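In test environments, and even in production, developers sometimes need self-signed certificates to enable HTTPS access. The openssl toolkit is the first thing that comes to mind, but its parameters are cumbersome and hard to remember.
For this situation someone has already built a tool for us to use: the mkcert command.
mkcert is an open-source tool for generating local self-signed SSL certificates. The project is written in Golang, works across platforms, requires no configuration, and supports multiple domain names as well as automatically trusting the CA.
Installing on macOS: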
brew install mkcert
If you also want to test with the Firefox browser later, install nss as well:
brew install nss
First, take a look at the help:
mkcert --help
Usage of mkcert:
$ mkcert -install
Install the local CA in the system trust store.
$ mkcert example.org
Generate "example.org.pem" and "example.org-key.pem".
$ mkcert example.com myapp.dev localhost 127.0.0.1 ::1
Generate "example.com+4.pem" and "example.com+4-key.pem".
$ mkcert "*.example.it"
Generate "_wildcard.example.it.pem" and "_wildcard.example.it-key.pem".
$ mkcert -uninstall
Uninstall the local CA (but do not delete it).
Advanced options:
-cert-file FILE, -key-file FILE, -p12-file FILE
Customize the output paths.
-client
Generate a certificate for client authentication.
-ecdsa
Generate a certificate with an ECDSA key.
-pkcs12
Generate a ".p12" PKCS #12 file, also know as a ".pfx" file,
containing certificate and key for legacy applications.
-csr CSR
Generate a certificate based on the supplied CSR. Conflicts with
all other flags and arguments except -install and -cert-file.
-CAROOT
Print the CA certificate and key storage location.
$CAROOT (environment variable)
Set the CA certificate and key storage location. (This allows
maintaining multiple local CAs in parallel.)
$TRUST_STORES (environment variable)
A comma-separated list of trust stores to install the local
root CA into. Options are: "system", "java" and "nss" (includes
Firefox). Autodetected by default.
Next steps:
1. Generate the root certificate
mkcert -install
2. Issue certificates
mkcert youdomain.com
mkcert ip
Show the root certificate location:
% mkcert -CAROOT
/Users/money/Library/Application Support/mkcert
If you test with Firefox, the root certificate in this directory has to be imported by double-clicking it so that it becomes trusted.
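
The trust relationship that steps 1 and 2 set up, modelled with Go's standard library. This is an added example, not code from mkcert or from the original post, and it goes beyond the commands above: the names newCert and Verifies and the throwaway P-256 CA are assumptions. It shows that an issued certificate validates only when the local root is in the verifier's trust store and the requested name or IP is one of the certificate's SANs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert issues a cert for the SANs; a nil parent yields a self-signed root (the step 1 role).
func newCert(cn string, dns []string, ips []net.IP, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: dns, IPAddresses: ips}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil { // root CA: signs itself and may sign other certificates
		t.IsCA, t.KeyUsage, parent, pk = true, x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Verifies reports whether a leaf for dns/ips validates for host; trustRoot=false models a store lacking the root.
func Verifies(dns []string, ips []net.IP, host string, trustRoot bool) bool {
	ca, caKey := newCert("constructed local CA", nil, nil, nil, nil)
	leaf, _ := newCert("constructed leaf", dns, ips, ca, caKey)
	roots := x509.NewCertPool()
	if trustRoot {
		roots.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() { fmt.Println(Verifies([]string{"youdomain.com"}, nil, "youdomain.com", true)) }
```

The trustRoot=false case is what a browser with its own store sees before the root is imported, and the private key returned for the root plays the part of the CA key kept under the directory that mkcert -CAROOT prints: whoever holds it can issue certificates that every store trusting that root will accept.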