How to create a Chrome-trusted certificate with OpenSSL and replace expired IIS/Tomcat server certificates
First check whether your machine is running Tomcat or IIS: open http://localhost and https://localhost in a browser. To tell which server my machine is using:
1. Identifying the server from its response
1.1. IIS server
If it is an IIS server, opening http://localhost shows the IIS default page [screenshot: IIS default page]
1.2. Tomcat server
If it is a Tomcat server, opening http://localhost shows the Tomcat default page [screenshot: Tomcat default page]
If HTTPS has been configured, https://localhost also loads, which shows that HTTPS is enabled on my machine.
2. Certificate update
2.1 Self-signed certificate created by OpenSSL
1. Download the OpenSSL build for Windows from the download page. My machine is 64-bit, so I chose OpenSSL 1.0.2t Light (64-bit): click Win32OpenSSL to download and run the installer exe.
After installation, open a command prompt in the bin directory of the installation; on my machine that is:
D:\Program Files\OpenSSL-Win64\bin
The full command sequence:
Microsoft Windows [版本 10.0.18363.1440]
(c) 2019 Microsoft Corporation。保留所有权利。
D:\Program Files\OpenSSL-Win64\bin>openssl genrsa -out 136zhengshu.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
......................+++++
....+++++
e is 65537 (0x010001)
D:\Program Files\OpenSSL-Win64\bin>openssl genrsa -out 222zhengshu.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................+++++
......+++++
e is 65537 (0x010001)
D:\Program Files\OpenSSL-Win64\bin>openssl req -new -key 222zhengshu.key -out 222zhengshu.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:XIAN
Locality Name (eg, city) []:XIAN
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Esrichina
Organizational Unit Name (eg, section) []:Esrichina
Common Name (e.g. server FQDN or YOUR name) []:t460p222.geoscene.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:h123456
An optional company name []:esrichina
D:\Program Files\OpenSSL-Win64\bin>echo "subjectAltName=DNS:t460p222.geoscene.com" > cert_extensions
D:\Program Files\OpenSSL-Win64\bin>openssl x509 -req -sha256 -in 222zhengshu.csr -signkey 222zhengshu.key -extfile cert_extensions -out 222zhengshu.crt -days 3650
x509: Error on line 1 of config file "cert_extensions"
D:\Program Files\OpenSSL-Win64\bin>echo subjectAltName=DNS:t460p222.geoscene.com > cert_extensions
D:\Program Files\OpenSSL-Win64\bin>openssl x509 -req -sha256 -in 222zhengshu.csr -signkey 222zhengshu.key -extfile cert_extensions -out 222zhengshu.crt -days 3650
Signature ok
subject=C = CN, ST = XIAN, L = XIAN, O = Esrichina, OU = Esrichina, CN = t460p222.geoscene.com, emailAddress = [email protected]
Getting Private key
D:\Program Files\OpenSSL-Win64\bin>openssl pkcs12 -inkey 222zhengshu.key -in 222zhengshu.crt -export -out 222zhengshu.pfx
Enter Export Password:
Verifying - Enter Export Password:
D:\Program Files\OpenSSL-Win64\bin>
[screenshot: the full command session above, with the first echo command marked in a red box]
Note: the red box in the screenshot marks the first echo command. In cmd, echo writes the quotation marks into the file as well, so cert_extensions is no longer a valid extension file and the following x509 step fails with the "Error on line 1 of config file" shown above; write the echo line without quotes.
Finally the .pfx certificate (222zhengshu.pfx, containing the private key and the certificate) is generated.
Note: for how to check the certificate, how to issue it for an IP address, and how to cover several hostnames and IPs in one certificate, see the blog post: The
self-signed certificate created by OpenSSL cannot be trusted on the Chrome side (II)
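The same 2.1 procedure as an added example in POSIX shell (Git Bash or WSL on Windows); it is not code from the original post, and it goes slightly beyond it by also putting an IP address in the subjectAltName and adding the basicConstraints/extendedKeyUsage extensions of a server certificate. The hostname, IP address, file names and password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: issue a self-signed server
# certificate whose subjectAltName Chrome will accept, then export it as .pfx.
# Needs only the openssl CLI; hostname, IP and file names are placeholders.
set -eu

write_openssl_cnf() {
  # $1 = config path, $2 = DNS name, $3 = optional IP address.
  # A heredoc avoids the quoting trap in the post: cmd's `echo "..."` wrote the
  # literal quotes into cert_extensions, which x509 then refused to parse.
  san="DNS:$2"
  if [ -n "${3:-}" ]; then san="$san,IP:$3"; fi
  cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
[server_ext]
subjectAltName = $san
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
}

make_server_cert() {
  # $1 = output base name, $2 = DNS name, $3 = optional IP, $4 = pfx password.
  write_openssl_cnf "$1.cnf" "$2" "${3:-}"
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -batch -config "$1.cnf" -key "$1.key" -out "$1.csr"
  openssl x509 -req -sha256 -days 3650 -in "$1.csr" -signkey "$1.key" \
    -extfile "$1.cnf" -extensions server_ext -out "$1.crt" 2>/dev/null
  # IIS and Tomcat import the key+certificate pair from a PKCS#12 bundle.
  openssl pkcs12 -export -inkey "$1.key" -in "$1.crt" -out "$1.pfx" -passout "pass:$4"
}

san_of() {
  # Print the SAN entries of a certificate; empty output means Chrome rejects it
  # (Chrome ignores the CN and matches the hostname only against the SAN).
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Usage: sh make_cert.sh <basename> <dns-name> [ip] [pfx-password]
if [ $# -ge 2 ]; then
  make_server_cert "$1" "$2" "${3:-}" "${4:-changeit}"
  echo "SAN: $(san_of "$1.crt")"
fi
```

Before importing the .pfx, check that `san_of` lists every name the server will be reached by; a certificate without a matching SAN is what produces the Chrome "not trusted" error the post is about.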
2.2. Tomcat certificate update
Once the certificate has been created, the next step is to replace the certificate on the Tomcat or IIS server.
For Tomcat, open the server.xml file in the conf directory of the Tomcat installation and change the certificate configured for the port 443 connector to the new one.
2.3 IIS certificate update
Add the new .pfx certificate to IIS and click OK [screenshot: IIS certificate import dialog].
Then check the site bindings: if there is no https binding on port 443, add one and bind the certificate just added;
if there is one, click Edit and select the newly added certificate below.
On my machine I was replacing an existing certificate, so I only had to select the newly updated one.
This completes the replacement of the expired IIS or Tomcat certificate.