更新(2018年11月):您是否 需要 自签名证书?
还是真正的证书能使工作做得更好?您考虑过其中任何一个吗?
- 让我们通过Greenlock.js进行加密
- 让我们通过https://greenlock.domains加密
- Localhost中继服务,例如https://telebit.cloud
(注意:“让我们加密”还可以将证书颁发给专用网络)
ScreenCast
https://coolaj86.com/articles/how-to-create-a-csr-for-https-tls-ssl-rsa-
pems/
完整的工作示例
- 创建证书
- 运行node.js服务器
- node.js客户端中没有警告或错误
- cURL中没有警告或错误
https://github.com/coolaj86/nodejs-self-signed-certificate-
example
使用
localhost.greenlock.domains作为一个例子(它指向127.0.0.1):
server.js
'use strict';var https = require('https') , port = process.argv[2] || 8043 , fs = require('fs') , path = require('path') , server , options ;require('ssl-root-cas') .inject() .addFile(path.join(__dirname, 'server', 'my-private-root-ca.cert.pem')) ;options = { // this is onLY the PRIVATE KEY key: fs.readFileSync(path.join(__dirname, 'server', 'privkey.pem')) // You DO NOT specify `ca`, that's only for peer authentication//, ca: [ fs.readFileSync(path.join(__dirname, 'server', 'my-private-root-ca.cert.pem'))] // This should contain both cert.pem AND chain.pem (in that order) , cert: fs.readFileSync(path.join(__dirname, 'server', 'fullchain.pem'))};function app(req, res) { res.setHeader('Content-Type', 'text/plain'); res.end('Hello, encrypted world!');}server = https.createServer(options, app).listen(port, function () { port = server.address().port; console.log('Listening on https://127.0.0.1:' + port); console.log('Listening on https://' + server.address().address + ':' + port); console.log('Listening on https://localhost.greenlock.domains:' + port);});client.js
'use strict';var https = require('https') , fs = require('fs') , path = require('path') , ca = fs.readFileSync(path.join(__dirname, 'client', 'my-private-root-ca.cert.pem')) , port = process.argv[2] || 8043 , hostname = process.argv[3] || 'localhost.greenlock.domains' ;var options = { host: hostname, port: port, path: '/', ca: ca};options.agent = new https.Agent(options);https.request(options, function(res) { res.pipe(process.stdout);}).end();以及制作证书文件的脚本:
make-certs.sh
#!/bin/bashFQDN=$1# make directories to work frommkdir -p server/ client/ all/# Create your very own Root Certificate Authorityopenssl genrsa -out all/my-private-root-ca.privkey.pem 2048# Self-sign your Root Certificate Authority# Since this is private, the details can be as bogus as you likeopenssl req -x509 -new -nodes -key all/my-private-root-ca.privkey.pem -days 1024 -out all/my-private-root-ca.cert.pem -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"# Create a Device Certificate for each domain,# such as example.com, *.example.com, awesome.example.com# NOTE: You MUST match CN to the domain name or ip address you want to useopenssl genrsa -out all/privkey.pem 2048# Create a request from your Device, which your Root CA will signopenssl req -new -key all/privkey.pem -out all/csr.pem -subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=${FQDN}"# Sign the request from Device with your Root CAopenssl x509 -req -in all/csr.pem -CA all/my-private-root-ca.cert.pem -CAkey all/my-private-root-ca.privkey.pem -CAcreateserial -out all/cert.pem -days 500# Put things in their proper placersync -a all/{privkey,cert}.pem server/cat all/cert.pem > server/fullchain.pem # we have no intermediates in this casersync -a all/my-private-root-ca.cert.pem server/rsync -a all/my-private-root-ca.cert.pem client/# create DER format crt for iOS Mobile Safari, etcopenssl x509 -outform der -in all/my-private-root-ca.cert.pem -out client/my-private-root-ca.crt例如:
bash make-certs.sh 'localhost.greenlock.domains'
希望这能把棺材钉在棺材上。
还有更多说明:https : //github.com/coolaj86/node-ssl-root-
cas/wiki/Painless-Self-Signed-Certificates-in-
node.js
在iOS Mobile Safari上安装私人证书
您需要创建扩展名为.crt的DER格式的根ca证书副本:
# create DER format crt for iOS Mobile Safari, etcopenssl x509 -outform der -in all/my-private-root-ca.cert.pem -out client/my-private-root-ca.crt
然后,您可以简单地通过Web服务器提供该文件。单击链接时,将询问您是否要安装证书。
有关如何工作的示例,可以尝试安装MIT的证书颁发机构:https :
//ca.mit.edu/mitca.crt
相关例子
- https://github.com/coolaj86/nodejs-ssl-example
- https://github.com/coolaj86/nodejs-ssl-trusted-peer-example
- https://github.com/coolaj86/node-ssl-root-cas
- https://github.com/coolaj86/nodejs-https-sni-vhost-example
- (在同一服务器上具有SSL的多个虚拟主机)
- https://telebit.cloud
- (获取可以使用TODAY在本地主机上进行测试的REAL SSL证书)
