How to share a self-signed TLS certificate between websites
I have two websites within the same domain, for example `app1.test.local` and `app2.test.local`. Below is the procedure using which I've generated the self-signed certificate.

- Create a private key.

```
openssl genrsa -out tls.key 2048
```

- Edit the `openssl.conf` file and update the `req_distinguished_name` and `alt_names` contents.

```
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = IN
countryName_default = IN
stateOrProvinceName = KA
stateOrProvinceName_default = KA
localityName = Test
localityName_default = Test
organizationalUnitName = test
organizationalUnitName_default = test
commonName = *.test.local
commonName_max = 64
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.test.local
```

- Create a certificate signing request.

```
openssl req -new -out tls.csr -key tls.key -config openssl.cnf
```

- Sign the SSL certificate.

```
openssl x509 -req -days 3650 -in tls.csr -signkey tls.key -out tls.crt -extensions v3_req -extfile openssl.cnf
```

From the "view certificate" option of the browser I can see that both the SAN and the CN have `*.test.local` as the value. However, when I launch application `app2` from `app1`, the browser again prompts for trusting the certificate ["The certificate is not trusted because it is self-signed."].

Question: how do I prevent the browser from prompting to "Accept the risk and Continue" multiple times for the same self-signed certificate when it is used by different websites?
Comments (1)
Overriding the warning for a certificate will only affect the currently used domain and not every domain in the certificate. Otherwise somebody could create a certificate for some innocent site which also includes a SAN of an important site like paypal.com, and later reuse the certificate to impersonate the important site.

To make a certificate trusted for all domains given in the certificate, one needs to explicitly import the certificate as trusted into the browser's trust store instead of simply ignoring certificate warnings.
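To check this answer against the procedure in the question, here is an added shell example (not code from the question or the answer) that rebuilds the wildcard certificate in a scratch directory and runs `openssl verify` both with and without the certificate supplied as a trust anchor. It assumes the `openssl` CLI (1.1.0 or later) is on PATH, uses a shortened DN and `prompt = no` so `req` runs unattended, and writes under `$TMPDIR`.

```shell
# Added example, not from the original post: the cert is rejected until it is an
# explicit trust anchor, and once it is, every name under its SAN validates.
WORK="${TMPDIR:-/tmp}/selfsigned-demo.$$"

make_cert() {
    mkdir -p "$WORK"
    cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = IN
stateOrProvinceName = KA
commonName = *.test.local
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.test.local
EOF
    openssl genrsa -out "$WORK/tls.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/tls.key" -out "$WORK/tls.csr" -config "$WORK/openssl.cnf"
    openssl x509 -req -days 3650 -in "$WORK/tls.csr" -signkey "$WORK/tls.key" \
        -out "$WORK/tls.crt" -extensions v3_req -extfile "$WORK/openssl.cnf" 2>/dev/null
}

# Exit status 0 when HOST validates against tls.crt. anchor=yes supplies the cert
# as a trusted root (what importing it into the browser store does); anchor=no
# gives the verifier only the cert itself, i.e. the state before any trust decision.
verify_host() {
    host="$1"; anchor="$2"
    if [ "$anchor" = yes ]; then
        openssl verify -CAfile "$WORK/tls.crt" -verify_hostname "$host" "$WORK/tls.crt" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath -verify_hostname "$host" "$WORK/tls.crt" >/dev/null 2>&1
    fi
}

# app1 and app2 with the anchor, app1 without it, and a name outside the SAN list
# with the anchor. Prints "ok ok fail fail".
run_checks() {
    make_cert
    a=$(verify_host app1.test.local yes && echo ok || echo fail)
    b=$(verify_host app2.test.local yes && echo ok || echo fail)
    c=$(verify_host app1.test.local no  && echo ok || echo fail)
    d=$(verify_host other.example   yes && echo ok || echo fail)
    rm -rf "$WORK"
    echo "$a $b $c $d"
}

run_checks
```

The third result is the situation in the question: the certificate covers both hosts, but nothing trusts it yet, so each site gets its own warning until the certificate is imported as an anchor.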