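Background: a local Python Flask project whose server is started by running manage.py from a Python script. With ngrok set up as a tunnel into the internal network, I could not emulate an HTTPS address (it returned 502). The ngrok commands tried: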

ngrok http -bind-tls=true localhost:443
ngrok http https://localhost:443
ngrok http 443

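So I tried the following:

1. Install OpenSSL (reference: https://tecadmin.net/install-openssl-on-windows/)

Download: http://slproweb.com/products/Win32OpenSSL.html (the Windows OpenSSL download page; take the 43 MB one)

Set the environment variables and add the bin directory to PATH for convenience: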

set OPENSSL_CONF=C:\Program Files\OpenSSL-Win64\bin\openssl.cfg
set Path=......Other Values here......;C:\Program Files\OpenSSL-Win64\bin

Check that the installation succeeded:

Microsoft Windows [Version 10.0.17134.1069]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\jalchu>openssl
OpenSSL> version
OpenSSL 1.1.1d  10 Sep 2019
OpenSSL>

2. Create the private key (reference: https://zeropointdevelopment.com/how-to-get-https-working-in-windows-10-localhost-dev-environment/)

PS D:\ssl> openssl genrsa -des3 -out rootSSL.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................................................+++++
...+++++
e is 65537 (0x010001)
Enter pass phrase for rootSSL.key:
Verifying - Enter pass phrase for rootSSL.key:

(Note: enter the same string at both pass phrase prompts above.)

3. Create the certificate (reference: https://zeropointdevelopment.com/how-to-get-https-working-in-windows-10-localhost-dev-environment/)

PS D:\ssl> openssl req -x509 -new -nodes -key rootSSL.key -sha256 -days 1024 -out rootSSL.pem
Enter pass phrase for rootSSL.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Zero Point Development
Organizational Unit Name (eg, section) []:Development
Common Name (e.g. server FQDN or YOUR name) []:zeropointdevelopment.com
Email Address []:hello@zeropointdevelopment.com

4. Trust the certificate (reference: https://zeropointdevelopment.com/how-to-get-https-working-in-windows-10-localhost-dev-environment/)

Step 1 – Press the Windows key + R
Step 2 – Type “MMC” and click “OK”
Step 3 – Go to “File > Add/Remove Snap-in”
Step 4 – Click “Certificates” and “Add”
Step 5 – Select “Computer Account” and click “Next”
Step 6 – Select “Local Computer” then click “Finish”
Step 7 – Click “OK” to go back to the MMC window
Step 8 – Double-click “Certificates (local computer)” to expand the view
Step 9 – Select “Trusted Root Certification Authorities”, right-click “Certificates” and select “All Tasks” then “Import”
Step 10 – Click “Next” then Browse and locate the “rootSSL.pem” file we created in step 2
Step 11 – Select “Place all certificates in the following store” and select the “Trusted Root Certification Authorities store”. Click “Next” then click “Finish” to complete the wizard.

5. Map the domain

Edit C:\Windows\System32\drivers\etc\hosts and append the client-1.local entry at the end:

# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1 client-1.local

6. Create a private key for the domain

PS D:\ssl> openssl req -new -sha256 -nodes -out client-1.local.csr -newkey rsa:2048 -keyout client-1.local.key -subj "/C=AU/ST=NSW/L=Sydney/O=Client One/OU=Dev/CN=client-1/emailAddress=hello@client-1.local"
Generating a RSA private key
.............................................................................................+++++
.......................................................................................................+++++
writing new private key to 'client-1.local.key'
-----

7. Issue the certificate

PS D:\ssl> openssl x509 -req -in client-1.local.csr -CA rootSSL.pem -CAkey rootSSL.key -CAcreateserial -out client-1.local.crt -days 500 -sha256 -extensions "authorityKeyIdentifier=keyid,issuer\n basicConstraints=CA:FALSE\n keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\n  subjectAltName=DNS:client-1.local"
Signature ok
subject=C = AU, ST = NSW, L = Sydney, O = Client One, OU = Dev, CN = client-1, emailAddress = hello@client-1.local
Getting CA Private Key
Enter pass phrase for rootSSL.key:
PS D:\ssl>
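
In the command above, -extensions is handed the extension text itself, but that option names a section of a file supplied with -extfile; without -extfile nothing is added, so the issued certificate has no subjectAltName for browsers to match the host name against. The following PowerShell script is an added example (not from the original post or the referenced article) that signs a throwaway CSR both ways in a temp folder and reports whether each result contains the SAN. Assumptions: openssl is on PATH with OPENSSL_CONF set as in step 1, and the names san-check, root.*, leaf.*, inline.crt, extfile.crt and Test-San are made up for the example.

```powershell
# Added example: throwaway keys only, nothing here touches D:\ssl.
$dir = Join-Path $env:TEMP "san-check"
New-Item -ItemType Directory -Force -Path $dir | Out-Null
Push-Location $dir

# Throwaway root CA and leaf CSR (no pass phrase; test material only).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem -days 1 -sha256 -subj "/CN=Throwaway Root"
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -sha256 -subj "/CN=client-1"

# Form used in step 7: -extensions without -extfile. The inline text is not parsed.
openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial -out inline.crt -days 1 -sha256 -extensions "subjectAltName=DNS:client-1.local"

# Same extensions written to a file and passed with -extfile.
# With no -extensions option, openssl reads them from the file's default section.
$ext = @"
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = DNS:client-1.local
"@
# ASCII encoding keeps a byte-order mark out of the file openssl has to parse.
Set-Content -Path leaf.ext -Value $ext -Encoding ascii
openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial -out extfile.crt -days 1 -sha256 -extfile leaf.ext

# Returns $true when the certificate text lists the expected DNS name.
function Test-San([string]$Cert) {
    $text = openssl x509 -in $Cert -noout -text | Out-String
    return $text -match 'DNS:client-1\.local'
}

"inline.crt  has SAN: $(Test-San inline.crt)"
"extfile.crt has SAN: $(Test-San extfile.crt)"

# Confirm the extfile certificate chains to the throwaway root.
openssl verify -CAfile root.pem extfile.crt

Pop-Location
```

For the real certificate, the same -extfile form applies to the step 7 command with rootSSL.pem, rootSSL.key and client-1.local.csr.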

8. Nginx configuration

server {
    listen       8080;
    server_name  client-1.local;

    # New Lines below
    listen 443 ssl;
    ssl on;
    ssl_certificate d:/ssl/client-1.local.crt;
    ssl_certificate_key d:/ssl/client-1.local.key;
}

Start/stop commands:

C:\Users\jalchu\Nginx\nginx-1.15.8> .\nginx.exe
C:\Users\jalchu\Nginx\nginx-1.15.8> .\nginx.exe -s stop

9. Configure the run parameters in PyCharm and start the server from PyCharm

runserver --host 127.0.0.1 --port 8080 --threaded

10. Nginx reports errors on startup

PS C:\Users\jalchu\Nginx\nginx-1.15.8> .\nginx.exe
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in C:\Users\jalchu\Nginx\nginx-1.15.8/conf/nginx.conf:128
nginx: [emerg] bind() to 0.0.0.0:443 failed (10013: An attempt was made to access a socket in a way forbidden by its access permissions)

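The first: a warning that newer nginx versions raise for this SSL configuration; the "ssl on;" line can be removed.

The second: a local port conflict. Check as follows (the process can also be ended from Task Manager):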

C:\Users\jalchu>netstat -aon|findstr "443"
TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       8716
TCP    10.79.100.111:51627    66.163.36.181:443      ESTABLISHED     14904
TCP    10.79.100.111:52294    103.116.4.197:443      CLOSE_WAIT      2384
TCP    10.79.100.111:52313    103.116.4.197:443      CLOSE_WAIT      2384
TCP    10.79.100.111:52956    13.59.223.131:443      ESTABLISHED     14904
... ...
C:\Users\jalchu>tasklist | findstr 8716
vmware-hostd.exe              8716 Services                   0      5,516 K
C:\Users\jalchu>tskill 8716

11. Restart and visit the page: the company intranet blocked it, so all of this was for nothing :)

SECURITY THREAT DETECTED AND BLOCKED
