Create a self-signed SSL Certificate with OpenSSL

Creating a self-signed certificate with OpenSSL

by Mike Solomon

OpenSSL comes installed with Mac OS X (but see below), as well as many Linux and Unix distributions. Creating a certificate with it is very easy.

OpenSSL commands

openssl genrsa -out key.pem 2048
openssl req -new -sha256 -key key.pem -out csr.csr
openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out certificate.pem
openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA256" && echo "All is well" || echo "This certificate will stop working in 2017! You must update OpenSSL to generate a widely-compatible certificate"

The first OpenSSL command generates a 2048-bit (recommended) RSA private key.

The second command generates a Certificate Signing Request, which you could instead use to generate a CA-signed certificate. This step will ask you questions; be as accurate as you like since you probably aren’t getting this signed by a CA.

The third command uses the key and the CSR to generate a self-signed X.509 certificate suitable for use on web servers. This is the file you were after all along, congrats!

The check at the end confirms the CSR was signed with SHA-256, which ensures you will be able to use your certificate beyond 2016. OpenSSL on OS X is currently insufficient, and will silently generate a SHA-1 certificate that will be rejected by browsers in 2017. Update using your package manager, or with Homebrew on a Mac, and start the process over.
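As an added example (not part of the original post), the four commands above wrapped so they run without prompts, followed by checks a practitioner would want before deploying the files: the signature algorithm check from the article applied to the certificate itself, a key/certificate match, and a self-verification. It assumes openssl, sed and mktemp are on PATH; the directory, CN and 365-day lifetime are sample values.

```shell
#!/bin/sh
# Added example, not from the original post: the article's four OpenSSL
# commands wrapped so they run without prompts, plus checks on the result.
# Assumes openssl, sed and mktemp are on PATH; directory, CN and the
# 365-day lifetime are sample values.

# Generate key.pem, csr.csr and certificate.pem in directory $1 for CN $2.
make_selfsigned_cert() {
    dir=$1; cn=$2
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null || return 1
    # -subj supplies the subject so the CSR step asks no questions
    openssl req -new -sha256 -key "$dir/key.pem" -subj "/CN=$cn" \
        -out "$dir/csr.csr" || return 1
    openssl req -x509 -sha256 -days 365 -key "$dir/key.pem" \
        -in "$dir/csr.csr" -out "$dir/certificate.pem" || return 1
}

# Print the signature algorithm of a CSR ($1=req) or certificate ($1=x509).
sig_alg() {
    openssl "$1" -in "$2" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# The article's compatibility check, applied to the certificate itself:
# anything other than a SHA-256 signature means OpenSSL is too old.
check_sha256() {
    case "$(sig_alg x509 "$1")" in
        sha256*) return 0 ;;
        *) echo "weak signature on $1; update OpenSSL and rerun" >&2; return 1 ;;
    esac
}

# Confirm the certificate's public key belongs to key.pem ($1=key, $2=cert),
# catching a stale certificate.pem left over from an earlier run.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# A self-signed certificate must verify with itself as the trust anchor,
# which is exactly what a client that pins it will do.
verifies_self() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Example run:
#   d=$(mktemp -d) && make_selfsigned_cert "$d" staging.example.test
#   sig_alg x509 "$d/certificate.pem"   # sha256WithRSAEncryption
```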

More about self-signed SSL certificates

Self-signed SSL certificates provide all of the encryption benefits of a certificate signed by a Certificate Authority (CA), but essentially none of the authentication benefits. This is obviously still useful, and I find them particularly nice for staging sites, in the early stages of a project, and for use behind CloudFlare.

Due to the lack of authentication, web browsers will display a warning to users attempting to connect to your site. If this is a production site or you don’t want this warning, you must get a certificate signed by a CA. Google “free SSL certificate” and you’ll easily find a free 1-year certificate.

ECC certificates

While I would not recommend an ECC (elliptic curve) certificate, I have a guide to create a self-signed ECC certificate. ECC is a relatively new kind of key, and can be used as an alternative to the RSA key we used above.

### Fixing SSL verification failures caused by a self-signed certificate

When making HTTPS requests with Python's `requests` library, if the target server uses a self-signed certificate, you may run into an error like:

`SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:XXXX)`[^1]

The root cause is that Python performs strict SSL/TLS certificate verification on HTTPS connections by default, and a self-signed certificate has not been endorsed by a trusted root certificate authority (CA), so it is treated as untrusted.

Several common remedies follow:

---

#### Method one: disable SSL verification

Pass `verify=False` to the `requests` call to skip SSL verification. This is quick and simple, but should be used with caution in production, since it makes the connection insecure and exposed to man-in-the-middle (MitM) attacks[^2].

```python
import requests

url = "https://example.com"
response = requests.get(url, verify=False)  # skips certificate verification entirely
print(response.text)
```

Even so, note that this approach is only suitable as a temporary workaround in test or internal network environments.

---

#### Method two: import the self-signed certificate into the trust store

A more recommended and secure approach is to export the self-signed certificate from the target site and add it to the system's trusted CA list, so that Python recognises and accepts the certificate as a legitimate credential[^3].

The steps are:

1. Visit the target site in a browser;
2. Export the public-key certificate it presents (.crt/.pem format);
3. Convert the `.crt` file to PEM encoding (if necessary) with:
   ```bash
   openssl x509 -inform DER -in example.crt -out example.pem
   ```
4. Configure the Python project to load the new trusted certificate path:
   ```python
   import requests

   cert_path = '/path/to/example.pem'  # replace with the actual location of the file
   # verify= takes a CA bundle path; the self-signed certificate is its own CA
   response = requests.get('https://example.com', verify=cert_path)
   print(response.text)
   ```

This keeps full security while resolving the rejection.

---

#### Method three: update the system's built-in trust chain

Sometimes the cause is an outdated base trust store shipped with the operating system, which leaves compatibility gaps; upgrading the relevant component restores normal operation[^4].

On Linux distributions, running the package manager to refresh package sources is usually enough to apply the fix automatically; on Windows, installing Microsoft's cumulative update packages regularly is recommended to keep protection up to date.

---

### Summary

In short, three workable strategies have been given for SSL verification failures caused by "self signed certificate in certificate chain". The first two suit quick deployment and debugging needs, while the last is especially important from a long-term maintenance perspective. Which one to choose depends on the specific business context and technical constraints.