如何通过OpenSSL创建Chrome可信任的证书并更换过期的IIS/Tomcat服务器证书
首先验证自己的机器是tomcat版本的服务器,还是IIS的服务器:
在网页中输入:http://localhost 和https://localhost。来进行区分我的机器是使用的什么服务器:
1、通信服务器判断
1.1、IIS服务器
如果是IIS服务器,那么输入http://localhost ,那么我的计算机会弹出:
1.2、tomcat服务器
如果是tomcat服务器的话,在网页中输入http://localhost ,那么会弹出这个页面:
如果电脑的https配置完成的话,那么就说明我的计算机的https是计算机开启了:https://localhost
2、证书更新
2.1 OpenSSL创建的自签名证书
1、下载windows上适用的openssl,下载地址,因我的电脑是64位的,所以我选择下载OpenSSL 1.0.2t Light(64-bit)
点击:Win32OpenSSL进入下载
安装exe驱动程序;安装到windows:
进入到彬目录,我的电脑安装的是:
D:\Program Files\OpenSSL-Win64\bin
操作:
操作完整命令:
Microsoft Windows [版本 10.0.18363.1440]
(c) 2019 Microsoft Corporation。保留所有权利。
D:\Program Files\OpenSSL-Win64\bin>openssl genrsa -out 136zhengshu.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
......................+++++
....+++++
e is 65537 (0x010001)
D:\Program Files\OpenSSL-Win64\bin>openssl genrsa -out 222zhengshu.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................+++++
......+++++
e is 65537 (0x010001)
D:\Program Files\OpenSSL-Win64\bin>openssl req -new -key 222zhengshu.key -out 222zhengshu.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:XIAN
Locality Name (eg, city) []:XIAN
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Esrichina
Organizational Unit Name (eg, section) []:Esrichina
Common Name (e.g. server FQDN or YOUR name) []:t460p222.geoscene.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:h123456
An optional company name []:esrichina
D:\Program Files\OpenSSL-Win64\bin>echo "subjectAltName=DNS:t460p222.geoscene.com" > cert_extensions
D:\Program Files\OpenSSL-Win64\bin>openssl x509 -req -sha256 -in 222zhengshu.csr -signkey 222zhengshu.key -extfile cert_extensions -out 222zhengshu.crt -days 3650
x509: Error on line 1 of config file "cert_extensions"
D:\Program Files\OpenSSL-Win64\bin>echo subjectAltName=DNS:t460p222.geoscene.com > cert_extensions
D:\Program Files\OpenSSL-Win64\bin>openssl x509 -req -sha256 -in 222zhengshu.csr -signkey 222zhengshu.key -extfile cert_extensions -out 222zhengshu.crt -days 3650
Signature ok
subject=C = CN, ST = XIAN, L = XIAN, O = Esrichina, OU = Esrichina, CN = t460p222.geoscene.com, emailAddress = [email protected]
Getting Private key
D:\Program Files\OpenSSL-Win64\bin>openssl pkcs12 -inkey 222zhengshu.key -in 222zhengshu.crt -export -out 222zhengshu.pfx
Enter Export Password:
Verifying - Enter Export Password:
D:\Program Files\OpenSSL-Win64\bin>
完整截图:
注:截图上面红框的原因是echo这句 ,加“”的话,后面会无法找到x509x错误;
最后生成了pfx证书:
注:需要查看证书,如何应用于IP,以及颁发给多机器IP域名的,参考大牛博客:
OpenSSL创建的自签名证书在chrome端无法信任之(II)
2.2、tomcat证书更新
证书创建完成了,那么接下来就是对tomcat或者IIS服务器,替换更新证书了;
找到tomcat的安装目前conf的server.xml文件,修改443端口的证书;
2.3 IIS证书更新
点击确定后是:
进入后查看,没有的话,添加https的443端口,并绑定刚才添加的证书;
如果有的话,直接点击编辑,然后下面绑定新添加的证书即可;
我的计算机是更换证书,那么我只需要选择我新更新的证书即可。
这样,IIS或者tomcat的过期证书即更新完完成了。