mkcert生成自签https证书过程记录

丁毅桂大约 4 分钟

mkcert生成自签https证书过程记录

安装mkcert

安装mkcert工具

sudo apt-get install mkcert

生成用户证书

生成证书:cert.crt 和私钥:cert-key.key

mkcert -cert-file ~/.ssl/cert.crt -key-file ~/.ssl/cert-key.key cn-zz-bgp-2.natfrp.cloud 43.249.193.55 localhost 127.0.0.1 ::1

# 输出结果:
# Created a new local CA 💥
# Note: the local CA is not installed in the system trust store.
# Note: the local CA is not installed in the Firefox and/or Chrome/Chromium trust store.
# Run "mkcert -install" for certificates to be trusted automatically ⚠️
# 
# Created a new certificate valid for the following names 📜
#  - "cn-zz-bgp-2.natfrp.cloud"
#  - "43.249.193.55"
#  - "localhost"
#  - "127.0.0.1"
#  - "::1"
# 
# The certificate is at "~/.ssl/cert.crt" and the key at "~/.ssl/cert-key.key" ✅
# 
# It will expire on 22 November 2024 🗓
# 
#

配置服务器安装用户证书(以code-server为例)

# vi ~/.config/code-server/config.yaml
# code-server的配置文件:
bind-addr: 0.0.0.0:8080
auth: password
password: ???????????????????????
# cert 为刚刚生成的证书
cert: /home/userName/.ssl/cert.crt
# cert-key 为刚刚生成的私钥
cert-key: /home/userName/.ssl/cert-key.key

此时访问localhost将依然报错,因为没有为浏览器安装颁发者的证书

安装颁发者证书

在PC端安装

方法1:使用命令将颁发者mkcert机构证书添加到系统信任,同时安装到本机的火狐浏览器和谷歌浏览器

mkcert -install

# 输出结果:
# 
# The local CA is now installed in the system trust store! 
# 翻译:本地证书已经添加到到系统信任仓库
# Warning: "certutil" is not available, so the CA can't be automatically installed in Firefox and/or Chrome/Chromium! ⚠️
# 翻译:certutil(证书工具)不可用,所以证书无法自动安装到本机的浏览器
# Install "certutil" with "apt install libnss3-tools" and re-run "mkcert -install" 👈
# 翻译: 执行 "apt install libnss3-tools"来安装"certutil",然后 重新执行 "mkcert -install"

# 安装libnss3-tools
apt install libnss3-tools
# 重新执行 "mkcert -install"
mkcert -install

此时浏览器就能正常访问了

方法2:手动将颁发者mkcert机构证书手动添加到客户端的浏览器
查看 CA 证书的存放位置

mkcert -CAROOT
# 输出结果:
# /root/.local/share/mkcert

tree $(mkcert -CAROOT)
# 输出结果: 
# /home/dyg/.local/share/mkcert
# ├── rootCA-key.pem 颁发者机构的私钥
# └── rootCA.pem 颁发者机构的证书