Creating a self-signed SSL certificate_IT: How to Create a Self-Signed Security (SSL) Certificate and Deploy It to Client Machines...

Developers and IT administrators have, no doubt, the need to deploy some website through HTTPS using an SSL certificate. While this process is pretty straightforward for a production site, for the purposes of development and testing you may find the need to use an SSL certificate here as well.

As an alternate to purchasing and renewing a yearly certificate, you can leverage your Windows Server’s ability to generate a self signed certificate which is convenient, easy and should meet these types of needs perfectly.

Creating a Self Signed Certificate on IIS

While there are several ways to accomplish the task of creating a self signed certificate, we will use the SelfSSL utility from Microsoft. Unfortunately, this doesn’t ship with IIS but it is freely available as part of the IIS 6.0 Resource Toolkit (link provided at the bottom of this article). Despite the name “IIS 6.0” this utility works just fine in IIS 7.

All that is required is to extract the IIS6RT to get the selfssl.exe utility. From here you can copy it to your Windows directory or a network path/USB drive for future use on another machine (so you don’t have to download and extract the full IIS6RT).

Once you have the SelfSSL utility in place, run the following command (as the Administrator) replacing the values in <> as appropriate:

selfssl /N:CN=<your.domain.com> /V:<number of valid days>

The example below produces a self signed wildcard certificate against “mydomain.com” and sets it to be valid for 9,999 days. Additionally, by answering yes to the prompt, this certificate is automatically configured to bind to port 443 inside the Default Web Site of IIS.

While at this point the certificate is ready to use, it is stored only in the personal certificate store on the server. It is a best practice to also have this certificate set in the trusted root as well.

Go to Start > Run (or Windows Key + R) and enter “mmc”. You may receive a UAC prompt, accept it and an empty Management Console will open.

In the console, go to File > Add/Remove Snap-in.

Add Certificates from the left side.

Select Computer account.

Select Local computer.

Click OK to view the Local Certificate store.

Navigate to Personal > Certificates and locate the certificate you setup using the SelfSSL utility. Right-click the certificate and select Copy.

Navigate to Trusted Root Certification Authorities > Certificates. Right-click on the Certificates folder and select Paste.

An entry for the SSL certificate should appear in the list.

At this point, your server should have no problems working with the self signed certificate.

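As an added example (not part of the original article and not the SelfSSL tool's own output), here is the Copy/Paste step from the Management Console expressed in PowerShell through the .NET certificate store API, which also works on older Windows PowerShell versions that lack the PKI cmdlets. It assumes the SelfSSL certificate was issued for the article's example name mydomain.com and sits in the computer's Personal store, and that it runs from an elevated prompt.

```powershell
# Added example, not from the original article: move the SelfSSL certificate from
# Personal (My) to Trusted Root Certification Authorities (Root) without the MMC GUI.
# Assumption: the certificate subject is CN=mydomain.com (the article's example name).
$subjectCn = 'mydomain.com'
$ns = 'System.Security.Cryptography.X509Certificates'

$personal = New-Object -TypeName "$ns.X509Store" -ArgumentList 'My', 'LocalMachine'
$personal.Open('ReadOnly')
# Match the exact subject so an unrelated certificate is never promoted by accident;
# HasPrivateKey confirms it is the one SelfSSL generated and IIS can serve with.
$cert = $personal.Certificates |
    Where-Object { $_.Subject -eq "CN=$subjectCn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$personal.Close()
if (-not $cert) { throw "No certificate with CN=$subjectCn found in LocalMachine\My" }

# Only a self-signed certificate (subject equals issuer) belongs in Trusted Root;
# anything else placed here would become a trust anchor you did not issue yourself.
if ($cert.Subject -ne $cert.Issuer) { throw 'Certificate is not self-signed; not adding it to Trusted Root' }

Write-Host ("Thumbprint {0}, valid until {1}" -f $cert.Thumbprint, $cert.NotAfter)

$root = New-Object -TypeName "$ns.X509Store" -ArgumentList 'Root', 'LocalMachine'
$root.Open('ReadWrite')
if ($root.Certificates.Contains($cert)) {
    Write-Host 'Already present in Trusted Root Certification Authorities'
} else {
    $root.Add($cert)   # the equivalent of Copy in Personal, Paste in Trusted Root
    Write-Host 'Added to Trusted Root Certification Authorities'
}
$root.Close()
```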

Exporting the Certificate

If you are going to be accessing a site which uses the self signed SSL certificate on any client machine (i.e. any computer which is not the server), in order to avoid a potential onslaught of certificate errors and warnings the self signed certificate should be installed on each of the client machines (which we will discuss in detail below). To do this, we first need to export the respective certificate so it can be installed on the clients.

Inside of the console with the Certificate Management loaded, navigate to Trusted Root Certification Authorities > Certificates. Locate the certificate, right-click and select All Tasks > Export.

When prompted to export the private key, select Yes. Click Next.

Leave the default selections for the file format and click Next.

Enter a password. This will be used to protect the certificate and users will not be able to import it locally without entering this password.

Enter a location to export the certificate file. It will be in PFX format.

Confirm your settings and click Finish.

The resulting PFX file is what will be installed to your client machines to tell them that your self signed certificate is from a trusted source.

Deploying to Client Machines

Once you have created the certificate on the server side and have everything working, you may notice that when a client machine connects to the respective URL, a certificate warning is displayed. This happens because the certificate authority (your server) isn’t a trusted source for SSL certificates on the client.

You can click through the warnings and access the site, however you may get repeated notices in the form of a highlighted URL bar or repeating certificate warnings. To avoid this annoyance, you simply need to install the custom SSL security certificate on the client machine.

Depending on the browser you use, this process can vary. IE and Chrome both read from the Windows Certificate store, however Firefox has a custom method of handling security certificates.

Important Note: You should never install a security certificate from an unknown source. In practice, you should only install a certificate locally if you generated it. No legitimate website would require you to perform these steps.

Internet Explorer & Google Chrome – Installing the Certificate Locally

Note: Even though Firefox does not use the native Windows certificate store, this is still a recommended step.

Copy the certificate which was exported from the server (the PFX file) to the client machine or ensure it is available in a network path.

Open the local certificate store management on the client machine using the exact same steps as above. You will eventually end up on a screen like the one below.

On the left side, expand Certificates > Trusted Root Certification Authorities. Right click on the Certificates folder and select All Tasks > Import.

Select the certificate which was copied locally to your machine.

Enter the security password assigned when the certificate was exported from the server.

The store “Trusted Root Certification Authorities” should be prefilled as the destination. Click Next.

Review the settings and click Finish.

You should see a success message.

Refresh your view of the Trusted Root Certification Authorities > Certificates folder and you should see the server’s self signed certificate listed in the store.

Once this is done, you should be able to browse to an HTTPS site which uses these certificates and receive no warnings or prompts.

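As an added example covering both the export section and the client install above (it is not the article's own procedure), the same deployment in PowerShell with one change a defender would want: clients receive only the public certificate as a DER .cer file, so the server's private key never leaves the server, and the client pins the thumbprint it was told out of band before trusting the file. Assumed values are the <THUMBPRINT> placeholder, the path C:\certs\mydomain.cer, and the article's example host name mydomain.com.

```powershell
# Added example, not from the original article. Run Export-PublicCert on the server and
# Install-TrustedRoot on each client. Assumed values: the <THUMBPRINT> placeholder,
# C:\certs\mydomain.cer, and the article's example host name mydomain.com.
$ns = 'System.Security.Cryptography.X509Certificates'

function Export-PublicCert {
    param([string]$Thumbprint, [string]$OutFile)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    # Export('Cert') yields the DER-encoded certificate only: the private key stays on
    # the server, unlike the PFX produced by the export wizard above.
    [IO.File]::WriteAllBytes($OutFile, $cert.Export('Cert'))
    return $cert.Thumbprint   # give this to the client administrator out of band
}

function Install-TrustedRoot {
    param([string]$CerFile, [string]$ExpectedThumbprint, [string]$DnsName)
    $cert = New-Object -TypeName "$ns.X509Certificate2" -ArgumentList $CerFile
    # Pin the thumbprint so a swapped or tampered .cer never becomes a trust anchor.
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint mismatch: got $($cert.Thumbprint), expected $ExpectedThumbprint"
    }
    if ($cert.Subject -ne $cert.Issuer) { throw 'Not self-signed; refusing to add it to Trusted Root' }

    $root = New-Object -TypeName "$ns.X509Store" -ArgumentList 'Root', 'LocalMachine'
    $root.Open('ReadWrite')
    $root.Add($cert)          # the store the Import wizard fills: Trusted Root CAs
    $root.Close()

    # Check trust the way IE and Chrome will: build a chain for server authentication.
    $chain = New-Object -TypeName "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # a self-signed cert has no CRL or OCSP
    $serverAuth = New-Object -TypeName System.Security.Cryptography.Oid -ArgumentList '1.3.6.1.5.5.7.3.1'
    [void]$chain.ChainPolicy.ApplicationPolicy.Add($serverAuth)
    $built = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $chain.Reset()
    if (-not $built) { throw "Certificate is still not trusted: $status" }

    # The browser also matches the host name; -like lets a CN of *.mydomain.com pass.
    $certName = $cert.GetNameInfo('DnsName', $false)
    if (-not ($DnsName -like $certName)) { throw "Certificate is for '$certName', not '$DnsName'" }
    return "Trusted for https://$DnsName until $($cert.NotAfter)"
}

# Server:  Export-PublicCert -Thumbprint '<THUMBPRINT>' -OutFile 'C:\certs\mydomain.cer'
# Client:  Install-TrustedRoot -CerFile 'C:\certs\mydomain.cer' -ExpectedThumbprint '<THUMBPRINT>' -DnsName 'mydomain.com'
```

If the chain still fails to build on the client, the Status text names the reason (for example an expired certificate or one that was never added to the computer store rather than the user store).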

Firefox – Allowing Exceptions

Firefox handles this process a bit differently as it does not read certificate information from the Windows store. Rather than installing certificates (per se), it allows you to define exceptions for SSL certificates on particular sites.

When you visit a site which has a certificate error, you will get a warning like the one below. The area in blue will name the respective URL you are trying to access. To create an exception to bypass this warning on the respective URL, click the Add Exception button.

In the Add Security Exception dialog, click the Confirm Security Exception to configure this exception locally.

Note that if a particular site redirects to subdomains from within itself, you may get multiple security warning prompts (with the URL being slightly different each time). Add exceptions for those URLs using the same steps as above.

Conclusion

It is worth repeating the notice above that you should never install a security certificate from an unknown source. In practice, you should only install a certificate locally if you generated it. No legitimate website would require you to perform these steps.

Links

Download IIS 6.0 Resource Toolkit (includes SelfSSL utility) from Microsoft

Translated from: https://www.howtogeek.com/107415/it-how-to-create-a-self-signed-security-ssl-certificate-and-deploy-it-to-client-machines/
