如何为HTTPS Node.js服务器使用自签名证书？

Question

我已经开始为API编写一个包装器,它要求所有请求都通过HTTPS.我在开发和测试时不是向实际的API发出请求,而是想在本地运行我自己的服务器来模拟响应.

我很困惑如何生成我需要创建HTTPS服务器并向其发送请求的证书.

我的服务器看起来像这样:

var options = {
  key: fs.readFileSync('./key.pem'),
  cert: fs.readFileSync('./cert.pem')
};

https.createServer(options, function(req, res) {
  res.writeHead(200);
  res.end('OK\n');
}).listen(8000);

pem文件生成为:

openssl genrsa 1024 > key.pem
openssl req -x509 -new -key key.pem > cert.pem

请求看起来像这样:

var options = {
  host: 'localhost',
  port: 8000,
  path: '/api/v1/test'
};

https.request(options, function(res) {
  res.pipe(process.stdout);
}).end();

有了这个设置,我想Error: DEPTH_ZERO_SELF_SIGNED_CERT,我想我需要ca为请求添加一个选项.

所以我的问题是我应该如何生成以下内容:

1. 服务器key？
2. 服务器cert？
3. 在ca为请求？

我已经阅读了一些关于使用openssl生成自签名证书的事情,但似乎无法绕过它并找出在我的节点代码中使用哪些密钥和证书.

更新

API提供要使用的CA证书而不是默认值.以下代码使用他们的证书,这是我想在本地重现.

var ca = fs.readFileSync('./certificate.pem');

var options = {
  host: 'example.com',
  path: '/api/v1/test',
  ca: ca
};
options.agent = new https.Agent(options);

https.request(options, function(res) {
  res.pipe(process.stdout);
}).end();

Answer 1

更新(2018年11月):您需要自签名证书吗？

或者真正的证书会更好地完成工作吗？你考虑过这些吗？

• 让我们通过Greenlock.js加密
• 我们通过https://greenlock.domains加密
• Localhost中继服务,如https://telebit.cloud

(注意:我们的加密也可以向专用网​​络颁发证书)

截屏

https://coolaj86.com/articles/how-to-create-a-csr-for-https-tls-ssl-rsa-pems/

完整的,工作的例子

• 创建证书
• 运行node.js服务器
• node.js客户端中没有警告或错误
• 没有cURL中的警告或错误

https://github.com/coolaj86/nodejs-self-signed-certificate-example

以使用localhost.greenlock.domains为例(它指向127.0.0.1):

server.js

'use strict';

var https = require('https')
  , port = process.argv[2] || 8043
  , fs = require('fs')
  , path = require('path')
  , server
  , options
  ;

require('ssl-root-cas')
  .inject()
  .addFile(path.join(__dirname, 'server', 'my-private-root-ca.cert.pem'))
  ;

options = {
  // this is ONLY the PRIVATE KEY
  key: fs.readFileSync(path.join(__dirname, 'server', 'privkey.pem'))
  // You DO NOT specify `ca`, that's only for peer authentication
//, ca: [ fs.readFileSync(path.join(__dirname, 'server', 'my-private-root-ca.cert.pem'))]
  // This should contain both cert.pem AND chain.pem (in that order) 
, cert: fs.readFileSync(path.join(__dirname, 'server', 'fullchain.pem'))
};


function app(req, res) {
  res.setHeader('Content-Type', 'text/plain');
  res.end('Hello, encrypted world!');
}

server = https.createServer(options, app).listen(port, function () {
  port = server.address().port;
  console.log('Listening on https://127.0.0.1:' + port);
  console.log('Listening on https://' + server.address().address + ':' + port);
  console.log('Listening on https://localhost.greenlock.domains:' + port);
});

client.js

'use strict';

var https = require('https')
  , fs = require('fs')
  , path = require('path')
  , ca = fs.readFileSync(path.join(__dirname, 'client', 'my-private-root-ca.cert.pem'))
  , port = process.argv[2] || 8043
  , hostname = process.argv[3] || 'localhost.greenlock.domains'
  ;

var options = {
  host: hostname
, port: port
, path: '/'
, ca: ca
};
options.agent = new https.Agent(options);

https.request(options, function(res) {
  res.pipe(process.stdout);
}).end();

以及制作证书文件的脚本:

make-certs.sh

#!/bin/bash
FQDN=$1

# make directories to work from
mkdir -p server/ client/ all/

# Create your very own Root Certificate Authority
openssl genrsa \
  -out all/my-private-root-ca.privkey.pem \
  2048

# Self-sign your Root Certificate Authority
# Since this is private, the details can be as bogus as you like
openssl req \
  -x509 \
  -new \
  -nodes \
  -key all/my-private-root-ca.privkey.pem \
  -days 1024 \
  -out all/my-private-root-ca.cert.pem \
  -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"

# Create a Device Certificate for each domain,
# such as example.com, *.example.com, awesome.example.com
# NOTE: You MUST match CN to the domain name or ip address you want to use
openssl genrsa \
  -out all/privkey.pem \
  2048

# Create a request from your Device, which your Root CA will sign
openssl req -new \
  -key all/privkey.pem \
  -out all/csr.pem \
  -subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=${FQDN}"

# Sign the request from Device with your Root CA
openssl x509 \
  -req -in all/csr.pem \
  -CA all/my-private-root-ca.cert.pem \
  -CAkey all/my-private-root-ca.privkey.pem \
  -CAcreateserial \
  -out all/cert.pem \
  -days 500

# Put things in their proper place
rsync -a all/{privkey,cert}.pem server/
cat all/cert.pem > server/fullchain.pem         # we have no intermediates in this case
rsync -a all/my-private-root-ca.cert.pem server/
rsync -a all/my-private-root-ca.cert.pem client/

# create DER format crt for iOS Mobile Safari, etc
openssl x509 -outform der -in all/my-private-root-ca.cert.pem -out client/my-private-root-ca.crt

例如:

bash make-certs.sh 'localhost.greenlock.domains'

希望这能把钉子钉在这个棺材上.

还有一些解释:https://github.com/coolaj86/node-ssl-root-cas/wiki/Painless-Self-Signed-Certificates-in-node.js

在iOS Mobile Safari上安装私有证书

您需要创建具有.crt扩展名的DER格式的根ca证书的副本:

# create DER format crt for iOS Mobile Safari, etc
openssl x509 -outform der -in all/my-private-root-ca.cert.pem -out client/my-private-root-ca.crt

然后,您只需使用您的网络服务器提供该文件即可.单击该链接时,系统会询问您是否要安装证书.

有关其工作原理的示例,您可以尝试安装MIT的证书颁发机构:https://ca.mit.edu/mitca.crt

相关实例

• https://github.com/coolaj86/nodejs-ssl-example
• https://github.com/coolaj86/nodejs-ssl-trusted-peer-example
• https://github.com/coolaj86/node-ssl-root-cas
• https://github.com/coolaj86/nodejs-https-sni-vhost-example
  • (在同一服务器上使用SSL的多个vhost)
• https://telebit.cloud
  • (获取REAL SSL证书,您可以使用TODAY在localhost上进行测试)

Answer 2

尝试将此添加到您的请求选项中

var options = {
  host: 'localhost',
  port: 8000,
  path: '/api/v1/test',
  // These next three lines
  rejectUnauthorized: false,
  requestCert: true,
  agent: false
};