Chrome: untrusted certificate ---- issuing certificates with a Subject Alternative Name using openssl

Chrome reports a self-signed certificate as invalid

Chrome verifies certificates very strictly: the certificate must carry a Subject Alternative Name (SAN) extension.
When issuing the CSR, edit openssl.cnf (on Windows: \OpenSSL\bin\cnf\openssl.cnf).
In the [req] section add:
req_extensions = v3_req

When generating the CSR, openssl then reads the configuration section named v3_req:
[v3_req] # Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

In the [alt_names] section add your domains, one per line:
[alt_names]
DNS.1 = localhost
DNS.2 = your.domain.com


Generate the certificate (the -x509 flag makes openssl output a self-signed certificate directly rather than a CSR):
openssl req -sha256 -newkey rsa:2048 -nodes -keyout ssl.key -x509 -days 3650 -out ssl.crt -config ./cnf/openssl.cnf -extensions v3_req
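As an added example (not code from the original post), the same procedure as a stand-alone script: it writes a minimal config with the [v3_req] and [alt_names] sections instead of editing the global openssl.cnf, generates the self-signed certificate, and reads the SAN back out so you can confirm the extension Chrome requires is actually present. It assumes the openssl CLI is installed; the hostnames and output paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: generate a self-signed
# certificate whose Subject Alternative Name (SAN) lists the hostnames that
# Chrome will check, using a small stand-alone config instead of editing the
# global openssl.cnf, then read the SAN back out of the certificate.
# Requires the openssl CLI; hostnames and paths are constructed placeholders.
set -e

# gen_san_cert OUTDIR DNS1 DNS2 -> writes OUTDIR/ssl.key and OUTDIR/ssl.crt
gen_san_cert() {
    outdir="$1"; dns1="$2"; dns2="$3"
    mkdir -p "$outdir"
    cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[dn]
CN = $dns1

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $dns1
DNS.2 = $dns2
EOF
    # -x509 makes openssl emit a self-signed certificate instead of a CSR;
    # -extensions v3_req copies the SAN block into that certificate.
    openssl req -sha256 -newkey rsa:2048 -nodes \
        -keyout "$outdir/ssl.key" -x509 -days 3650 -out "$outdir/ssl.crt" \
        -config "$outdir/san.cnf" -extensions v3_req >/dev/null 2>&1
}

# san_of CERT -> prints the SAN entries, e.g. "DNS:localhost, DNS:dev.example.test"
# (empty output means the certificate has no SAN, which is what Chrome rejects)
san_of() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
```

Run `gen_san_cert ./out localhost your.domain.com` and then `san_of ./out/ssl.crt`; if the second command prints nothing, the extension was not applied and Chrome will still reject the certificate.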

After filling in the requested information, the corresponding key and crt files are generated.

Place the files in the directory that nginx's ssl certificate/key configuration points to.

The next, crucial step: import the certificate into the current system.

Click the "Start" button, type certmgr.msc in the "Search" box, and press Enter to open the "Certificate Manager". If you are prompted for an administrator password or for confirmation, type the password or provide confirmation.

windows 7 Certificate Manager (certificates manager)

First expand "Trusted Root Certification Authorities" in the left pane, select "Certificates" under it, then click "Action" -> "All Tasks" -> "Import" in the menu bar to open the Certificate Import Wizard. From there, continue with the steps described under the "Certificate Import Wizard" figure (quick jump).

Also, at the step where you view the certificate details, the Details tab has a "Copy to File" button; clicking it saves the certificate to a file.


Then restart the browser.


Reference: https://blog.zencoffee.org/2013/04/creating-and-signing-an-ssl-cert-with-alternative-names/

http://blog.chinaunix.net/uid-192452-id-5772724.html

https://cnzhx.net/blog/self-signed-certificate-as-trusted-root-ca-in-windows/


Add SSL certificate issued from a trusted root certificate

To access a site over an SSL-encrypted HTTPS connection, a trusted CA root certificate (Trusted CA Root Certificate) must be installed and configured. The reason you usually do not need to install any certificate to visit most sites is that the system or browser already ships with the certificates of a number of trusted issuing authorities. But when you visit a site whose organization or individual owner issued the certificate themselves, the browser shows a warning. In that case you can add the certificate to the "Trusted Root Certification Authorities" store, after which you will no longer receive the security prompt.


1. Introduction

Why issue your own security certificate (self-signed CA)? Because certificates from trusted issuing authorities usually cost a lot of money per year, while for small-scale use inside a company or organization trust is not a problem, so you can issue the security certificate yourself.

Whether such a security certificate can be trusted is up to the user to judge. For example, my friends would probably trust a certificate I issued, whereas people who do not know me probably would not.

After deploying an SSL service on a VPS with a certificate you issued yourself (acting as your own CA), accessing the site over HTTPS prompts that the certificate is not trusted. You can add the certificate to the "Trusted Root Certification Authorities" directory in the Windows Certificate Manager; afterwards, accessing your site over HTTPS no longer triggers the security prompt.

Warning: only install a security certificate when you are sure it can be trusted; otherwise it may cause serious security problems and even financial loss. The following describes how to install a security certificate issued by a non-accredited organization as a trusted root certificate.

Because security certificates are managed differently in each browser, the following are involved:

  1. Internet Explorer 9 - Microsoft browsers are all similar; hereinafter referred to as IE.
  2. Chrome - Chrome versions change frequently; version 21.0.1180.60 is used as the example below. On Windows, Chrome uses the system's certificates and has no separate certificate store, so once IE is sorted out, Chrome is too. To open the Certificate Manager from Chrome: Settings -> Advanced Settings -> HTTPS/SSL -> Manage Certificates...
  3. Firefox - Firefox is upgraded frequently these days; fortunately its interface, functions and operation do not change much. The example below uses Firefox 15. Firefox manages its security certificates independently; see the other article: Importing a self-signed SSL certificate as a trusted root certificate in Firefox.

2. Importing from Windows' built-in browser, Internet Explorer

When you open the site over HTTPS in IE, you receive the security warning shown below:

Internet Explorer 9 - Certificate Error: navigation is blocked. Note the message "There is a problem with this website's security certificate." At this point we can click "Continue to this website (not recommended)" to continue.

The warning page reads:

There is a problem with this website's security certificate.
The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website.

  • Click here to close this webpage.
  • Continue to this website (not recommended).

Details
If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting. When going to a website such as https://example.com, try adding "www" to the address, e.g. https://www.example.com. For more information, see "Certificate Errors" in Internet Explorer Help.

When the certificate error warning shown above appears, with luck you can see the text "Certificate Error" on a red background at the far right of the browser's address bar, as shown below.

The "Certificate Error" prompt with a red background in the IE address bar; after clicking "View certificates" the certificate can be installed directly

Click "View certificates" near the bottom of this error prompt to see the certificate details, from where the certificate can be installed directly into the Windows certificate manager, as shown below.

IE certificate details; click the "Install Certificate" button to start installing the certificate

Because the certificate was issued by yourself rather than by an accredited authority, Windows cannot trust it automatically: "This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store." Clicking the "Install Certificate" button opens the Windows Certificate Import Wizard; click "Next" to begin installing the certificate, as shown below.

Certificate Import Wizard

The system then asks where to store the certificate. Because it is a certificate issued by a non-accredited organization or individual, if you let Windows "Automatically select the certificate store based on the type of certificate", it is generally placed in "Intermediate Certification Authorities", and you will still receive the security warning when accessing the site over HTTPS later.

Since what we want, and the purpose of this article, is to stop getting a security warning when opening our own site, and since it is our own certificate so trust is not an issue, we add it directly to the "Trusted Root Certification Authorities" store, as shown below.

Installing the security certificate in Windows: select the certificate store location

Select "Place all certificates in the following store (P)", then click "Browse (R)" to open the "Select Certificate Store" window. Sometimes you may need to tick "Show physical stores (S)" and then select "Local Computer" under "Trusted Root Certification Authorities" as the store.

After selecting, click "OK" and then "Next". You may receive a security warning at this point (shown below) noting that what is being added is a "root" certificate (the highest trust level). The certificate shown in the figure is the one 水景一页 (the original author) issued himself.

Confirm adding the root certificate

All that remains is to confirm a few times, and the task is done! Then close the browser, reopen it, and try it out.

3. Installing through the Windows Certificate Manager

Because Windows and IE are both Microsoft's, they manage the same certificate store. So whether you import the certificate from the Windows certificate manager or install it directly from IE's prompt, the effect is the same. The only difference is that to install through the Windows Certificate Manager you first need to save the security certificate (the .crt file) to local disk. If you cannot obtain the certificate directly, first read the section on exporting a security certificate from the Firefox certificate manager in the other article.

In Windows 7 (via Microsoft), you must be logged in as an administrator to view or manage certificates and perform these steps. With the Certificate Manager you can view details about certificates, modify or delete them, or request new ones. To open the Certificate Manager:

Click the "Start" button, type certmgr.msc in the "Search" box, and press Enter to open the "Certificate Manager". If you are prompted for an administrator password or for confirmation, type the password or provide confirmation.

windows 7 Certificate Manager (certificates manager)

First expand "Trusted Root Certification Authorities" in the left pane, select "Certificates" under it, then click "Action" -> "All Tasks" -> "Import" in the menu bar to open the Certificate Import Wizard. Then continue from the earlier "Certificate Import Wizard" figure (quick jump) onwards.

Also, at the step where you view the certificate details, if you open the Details tab there is a "Copy to File" button; clicking it saves the certificate as a CA file.

4. Security certificate error prompt in Chrome

Because Chrome uses the certificates in the Windows system and has no independent certificate store, sorting out IE sorts out Chrome as well. To open the certificate manager from Chrome: Settings -> Advanced Settings -> HTTPS/SSL -> Manage Certificates...

When Chrome encounters a problem with a website's certificate, you receive an error prompt like the following:

The site's security certificate is not trusted!
You attempted to reach cnzhx.net, but the server presented a certificate issued by an entity that your computer's operating system does not trust. This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or that an attacker is trying to intercept your communications.
You should not proceed, especially if you have never seen this warning before for this site.

  • Proceed anyway
  • Back to safety
  • Help me understand
    When you connect to a secure website, the server hosting that site presents your browser with something called a "certificate" to verify its identity. This certificate contains identity information such as the website's address, which has been verified by a third party that your computer trusts. By checking that the address in the certificate matches the website's address, you can confirm that you are communicating securely with the website you intended, rather than with a third party (such as an attacker on your network). In this case, the certificate has not been verified by a third party your computer trusts. Anyone can create a certificate claiming to be whatever website they like, which is why it must be verified by a trusted third party. Without that verification, the identity information in the certificate is meaningless. It is therefore not possible to verify that you are communicating with the real cnzhx.net rather than with an attacker who generated a certificate claiming to be cnzhx.net. You should not proceed. However, if you work for an organization that generates its own certificates and you are trying to connect to an internal website of that organization using such a certificate, you can resolve the problem securely: by adding the organization's root certificate as a "root certificate", certificates issued or verified by that organization will be trusted, and this error will not occur the next time you try to connect to the internal website. Contact your organization's support staff for help adding a new root certificate to your computer.


Origin www.cnblogs.com/micro-chen/p/11797460.html