本地主机的自签名 SSL 证书,如何使可信
我有一个 Owin 自托管 C# 应用程序,它通过 127.0.0.1:5555 提供 Web API 服务(它只侦听 localhost,没有外部连接).
I have an Owin self-host C# app that provides Web API services over 127.0.0.1:5555 (it only listens on localhost, no external connections).
这些 Web API 服务是使用 AngularJS 应用程序中的 Ajax 调用的.顺便说一句:Owin 应用程序的原因是需要与硬件进行某些交互,而这在浏览器中是不可能的.另外,AngularJS 应用程序是供内部使用的,所以我可以控制所使用的浏览器.
These Web API services are called using Ajax from an AngularJS app. As an aside: the reason for the Owin app is that certain interaction with the hardware is needed, which is not possible from within a browser. Also, the AngularJS app is for internal use, so I have control over the browsers used.
以上内容在 HTTP 上运行良好,但 Angular JS 应用程序需要使用 SSL,除非 Owin 应用程序也使用 SSL,否则它不起作用(否则会出现混合内容"错误).
The above works very well over HTTP, but the Angular JS app needs to use SSL, which does not work unless the Owin app also uses SSL (otherwise you get "Mixed content" errors).
我已经为 AngularJS 应用程序购买了一个官方证书,并且我正在为 Owin localhost 的东西使用自签名证书.
I have bought an official cert for the AngularJS app, and I am using self-signed certs for the Owin localhost stuff.
问题是我在与 Owin Web API 交谈时从 AngularJS 应用程序中得到NET::ERR_CERT_AUTHORITY_INVALID"(从 Chrome 测试时)和net::ERR_INSECURE_RESPONSE".
The problem is that I get "NET::ERR_CERT_AUTHORITY_INVALID" (when testin from Chrome) and "net::ERR_INSECURE_RESPONSE" from the AngularJS app when talking to the Owin Web API.
这是我所做的,概括地说:
Here is what I have done, in broad strokes:
我使用 CentOS 机器为 localhost 生成证书并将其导出为 pkcs12/pfx 格式.我还生成了一个 CA 证书并以同样的方式导出.
I used a CentOS box to generate the cert for localhost and exported it to pkcs12 / pfx format. I also generated a CA cert and exported it the same way.
使用 MMC,我在运行 Angular & 的 Windows 7 机器上导入了 localhost 证书.Owin 应用进入证书(本地计算机)> 个人 > 证书.
Using MMC I imported the localhost cert on the Windows 7 machine running the Angular & Owin app into Certificates (Local Computer) > Personal > Certificates.
我还将 Windows 7 机器上的 CA 证书导入到证书(本地计算机)> 受信任的根证书权限 > 证书
I also imported the CA cert on the Windows 7 machine into Certificates (Local Computer) > Trusted Root Certification Auhorities > Certificates
查看 localhost 证书,它显示颁发给:localhost",颁发者:ca.acme.com",您有一个与此证书相对应的私钥",(在证书路径下)此证书没问题"
Looking at the localhost cert, it says "Issued to: localhost", Issued by: "ca.acme.com", "You have a private key that correpsonds to this certificate", (under Certification Path) "This certificate is Ok"
CA 证书显示颁发给:ca.acme.com"、颁发者:ca.acme.com"、您拥有与此证书相对应的私钥"、(在证书路径下)此证书没问题"
The CA cert says "Issued to: ca.acme.com", Issued by: "ca.acme.com", "You have a private key that correpsonds to this certificate", (under Certification Path) "This certificate is Ok"
netsh http show sslcert
IP:port : 127.0.0.1:5555
Certificate Hash : 1234555555555555555555511155555555555555
Application ID : {1234a123-1234-1234-1234-123412341234}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
我错过了什么?如何让 Chrome 等信任本地主机的 SSL 证书?
What am I missing? How can I make Chrome, etc. trust the SSL cert for localhost?
推荐答案
我得到了这个工作(至少足以满足我当前的需求).
I got this working (sufficiently for my current needs, at least).
我将 localhost 证书从证书(本地计算机)>个人>证书"复制到证书(当前用户)>个人>证书".这消除了 Chrome 中 https 的红叉(以及NET::ERR_CERT_AUTHORITY_INVALID"消息)以及 AngularJS 中的net::ERR_INSECURE_RESPONSE"错误.
I copied the localhost cert from "Certificates (Local Computer) > Personal > Certificates" to "Certificates (Current User) > Personal > Certificates". This got rid of the red cross-out of https in Chrome (and the "NET::ERR_CERT_AUTHORITY_INVALID" message) as well as the "net::ERR_INSECURE_RESPONSE" error in AngularJS.
请注意,在我的例子中,localhost 证书必须在本地计算机存储和当前用户存储中,否则将其绑定到端口 5555(用于 Owin 应用程序)的 netsh 命令将失败:
Note that in my case, the localhost cert had to be in both the Local Computer store and in the Current User Store, otherwise the netsh command for binding it to port 5555 (for the Owin app) would fail:
netsh http add sslcert ipport=127.0.0.1:5555 certhash=1234555555555555555555511155555555555555 appid={1234a123-1234-1234-1234-123412341234}
SSL Certificate add failed, Error: 1312, A specified logon session does not exist. It may already have been terminated.
Chrome中仍然没有漂亮的绿色挂锁(现在挂锁上有一个黄色的小三角形,该网站的身份已通过ca.acme.com验证,但没有公开审计记录"),但这似乎不会干扰 Web API 通信,所以应该没问题.
There is still no nice green padlock in Chrome (it now has a yellow little triangle on the pad lock, "The identity of this website has been verified by ca.acme.com but does not have public audit records"), but this does not seem to interfere with the Web API communication, so it should be fine.
如果有人知道一种简单的方法,可以在没有警告的情况下让它变得绿色和美观,我仍然很感兴趣,但这并不重要.
If anybody knows of an easy way to make it all green and nice with no warnings, I am still interested, but it is not critical.
相关文章