# Generating a Self-Signed Certificate (Unfinished)

###### tags: `certificate`, `SSL`, `unfinished`

## References

[1] : How to use OpenSSL to create a self-signed certificate for development and testing (Self-Signed Certificate)
https://blog.miniasp.com/post/2019/02/25/Creating-Self-signed-Certificate-using-OpenSSL

[2] : Notes on generating a self-signed certificate
https://malagege.github.io/blog/2020/07/18/%E7%94%A2%E7%94%9F%E8%87%AA%E7%B0%BD%E6%86%91%E8%AD%89%E7%AD%86%E8%A8%98/

[3] : TLS / SSL key conversion: how do you convert ".crt / .key" to ".pem"? (OpenSSL tutorial)
https://justhodl.blogspot.com/2018/04/tls-ssl-crt-key-to-pem-openssl.html

## Batch file for generating a self-signed certificate

Save the following script as a .bat file and it is ready to use.
Running it also prompts you to set a password. I'm lazy, so I just press Enter and use an empty password XD

```
@echo off

"C:\Program Files\Git\usr\bin\openssl.exe" req -x509 -new -nodes -sha256 -utf8 -days 3650 -newkey rsa:2048 -keyout server.key -out server.crt -config ssl.conf

"C:\Program Files\Git\usr\bin\openssl.exe" pkcs12 -export -in server.crt -inkey server.key -out server.pfx

"C:\Program Files\Git\usr\bin\openssl.exe" rsa -in server.key -text > private.pem

"C:\Program Files\Git\usr\bin\openssl.exe" x509 -inform PEM -in server.crt > server.pem

:: Requires elevated privileges; adds this certificate to the local machine
::certutil -addstore -f "ROOT" server.crt

pause
```

Pass the certificate files above to curl in PHP:

```
CURLOPT_CAINFO => "C:\\xampp\\ssl\\private.pem",
CURLOPT_SSLCERT => "C:\\xampp\\ssl\\server.pem",
```

The result is an error:
`curl : SSL certificate problem: unable to get local issuer certificate`

## Revision

So I adjusted it a bit more, but it did not produce the output successfully.

Reference: Self-signing a certificate with OpenSSL
https://blog.codebar.tw/self-signed-certificate-by-using-openssl-ec22a0257a28

```
@echo off

echo 1.建立CA
"C:\Program Files\Git\usr\bin\openssl.exe" genrsa -aes256 -out ca.key 4096
"C:\Program Files\Git\usr\bin\openssl.exe" req -new -x509 -days 365 -sha256 -subj "/C=TW/ST=Taipei/O=Duotify Inc./OU=IT Department/CN=localhost/emailAddress=wewe987001@gmail.com" -key ca.key -out ca.crt

echo 2.產生 Server/Client 的私鑰和 CSR
"C:\Program Files\Git\usr\bin\openssl.exe" req -x509 -new -sha256 -utf8 -days 365 -newkey rsa:2048 -keyout server.key -out server.csr -config ssl.conf

echo 3.建立憑證
"C:\Program Files\Git\usr\bin\openssl.exe" x509 -req -CAcreateserial -days 365 -sha256 -CA ca.crt -CAkey ca.key -in server.csr -out server.crt

echo ==============
echo 4.驗證:
echo 如果輸出訊息是error 18 at 0 depth lookup:self signed certificate
echo 則代表您的 CA 和 user 的 Common Name 重複了,請使用不同的 Common Name
echo ==============
"C:\Program Files\Git\usr\bin\openssl.exe" verify -CAfile ca.crt server.crt
```

The error occurs at step `3.建立憑證` (create the certificate); the error message is as follows:

```
34359836736:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: CERTIFICATE REQUEST
```
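The step-3 error above originates in step 2: `req -x509` writes a self-signed certificate into `server.csr` instead of a certificate request, so `x509 -req` finds no `CERTIFICATE REQUEST` block. The batch file below is an added example, not the original author's script, that generates a real CSR and signs it with the CA. The subject names, the `server.ext` file and its SAN values are assumptions for a localhost test setup.

```bat
@echo off
setlocal
:: Added example. The openssl.exe path is the one used on this page;
:: subject names and server.ext contents are assumptions for a localhost test.
set "OPENSSL=C:\Program Files\Git\usr\bin\openssl.exe"

echo 1. Create the CA (prompts for a passphrase protecting ca.key)
"%OPENSSL%" genrsa -aes256 -out ca.key 4096 || goto :fail
:: The CA Common Name must differ from the server's, otherwise verify reports error 18.
"%OPENSSL%" req -new -x509 -days 365 -sha256 -key ca.key -out ca.crt ^
  -subj "/C=TW/O=Example Dev/CN=Example Dev Root CA" || goto :fail

echo 2. Create the server key and a real CSR (no -x509 here)
"%OPENSSL%" req -new -nodes -sha256 -utf8 -newkey rsa:2048 ^
  -keyout server.key -out server.csr ^
  -subj "/C=TW/O=Example Dev/CN=localhost" || goto :fail

:: x509 -req does not copy extensions from the CSR by default, so supply them here.
(
  echo basicConstraints=CA:FALSE
  echo keyUsage=digitalSignature,keyEncipherment
  echo extendedKeyUsage=serverAuth
  echo subjectAltName=DNS:localhost,IP:127.0.0.1
) > server.ext

echo 3. Sign the CSR with the CA
"%OPENSSL%" x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial ^
  -days 365 -sha256 -extfile server.ext -out server.crt || goto :fail

echo 4. Verify that server.crt chains to ca.crt
"%OPENSSL%" verify -CAfile ca.crt server.crt || goto :fail

:: The CSR and extension file are no longer needed once the certificate is issued.
del server.csr server.ext
endlocal
exit /b 0

:fail
echo OpenSSL step failed, see the message above.
endlocal
exit /b 1
```

With this layout, `ca.crt` is the file to give `CURLOPT_CAINFO`, which expects the issuing CA certificate rather than a dump of a private key.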