Adding a CA certificate for localhost

Reference: https://majing.io/posts/10000050311000

  1. On Ubuntu 18.04, run
    openssl rand -writerand ~/.rnd
     
    openssl req -x509 -nodes -new -sha256 -days 10240 -newkey rsa:2048 -keyout RootCA.key -out RootCA.pem -subj "/C=US/CN=WSS-Root-CA"
     
    openssl x509 -outform pem -in RootCA.pem -out RootCA.crt

    This generates the root certificate.

  2. Create the file domains.ext with the following content
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = localhost
    DNS.2 = oakfire-wss.local
  3. Then run
    openssl req -new -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.csr -subj "/C=CN/ST=Tianjin/L=Tianjin/O=Oakfire-Wss-Certificates/CN=localhost.local"
     
    openssl x509 -req -sha256 -days 10240 -in localhost.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile domains.ext -out localhost.crt
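  4. Copy localhost.key and localhost.crt to use as the site certificate.
  5. On Windows 10, right-click RootCA.crt and import it into [Trusted Root Certification Authorities], then restart Chrome. On Windows 7, open certmgr.msc / certlm.msc to import it.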
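
Before deploying the files from step 4, it is worth checking them. The script below is an added example, not part of the original note; its function names are illustrative. It confirms that localhost.crt chains to RootCA.pem, covers each hostname, is a leaf certificate, and matches localhost.key. The CSR's CN (localhost.local) is not listed in subjectAltName, so that name is reported as not covered.

```bash
#!/usr/bin/env bash
# Added example: sanity checks for the files produced in steps 1-3.
# Function names are illustrative, not from the original note.

# Succeeds only if certificate $2 is signed by CA $1 AND is valid for hostname $3.
cert_valid_for_host() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Succeeds if private key $2 belongs to certificate $1 (public keys are identical).
key_matches_cert() {
    local a b
    a=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$a" = "$b" ]
}

# Succeeds if certificate $1 carries basicConstraints CA:FALSE,
# i.e. it cannot be used to sign other certificates.
is_leaf_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:FALSE'
}

# usage: check_site_cert RootCA.pem localhost.crt localhost.key host...
check_site_cert() {
    local ca=$1 crt=$2 key=$3 rc=0 h
    shift 3
    key_matches_cert "$crt" "$key" || { echo "FAIL: $key does not match $crt"; rc=1; }
    is_leaf_cert "$crt" || { echo "FAIL: $crt is not CA:FALSE"; rc=1; }
    for h in "$@"; do
        if cert_valid_for_host "$ca" "$crt" "$h"; then
            echo "ok: $h"
        else
            echo "FAIL: $h not covered by $crt, or chain to $ca is invalid"; rc=1
        fi
    done
    return $rc
}

# Run from the directory that holds the generated files.
if [ -f localhost.crt ]; then
    check_site_cert RootCA.pem localhost.crt localhost.key localhost oakfire-wss.local
fi
```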