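Viewing certificate details with openssl

How do you get an HTTPS certificate issued for a domain name or an IP address in a test environment?

In test environments, and sometimes even in production, developers need a self-signed certificate to enable HTTPS access. The first thing that comes to mind is the openssl tool suite, but its parameters are cumbersome and hard to remember.

For this situation, someone has already built a tool we can use: the mkcert command.

It is an open-source tool for generating local self-signed SSL certificates. The project is written in Golang, works across platforms, requires no configuration, supports multiple domain names, and automatically trusts the CA.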

Installing on macOS:
brew install mkcert
If you also want to test with the Firefox browser later, install nss as well:
brew install nss

First, take a look at the help:
 mkcert --help
Usage of mkcert:

    $ mkcert -install
    Install the local CA in the system trust store.

    $ mkcert example.org
    Generate "example.org.pem" and "example.org-key.pem".

    $ mkcert example.com myapp.dev localhost 127.0.0.1 ::1
    Generate "example.com+4.pem" and "example.com+4-key.pem".

    $ mkcert "*.example.it"
    Generate "_wildcard.example.it.pem" and "_wildcard.example.it-key.pem".

    $ mkcert -uninstall
    Uninstall the local CA (but do not delete it).

Advanced options:

    -cert-file FILE, -key-file FILE, -p12-file FILE
        Customize the output paths.

    -client
        Generate a certificate for client authentication.

    -ecdsa
        Generate a certificate with an ECDSA key.

    -pkcs12
        Generate a ".p12" PKCS #12 file, also know as a ".pfx" file,
        containing certificate and key for legacy applications.

    -csr CSR
        Generate a certificate based on the supplied CSR. Conflicts with
        all other flags and arguments except -install and -cert-file.

    -CAROOT
        Print the CA certificate and key storage location.

    $CAROOT (environment variable)
        Set the CA certificate and key storage location. (This allows
        maintaining multiple local CAs in parallel.)

    $TRUST_STORES (environment variable)
        A comma-separated list of trust stores to install the local
        root CA into. Options are: "system", "java" and "nss" (includes
        Firefox). Autodetected by default.

Next steps:
1. Generate the root certificate
mkcert -install
2. Issue a certificate
mkcert youdomain.com
mkcert ip

Check where the root certificate is stored:
% mkcert -CAROOT
/Users/money/Library/Application Support/mkcert
If you test with the Firefox browser, the root certificate in this directory needs to be imported by double-clicking it so that it is trusted.