1. Background
When doing web development you may need to run HTTPS locally, and setting up HTTPS requires a private key and a certificate file. This article offers a way to build your own certificates for reference.
2. Creating your own certificates
2.1 Steps
In most cases, steps 1 to 5 (2.1.1 to 2.1.5) are enough.
2.1.1 Generate the private key
openssl genrsa -out key.pem 2048
2.1.2 Create the openSSL.conf configuration file
[ req ]
distinguished_name = local_pc
attributes = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
[ req_attributes ]
challengePassword = local_pc
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = local_pc
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
basicConstraints = CA:true
[ local_pc ]
countryName = CN
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = HuBei
stateOrProvinceName_default = HuBei
localityName = WuHan
localityName_default = WuHan
organizationName = IT Company
organizationName_default = IT Company
organizationalUnitName = IT Department
organizationalUnitName_default = IT Department
commonName = Local CA
commonName_default = Local CA
commonName_max = 64
2.1.3 Generate the certificate signing requests
2.1.3.1 Server
First create the file server-openSSL.conf:
[ req ]
distinguished_name = local_pc
req_extensions = v3_req
[ local_pc ]
countryName = CN
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = HuBei
stateOrProvinceName_default = HuBei
localityName = WuHan
localityName_default = WuHan
organizationName = IT Company
organizationName_default = IT Company
organizationalUnitName = IT Department
organizationalUnitName_default = IT Department
commonName = local.pc
commonName_default = local.pc
commonName_max = 64
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
openssl req -new -key key.pem -out server.csr -config server-openSSL.conf
2.1.3.2 Client
openssl req -new -key key.pem -out client.csr -config openSSL.conf
2.1.4 Generate the CA certificate
openssl req -x509 -config openSSL.conf -new -nodes -key ca-key.pem -days 36500 -out ca-cert.crt
2.1.5 Issue certificates with the CA
2.1.5.1 Issue the server certificate
Create the file https.ext:
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = local.pc
DNS.2 = www.local.pc
IP.1 = 127.0.0.1
Issue the certificate:
openssl x509 -req -in server.csr -CA ca-cert.crt -CAkey ca-key.pem -CAcreateserial -out server.crt -days 36500 -sha256 -extfile https.ext
2.1.5.2 Issue the client certificate
Issue the certificate:
openssl x509 -req -in client.csr -CA ca-cert.crt -CAkey ca-key.pem -CAcreateserial -out client.crt -days 36500 -sha256
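The following script is an added example and is not part of the original post: it runs steps 2.1.1 to 2.1.5 end to end without prompts and then verifies the result. File and subject names follow the post (openSSL.conf, server-openSSL.conf, https.ext, ca-cert.crt, local.pc). It departs from the post in four places, each marked in a comment: it generates ca-key.pem, which step 2.1.4 signs with but no earlier step creates; it uses a separate key for the CA, the server and the client instead of one key.pem for both CSRs; it adds keyUsage to the CA and gives the client certificate its own extension file with clientAuth, since step 2.1.5.2 signs it with no extensions at all; and it limits the server certificate to serverAuth. The helper names write_req_conf and build_local_pki, the output directory argument, the client CN and the 825-day validity are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the original post: steps 2.1.1 to 2.1.5 as one
# non-interactive script followed by a verification pass. File names and DN
# values follow the post; where the script departs from it, a comment says so.

# write_req_conf FILE COMMON_NAME : request config with the post's DN values.
# "prompt = no" turns the post's *_default prompt values into fixed values.
write_req_conf() {
  cat > "$1" <<EOF
[ req ]
distinguished_name = local_pc
string_mask        = utf8only
prompt             = no
[ local_pc ]
countryName            = CN
stateOrProvinceName    = HuBei
localityName           = WuHan
organizationName       = IT Company
organizationalUnitName = IT Department
commonName             = $2
EOF
}

# build_local_pki OUTDIR : CA, server and client certificates in OUTDIR.
# Returns 0 only if every certificate verifies against the CA for its purpose.
build_local_pki() {
  out="$1"
  mkdir -p "$out" || return 1

  # One key per identity. The post reuses key.pem for both CSRs, so one leaked
  # key would let its holder act as server and as client. The post also signs
  # with ca-key.pem in 2.1.4 but never generates it; it is generated here.
  for name in ca server client; do
    openssl genrsa -out "$out/$name-key.pem" 2048 2>/dev/null || return 1
  done

  # 2.1.2 and 2.1.4: CA config and self-signed CA certificate. keyUsage is
  # added so the CA key is valid only for signing certificates and CRLs.
  write_req_conf "$out/openSSL.conf" "Local CA"
  cat >> "$out/openSSL.conf" <<'EOF'
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer:always
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -new -key "$out/ca-key.pem" -config "$out/openSSL.conf" \
    -extensions v3_ca -days 3650 -sha256 -out "$out/ca-cert.crt" || return 1

  # 2.1.3: CSRs. "openssl x509 -req" below takes extensions from -extfile and
  # not from the CSR, so the request configs carry only the subject.
  write_req_conf "$out/server-openSSL.conf" "local.pc"
  write_req_conf "$out/client-openSSL.conf" "local.pc client"
  for role in server client; do
    openssl req -new -key "$out/$role-key.pem" -config "$out/$role-openSSL.conf" \
      -out "$out/$role.csr" || return 1
  done

  # 2.1.5.1: server extensions. The post's https.ext allows serverAuth and
  # clientAuth together; one purpose per certificate keeps the roles apart.
  cat > "$out/https.ext" <<'EOF'
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = @alt_names
[ alt_names ]
DNS.1 = local.pc
DNS.2 = www.local.pc
IP.1  = 127.0.0.1
EOF
  # 2.1.5.2: the post signs the client CSR with no extension file, so the
  # client certificate carries no usage limits at all; restrict it here.
  cat > "$out/client.ext" <<'EOF'
extendedKeyUsage = clientAuth
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
EOF
  # 825 days rather than the post's 36500: Apple platforms reject TLS server
  # certificates valid for longer, even when issued by a manually trusted CA.
  for role in server client; do
    case $role in server) ext=https.ext ;; *) ext=client.ext ;; esac
    openssl x509 -req -in "$out/$role.csr" -CA "$out/ca-cert.crt" -CAkey "$out/ca-key.pem" \
      -CAcreateserial -days 825 -sha256 -extfile "$out/$ext" -out "$out/$role.crt" || return 1
  done

  # Verification: each leaf chains to the CA for its own purpose only, and the
  # server certificate carries the SAN entries that browsers check.
  openssl verify -CAfile "$out/ca-cert.crt" -purpose sslserver "$out/server.crt" >/dev/null || return 1
  openssl verify -CAfile "$out/ca-cert.crt" -purpose sslclient "$out/client.crt" >/dev/null || return 1
  if openssl verify -CAfile "$out/ca-cert.crt" -purpose sslclient "$out/server.crt" >/dev/null 2>&1; then
    echo "server.crt must not pass as a client certificate" >&2; return 1
  fi
  openssl x509 -in "$out/server.crt" -noout -text | grep -q 'DNS:www.local.pc' || return 1
}

build_local_pki "${1:-./local-pki}" && echo "certificates written to ${1:-./local-pki}"
```

Run it as sh make-local-pki.sh ./local-pki (the file name is hypothetical). The final checks use openssl verify -purpose, so a server certificate that would also be accepted as a client certificate, or a SAN that does not list the name the browser connects to, fails the script instead of surfacing later as a browser warning. Note also that openssl x509 -req does not copy extensions out of the CSR, which is why the v3_req section in the post's server-openSSL.conf has no effect on server.crt; the extensions that end up in the certificate are the ones in https.ext.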
2.1.6 Package the CA certificate in p12 format
openssl pkcs12 -export -in ca-cert.crt -inkey ca-key.pem -out ca-cert.p12 -password pass:8AAA8BBB
2.1.7 Base64-encode the p12 certificate
2.1.7.1 macOS
base64 ca-cert.p12 > ca-cert-p12.base64
2.1.7.2 Node.js
A small Node.js module for converting the file to Base64.
const fs = require('fs')
const path = require('path')
// Input: the PKCS#12 bundle from step 2.1.6; output: the same bytes as Base64 text.
const p12Path = path.join(__dirname, 'ca-cert.p12')
const p12Base64Path = path.join(__dirname, 'ca-cert-p12.base64')
// Read the binary bundle and write it out as one Base64 string (no line wrapping).
const fileBuffer = fs.readFileSync(p12Path)
const p12Base64 = fileBuffer.toString('base64')
fs.writeFileSync(p12Base64Path, p12Base64)
console.log(`p12Base64Path: ${p12Base64Path}`)
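Steps 2.1.6 and 2.1.7 as an added example (not the post's own code): it builds a throwaway CA with one openssl req command so that it runs on its own, exports the CA as a PKCS#12 file, encodes that file to a single Base64 line, then decodes the line and reads the bundle back to confirm the round trip. Two changes from the post, both commented: the export password is read from a file with -passout file: instead of being placed on the command line with -password pass:, where it would be visible in shell history and in the process list; and the encoding uses openssl base64 -A, which produces one unwrapped line on every platform, whereas the base64 command wraps at 76 columns on GNU systems unless told not to. The function name bundle_ca_p12, the directory argument and the constructed password are this example's own.

```sh
#!/bin/sh
# Added example, not from the original post: steps 2.1.6 and 2.1.7 with a
# round-trip check. Output names follow the post (ca-cert.p12, ca-cert-p12.base64);
# the password file, the throwaway CA and the helper name are this example's own.

# bundle_ca_p12 OUTDIR : writes ca-cert.p12 and ca-cert-p12.base64 in OUTDIR and
# returns 0 only if the Base64 text decodes back to a readable bundle.
bundle_ca_p12() {
  out="$1"
  mkdir -p "$out" || return 1

  # Throwaway CA so the function runs stand-alone (in the post these two files
  # come from steps 2.1.1 to 2.1.4). stderr is silenced only for key-generation chatter.
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Local CA" -days 3650 \
    -keyout "$out/ca-key.pem" -out "$out/ca-cert.crt" 2>/dev/null || return 1

  # 2.1.6: export password kept in an owner-only file. The post passes it as
  # -password pass:8AAA8BBB, which lands in shell history and is readable by
  # other local users through the process list while openssl runs.
  (umask 077; printf '%s\n' "constructed-example-password" > "$out/p12-pass.txt") || return 1
  openssl pkcs12 -export -in "$out/ca-cert.crt" -inkey "$out/ca-key.pem" \
    -out "$out/ca-cert.p12" -passout "file:$out/p12-pass.txt" || return 1

  # 2.1.7: one unwrapped Base64 line. The post's macOS base64 command does the
  # same, but GNU base64 wraps at 76 columns, so a consumer that expects a
  # single line breaks when the file is produced on Linux.
  openssl base64 -A -in "$out/ca-cert.p12" -out "$out/ca-cert-p12.base64" || return 1

  # Round trip. openssl's decoder wants line-wrapped input, so re-wrap the single
  # line first (fold is POSIX), then compare bytes and read the bundle back.
  { fold -w 64 "$out/ca-cert-p12.base64"; echo; } \
    | openssl base64 -d -out "$out/roundtrip.p12" || return 1
  cmp -s "$out/ca-cert.p12" "$out/roundtrip.p12" || return 1
  # -nokeys prints only the certificate, so the private key never reaches stdout.
  openssl pkcs12 -in "$out/roundtrip.p12" -nokeys -passin "file:$out/p12-pass.txt" \
    | openssl x509 -noout -subject | grep -q 'CN *= *Local CA' || return 1
}

bundle_ca_p12 "${1:-./local-pki}" && echo "bundle written to ${1:-./local-pki}/ca-cert.p12"
```

The cmp step is the check that matters when the Base64 text is pasted into a config file or an environment variable: if the line was wrapped, truncated or had whitespace added in transit, the decoded bytes differ and the import fails with a PKCS#12 MAC error that looks like a wrong password.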
3. Trusting the certificate
3.1 Chrome
- Privacy and security - Security - Manage certificates
- Trusted Root Certification Authorities
3.2 macOS
- Keychain Access
- Import the certificate
- Get Info
- Trust the certificate
3.3 Windows
3.3.1 GUI
- cmd
- mmc
- Add the "Certificates" snap-in
- Trusted Root Certification Authorities
- Certificates
- Import
3.3.2 Command line
- Run cmd as administrator
- Run the following command:
certutil -addstore "Root" "D:\ca-cert.crt"