Question
I am currently writing an HTTPS proxy using OpenSSL, but I cannot get Firefox or IE to accept my self-signed certificate as a CA. I have added the certificate to "Trusted Root Certification Authorities" in IE and "Authorities" in Firefox. I am testing on https://ssltest11.bbtest.net/ with the certificate found at Geotrust, but the same applies for other sites as far as I've seen. IE gives me the error:
The security certificate presented by this website was not issued by a trusted certificate authority. The security certificate presented by this website was issued for a different website's address.
Firefox:
https://ssltest11.bbtest.net/ Peer's Certificate issuer is not recognized. HTTP Strict Transport Security: false HTTP Public Key Pinning: false
Certificate chain: -----BEGIN CERTIFICATE-----
Do I have to generate a certificate for each domain that the proxy connects to?
To clarify, I am generating the .pem certificate and key, then converting the certificate to .cer, which I use in Firefox and IE. The .pem certificate and key are used by the proxy.
Answer 1:
If you want to do SSL interception you have to generate a CA certificate which you add as trusted to the browser/system and then dynamically generate leaf certificates signed by this trusted CA certificate. This means for each site you are doing SSL interception for (i.e. man in the middle attack) you need to create a certificate which matches the name as shown in the URL. Matching certificates can for example be created by extracting common name and subject alternative names from the original certificate and creating a new certificate based on this information, signed by your man in the middle CA.
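The two pieces the answer describes, as an added example written for this page (not code from the question, the answer, or any proxy project): a self-signed certificate with CA:TRUE, which is what the browser trust store needs (a plain self-signed server certificate imported as an "authority" is still not accepted as an issuer), and a per-site leaf whose CN and dNSName SANs are copied from the upstream certificate so the browser's host-name check passes. It assumes the `cryptography` package and EC keys; the upstream certificate used for the check is a constructed stand-in, not the real GeoTrust-issued one, and `self_signed`, `make_leaf`, `names_from` and `issued_by` are names chosen here.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _build(subject, issuer, pubkey, signer_key, days, extensions):
    """Shared builder; extensions is a list of (extension, critical) pairs."""
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(now - timedelta(minutes=5)).not_valid_after(now + timedelta(days=days)))
    for ext, critical in extensions:
        b = b.add_extension(ext, critical=critical)
    return b.sign(signer_key, hashes.SHA256())

def self_signed(cn, *sans, ca=False):
    """ca=True: the proxy CA the browser imports (CA:TRUE is mandatory). ca=False: constructed stand-in for a site cert."""
    key = ec.generate_private_key(ec.SECP256R1())
    exts = [(x509.BasicConstraints(ca=ca, path_length=0 if ca else None), True)]
    if sans:
        exts.append((x509.SubjectAlternativeName([x509.DNSName(n) for n in sans]), False))
    return key, _build(_name(cn), _name(cn), key.public_key(), key, 3650 if ca else 30, exts)

def names_from(cert):
    """CN plus every dNSName SAN; browsers match the URL host against the SANs, not the CN."""
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    san = next((e.value for e in cert.extensions if isinstance(e.value, x509.SubjectAlternativeName)), None)
    sans = san.get_values_for_type(x509.DNSName) if san else []
    return cn, sans or [cn]

def make_leaf(ca_key, ca_cert, upstream_cert):
    """Per-site leaf: fresh key, upstream names copied over, signed by the proxy CA."""
    cn, sans = names_from(upstream_cert)
    key = ec.generate_private_key(ec.SECP256R1())
    exts = [(x509.SubjectAlternativeName([x509.DNSName(n) for n in sans]), False),
            (x509.BasicConstraints(ca=False, path_length=None), True),
            (x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), False)]
    return key, _build(_name(cn), ca_cert.subject, key.public_key(), ca_key, 30, exts)

def issued_by(leaf, ca_cert):
    """The chain check a browser performs: issuer matches and the CA key verifies the signature."""
    try:
        ca_cert.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes, ec.ECDSA(leaf.signature_hash_algorithm))
    except Exception:  # InvalidSignature: not signed by this CA
        return False
    return leaf.issuer == ca_cert.subject
```

Only the CA certificate is imported into the browser; the leaf and its key stay on the proxy and are generated on the first connection to each host (cache them per host, since the browser remembers the key it saw).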
Source: https://stackoverflow.com/questions/40182934/how-to-generate-https-proxy-certificate