我可以用 Java 创建自签名证书,该证书将自动受到 Web 浏览器的信任吗?
我已经使用 keytool 为我的 Java 应用程序生成了自签名证书。但是,当我在浏览器中访问该网站时,它总是会弹出一个警告 - 说该网站不拥有该证书 - 有没有办法自签名/修改证书,这样我就不会在浏览器?服务器和浏览器都位于同一主机上,我使用“http://localhost/”导航到该站点。我不想向浏览器添加异常,因为我有在大型构建场上运行的测试,因此向所有构建计算机上的所有浏览器添加异常是多余的。
I've generated a self-signed certificate for my Java app using keytool. However, when I go to the site in a browser it always pops up with a warning - saying this site does not own the certificate - is there a way to self-sign/doctor a certificate so I won't get these warnings in a browser? Both server and browser are located on the same host and I navigate to the site using "http://localhost/". I do not want to add an exception to the browser because I have tests which run on a big build farm so it is excessive to add an exception to all browsers on all build machines.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
不,你不能。您不妨问“如何为 hsbc.com 制作假证书?”
有两种方法可以让浏览器接受证书:
在不接触浏览器的情况下,没有其他方法可以做到这一点 - 如果要保持互联网安全,怎么可能有呢?
No, you can't. You might as well ask "How can I make a fake certificate for hsbc.com?"
There are two ways to get a browser to accept a certificate:
Without touching the browsers, there's no other way to do it - how could there be, if the internet is to remain secure?
您还可以使用 OpenSSL 或 Java 工具设置自签名证书颁发机构 (CA)。然后,您可以使用该 CA 签署多个服务器证书。
您仍然需要在访问测试服务器的所有客户端上手动信任自签名 CA,但至少您只需信任一个根 CA,而不是一堆单独的自签名服务器证书。
另一种选择是查看 CAcert。
You could also setup a self-signed Certificate Authority (CA) using OpenSSL or possibly your Java tool. You can then use that CA to sign a number of server certs.
You are still going to need to manually trust your self-signed CA on all clients that access your test servers, but at least you only have to trust one root CA, rather than a bunch of individual self-signed server certs.
Another option is to check out CAcert.
您为 localhost 创建的证书还是为 test.textbox.com 创建的证书?如果您为 FQDN test.textbox.com 创建证书,那么只要证书经过正确签名,您就需要通过这种方式访问服务器才不会出现这些错误。您无法为 FQDN 生成证书,然后使用 IP 或别名 (localhost) 访问它,而不会收到有关事情不正确匹配的警告。还是我误解了你的问题?
Is the certificate you created for localhost or for test.textbox.com? If you create a certificate for the FQDN test.textbox.com, that's how you need to be reaching the server to not get those errors, as long as the certificate is properly signed. You can't generate a certificate for the FQDN and then use an IP or an alias (localhost) to access it without being warned that things aren't matching up properly. Or am I misunderstanding your problem?
为“localhost”制作证书。它需要与 URL 中的主机名匹配。
您仍然会因为证书不受信任而感到困扰,但这是另一个问题。
Make the certificate for "localhost" instead. It needs to match the hostname you have in the URL.
You will still be bothered as the certificate is not trusted, but that is another issue.