Eu fiz uma pergunta semelhante aqui antes. Mas a solução fornecida parou de funcionar. Eu estou tentando obter certificados SSL para hosts locais. Eu não preciso que eles sejam oficiais, eles só precisam trabalhar na minha máquina local.
Desenvolvo sites e todas as minhas cópias locais estão no domínio domain.local.
Eu já descobri que o Chrome não permitirá um certificado * .local.
Até que eu atualizei para o cromo 63, o seguinte processo estava funcionando bem:
conf / caconfig.cnf
#..................................
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /home/*****/Sites/root-ca
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/certs/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 3000
default_md = sha256
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
copy_extensions = copyall
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = *****
localityName_default = *****
stateOrProvinceName_default = *****
countryName_default = *****
emailAddress_default = *****
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName = @alternate_names
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
[ alternate_names ]
DNS.1 = site1.local
DNS.2 = site2.local
DNS.3 = site3.local
DNS.4 = site4.local
Criar autoridade de certificação
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out certs/cacert.pem -days 3000 -config conf/caconfig.cnf
Quando solicitado
Common Name (hostname, IP, or your name) []:Jonathan Hodgson
Criar solicitação
openssl req -extensions v3_req -new -nodes -out local.req.pem -keyout private/local.key.pem -config conf/caconfig.cnf
Quando solicitado
Common Name (hostname, IP, or your name) []:*.local
Solicitação de sinal
openssl ca -out certs/local.cert.pem -config conf/caconfig.cnf -infiles local.req.pem
Parte relevante da configuração do Apache
<VirtualHost *:443>
ServerName test.local
ServerAlias *.local
VirtualDocumentRoot /home/jonathan/Sites/%-2/public_html
CustomLog /home/jonathan/Sites/access.log vhost_combined
ErrorLog /home/jonathan/Sites/error.log
SSLEngine On
SSLCertificateFile /home/jonathan/Sites/root-ca/certs/local.cert.pem
SSLCertificateKeyFile /home/jonathan/Sites/root-ca/private/local.key.pem
</VirtualHost>
Em seguida, importo o arquivo certs/cacert.pem
para o gerenciador de certificados dos navegadores como uma autoridade.
Isso funciona bem no Chrome 61 e no Firefox 55, mas não funciona no Chromium 63. Embora eu não possa confirmá-lo, também acredito que funcionou no Chromium 62, o que é algo que mudou no Chromium 63.
Curiosamente,opaineldesegurançadodev-toolspareceimplicarqueocertificadoestácorreto:
Editar:
Como solicitado por @garethTheRed
$ openssl x509 -noout -text -in certs/local.cert.pem
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = Jonathan Hodgson Ltd, emailAddress = ########, L = #########, ST = #######, C = GB, CN = Jonathan Hodgson
Validity
Not Before: Sep 21 10:18:36 2017 GMT
Not After : Dec 8 10:18:36 2025 GMT
Subject: C = GB, ST = #######, O = Jonathan Hodgson Ltd, CN = *.local
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e8:2c:e0:9e:e2:3e:6b:d6:2d:37:ab:a3:92:96:
46:ee:7e:77:6c:4b:04:6b:7e:ba:5c:a5:d6:4b:03:
a2:6a:54:12:c9:ff:2a:dc:12:8b:ee:f6:16:7b:28:
f8:78:ec:df:7b:29:09:b9:01:56:d3:08:b7:5a:46:
fe:1f:70:13:63:47:3c:f6:fe:f1:f4:0e:16:b8:5d:
8e:72:fa:c8:c3:07:eb:9c:61:66:63:52:19:47:66:
ef:bb:99:f7:cb:21:c6:b8:f3:84:c2:65:49:d9:b5:
fb:1d:75:dd:8a:79:b1:f8:02:e1:59:ae:ce:b8:7a:
1b:54:7b:58:58:cb:f8:ab:bf:7f:97:b3:0c:8f:c2:
b0:ee:ee:24:5b:7a:9d:b0:9a:ed:c7:56:52:72:f1:
ac:d2:f5:06:3a:5e:07:f6:f0:12:70:bc:4d:4b:bb:
99:b7:81:b7:e8:58:f1:a1:4a:2e:41:ee:1b:a4:9e:
e0:a7:0b:51:d5:94:5d:54:36:83:bd:38:9d:1d:4d:
e2:d8:4d:b0:b1:df:2b:42:1d:71:46:94:77:4a:c3:
19:1e:04:3d:29:2c:0b:c3:96:aa:9f:a1:b9:5a:a8:
37:8d:8a:7c:71:32:64:c4:d3:85:d3:78:0e:f3:9c:
8f:05:d7:5a:03:1b:67:d6:42:3b:3f:0e:cc:95:f3:
2d:cf
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
5C:17:CD:7A:5D:9F:DC:01:DF:37:3E:7C:3D:61:50:CB:7D:0C:78:87
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:fellowship.local, DNS:magento-vanilla.local, DNS:dotjs.local, DNS:dotcss.local
Netscape Comment:
OpenSSL Generated Certificate
Signature Algorithm: sha256WithRSAEncryption
4d:f2:7c:bf:68:72:63:ad:e8:82:d3:59:0b:28:4d:22:f9:a4:
a4:64:49:5e:f2:8a:29:09:21:2f:2e:c8:41:e9:8b:fb:52:ed:
b4:8d:38:22:ad:3b:fa:2d:6f:d6:71:90:2a:cf:a0:86:20:b9:
41:12:b2:e6:20:1b:88:a1:da:40:27:a0:89:a8:8e:51:38:ed:
16:ab:96:6b:15:bd:80:96:32:5c:e9:a3:42:88:22:b4:98:f6:
f1:07:0b:8c:35:44:36:65:f5:21:56:f8:68:22:3c:7e:49:c6:
8e:1d:da:28:7a:fa:e0:15:d2:69:a9:13:0f:e1:de:ee:3b:0f:
ef:b9:2e:09:49:af:88:ce:2f:c0:d2:79:7a:9c:7a:31:1d:34:
bc:af:70:9d:da:63:bc:10:c1:9e:12:4f:90:03:37:c4:ea:b4:
d6:f0:fc:c3:94:ac:95:e2:ab:bd:54:62:dd:cb:58:96:b2:92:
f9:7c:bc:21:e4:a4:a9:d0:70:83:62:b3:98:fd:20:e1:e5:37:
0b:95:3a:28:3d:41:17:03:47:c2:c1:f3:4a:59:da:eb:d8:55:
d6:a9:9b:83:e5:49:3d:23:92:91:98:14:2e:d5:06:55:d9:77:
90:48:21:ec:1b:9e:1b:84:85:36:ec:4f:86:50:de:fb:71:d9:
2a:06:9f:77
Eu tenho #ed meu e-mail e localização
Editar 2:
Aqui está o novo certificado gerado com um novo CN e número de série.
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = Jonathan Hodgson Ltd, emailAddress = ##########, L = ######, ST = ######, C = #########, CN = JonathanHodgsonAuthority
Validity
Not Before: Sep 25 13:13:46 2017 GMT
Not After : Dec 12 13:13:46 2025 GMT
Subject: C = GB, ST = ########, O = Jonathan Hodgson Ltd, CN = MyNewCN
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ae:b3:b5:18:06:e5:91:05:90:80:57:6a:8d:78:
50:94:09:b6:73:e6:4c:4e:5f:8c:f0:e3:8e:5b:bb:
09:f7:4c:6d:c2:c4:4a:ba:bb:7d:c3:53:1c:98:98:
2a:ea:be:8a:7f:cd:de:58:d8:74:2b:c1:5c:a9:44:
24:17:49:7e:6a:87:8d:a0:55:f8:71:b3:93:e3:b2:
fe:5b:88:7a:2a:45:15:3e:eb:94:c7:a2:26:74:db:
9e:58:84:45:cc:db:f9:4b:51:22:25:c0:27:ca:47:
76:6e:05:a6:5b:6d:74:a2:92:0e:67:d4:5c:bf:08:
cf:78:d9:95:f2:55:d1:ec:d4:78:ff:02:64:16:b9:
79:44:06:39:4e:bb:d0:a2:9d:91:93:b5:43:68:39:
f2:22:f3:0a:b4:eb:5c:1b:d1:54:51:4f:ac:23:43:
08:66:8e:a3:57:8c:51:ab:12:ec:7d:32:de:1f:a8:
e1:d8:99:c6:b2:94:87:e0:7a:8e:80:75:fe:44:10:
e6:1c:86:dd:90:c9:1f:0e:2f:3f:3e:fb:af:c7:dc:
0a:60:d3:2c:78:a3:62:0f:9a:e6:91:12:bc:e3:1c:
77:a7:31:04:23:b3:82:11:3c:d4:cc:5e:ae:71:fd:
8f:7c:12:b5:88:33:92:f5:6b:71:6f:cb:0b:93:bd:
13:b1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
6E:66:B9:C8:57:03:81:E4:2D:99:7C:78:28:B1:E3:36:D4:4B:C5:76
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:fellowship.local, DNS:magento-vanilla.local, DNS:dotjs.local, DNS:dotcss.local
Netscape Comment:
OpenSSL Generated Certificate
Signature Algorithm: sha256WithRSAEncryption
4d:73:39:76:88:5e:01:d5:80:8e:4e:b9:11:2d:99:6f:a5:6a:
f9:6f:1b:07:e4:7c:5e:ca:24:36:c0:55:bf:10:71:c8:57:0b:
16:67:97:75:80:ce:7b:f2:d7:38:6f:cd:d3:00:7d:5a:76:db:
7f:90:ad:12:47:8a:e6:4c:b0:16:cb:ab:be:89:4c:3f:6d:7d:
a0:72:a2:18:93:8a:1c:a8:b9:12:70:c8:b2:8d:81:49:61:62:
80:b1:04:c3:a2:de:22:d2:7f:2d:65:6e:1d:49:6a:65:7c:3f:
2f:8b:9f:5f:6d:1d:4b:c5:04:ad:37:c9:e4:c3:1b:5e:03:0e:
60:8b:6c:09:46:71:e1:02:b9:94:9c:14:87:94:aa:e0:93:05:
b9:df:f6:c2:99:b4:c8:62:c0:49:bb:97:dc:b9:a7:75:4e:55:
d8:06:49:07:2d:d4:7e:cf:be:89:63:f6:91:22:ca:e0:d5:65:
e4:73:88:0a:c1:d9:d5:a0:75:db:b3:41:d6:05:cb:62:7b:19:
01:de:62:d2:4d:7d:86:88:32:a8:8e:84:f6:96:6a:53:77:31:
7a:62:46:66:6a:7b:56:0e:89:77:0b:fb:e0:34:f3:ae:f2:08:
c5:81:ab:dd:3e:19:0a:59:eb:b2:44:e7:c8:f0:a5:30:a2:ae:
06:f3:e1:9e