# 客户端例子:不受信任的证书
我们知道,有些网站的HTTPS证书会被浏览器标识为不受信任,有可能是以下情况导致的:
- 颁发证书的机构不在操作系统的受信列表里
- 办法证书的机构在操作系统的受信列表里,但证书的安全级别不够
比如我们访问12306,chrome就会提示你“您的连接不是私密连接,攻击者可能会试图从kyfw.12306.cn窃取您的信息”。
那么,当我们用node向12306发起请求时,又会是什么状况呢?下面就来试下
var https = require('https');
https.get('https://www.baidu.com', function(res){
res.on('data', function(data){
process.stdout.write(data);
});
}).on('error', function(err){
console.error(err);
});
运行上面代码,输出如下。可以看到出现报错,提示信息是“self signed certificate in certificate chain”。大意就是说证书是网站自己签发的,不安全。
{ Error: self signed certificate in certificate chain
at Error (native)
at TLSSocket.<anonymous> (_tls_wrap.js:1055:38)
at emitNone (events.js:86:13)
at TLSSocket.emit (events.js:185:7)
at TLSSocket._finishInit (_tls_wrap.js:580:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:412:38) code: 'SELF_SIGNED_CERT_IN_CHAIN' }
出现上述错误怎么处理呢?我们知道,如果是在浏览器里访问,有两种处理方式:
- 忽略浏览器的安全提示,继续访问(浏览器可能会直接禁止你访问)
- 将网站的根证书导入到操作系统的受信任根证书列表里
# 入门示例
TODO
# 基础讲解
。。。
# 本地证书
。。。
# 服务器:自签名证书
➜ server git:(master) ✗ mkdir cert
➜ server git:(master) ✗ cd cert
➜ cert git:(master) ✗ openssl genrsa -out chyingp-key.pem 2048
Generating RSA private key, 2048 bit long modulus
.............................+++
..........................................+++
e is 65537 (0x10001)
➜ cert git:(master) ✗ openssl req -new -sha256 -key chyingp-key.pem -out chyingp-csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Guangdong
Locality Name (eg, city) []:Shenzhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:YH
Organizational Unit Name (eg, section) []:web
Common Name (e.g. server FQDN or YOUR name) []:www.chyingp.com
Email Address []:416394284@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:YH
➜ cert git:(master) ✗ openssl x509 -req -in chyingp-csr.pem -signkey chyingp-key.pem -out chyingp-cert.pem
# 私有CA签名的证书
首先,创建自签名的CA证书
# 创建ca的私钥
openssl genrsa -out my-ca.key.pem 2048
# 创建ca的证书
openssl req \
-x509 \
-new \
-nodes \
-key my-ca.key.pem \
-days 1024 \
-out my-ca.crt.pem \
-subj "/C=CN/ST=Guandong/L=Shenzhen/O=YH Inc/CN=chyingp.com"
然后,创建用CA的私钥进行签名的网站证书
# 创建私钥
openssl genrsa \
-out my-server.key.pem \
2048
# 创建证书签名请求
openssl req -new \
-key my-server.key.pem \
-out my-server.csr.pem \
-subj "/C=CN/ST=Guandong/L=Shenzhen/O=YH Inc/CN=www.chyingp.com"
# 创建网站证书
openssl x509 \
-req -in my-server.csr.pem \
-CA my-ca.crt.pem \
-CAkey my-ca.key.pem \
-CAcreateserial \
-out my-server.crt.pem \
-days 500