我已经开始为一个 API 编写封装库(wrapper),它要求所有请求都通过 HTTPS 进行。在开发和测试它时,我不想向真实的 API 发出请求,而是希望在本地运行自己的服务器来模拟响应。
我对如何生成创建HTTPS服务器并向其发送请求所需的证书感到困惑。
我的服务器看起来像这样:
// Minimal HTTPS mock server: answers every request with "OK".
// `key` is the server's private key and `cert` its certificate, both PEM-encoded.
const serverOptions = {
  key: fs.readFileSync('./key.pem'),
  cert: fs.readFileSync('./cert.pem'),
};

const handleRequest = (req, res) => {
  res.writeHead(200);
  res.end('OK\n');
};

https.createServer(serverOptions, handleRequest).listen(8000);
PEM 文件是使用以下命令生成的:
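# Generate the key pair and a self-signed certificate for the local mock server.
# 1024-bit RSA is below the current minimum; use 2048 bits.
openssl genrsa -out key.pem 2048

# Self-signed certificate. CN and subjectAltName must match the host the client
# connects to ('localhost' in the request below); modern verifiers match the
# hostname against SAN rather than CN, so set both (-addext needs OpenSSL 1.1.1+).
# -subj makes the command non-interactive; -days gives a defined lifetime
# instead of the 30-day default.
openssl req -x509 -new \
  -key key.pem \
  -days 365 \
  -subj '/CN=localhost' \
  -addext 'subjectAltName=DNS:localhost' \
  -out cert.pem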
一个请求看起来像这样:
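// Request against the local mock server.
// To trust the self-signed server certificate, add a `ca` entry holding the
// PEM contents of cert.pem: with a self-signed cert, the cert itself is the
// root of its own chain. Keep `rejectUnauthorized` at its default (true);
// setting it to false would hide DEPTH_ZERO_SELF_SIGNED_CERT by switching
// certificate verification off entirely.
const options = {
  host: 'localhost',
  port: 8000,
  path: '/api/v1/test',
};

const req = https.request(options, (res) => {
  res.pipe(process.stdout);
});

// Without an 'error' listener, a TLS failure such as
// DEPTH_ZERO_SELF_SIGNED_CERT surfaces as an uncaught exception and
// crashes the process instead of being reported.
req.on('error', (err) => {
  console.error(`request failed: ${err.message}`);
});

req.end();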
使用这个设置,我得到了 Error: DEPTH_ZERO_SELF_SIGNED_CERT,所以我认为我需要为该请求添加一个 ca 选项。
Error: DEPTH_ZERO_SELF_SIGNED_CERT
ca
所以我的问题是我应该如何生成以下内容:
key
cert
我已经阅读了一些关于使用 openssl 生成自签名证书的资料,但似乎无法把这些内容串起来,也弄不清楚在 Node 代码中的哪个位置应该使用哪些密钥和证书。
更新
该 API 提供了一个要使用的 CA 证书,以替代默认的根证书。以下代码使用该证书可以正常工作,这正是我想在本地复现的效果。
// Request against the real API, trusting the CA certificate the API provides
// rather than the default root store.
const caCert = fs.readFileSync('./certificate.pem');

const requestOptions = {
  host: 'example.com',
  path: '/api/v1/test',
  ca: caCert,
};
// The Agent holds the TLS settings, so it is built from the same options.
// Certificate verification stays enabled (rejectUnauthorized defaults to
// true); the `ca` entry is what makes this chain verifiable.
requestOptions.agent = new https.Agent(requestOptions);

const onResponse = (res) => {
  res.pipe(process.stdout);
};

https.request(requestOptions, onResponse).end();
或者,使用真正的证书会更好吗?这两种方案您都考虑过吗?
(注意:Let's Encrypt 也可以为私有网络签发证书)
https://coolaj86.com/articles/how-to-create-a-csr-for-https-tls-ssl-rsa-pems/
https://github.com/coolaj86/nodejs-self-signed-certificate-example
以 localhost.greenlock.domains 为例(它解析到 127.0.0.1):
localhost.greenlock.domains
'use strict';

const https = require('https');
const fs = require('fs');
const path = require('path');

let port = process.argv[2] || 8043;

// NOTE(review): ssl-root-cas is a third-party module; it appears to register
// this private root with the trust list used for outgoing TLS — confirm.
require('ssl-root-cas')
  .inject()
  .addFile(path.join(__dirname, 'server', 'my-private-root-ca.cert.pem'));

const serverDir = path.join(__dirname, 'server');

const options = {
  // This is ONLY the PRIVATE KEY — never copy it to clients.
  key: fs.readFileSync(path.join(serverDir, 'privkey.pem')),
  // Leaf certificate followed by the chain (cert.pem + chain.pem, in that order).
  // `ca` is deliberately absent here: on a server it only configures
  // client-certificate (peer) authentication, not the server's own chain.
  cert: fs.readFileSync(path.join(serverDir, 'fullchain.pem')),
};

// Plain-text hello on every path.
function app(req, res) {
  res.setHeader('Content-Type', 'text/plain');
  res.end('Hello, encrypted world!');
}

const server = https.createServer(options, app);
server.listen(port, () => {
  port = server.address().port;
  console.log(`Listening on https://127.0.0.1:${port}`);
  console.log(`Listening on https://${server.address().address}:${port}`);
  console.log(`Listening on https://localhost.greenlock.domains:${port}`);
});
'use strict';

const https = require('https');
const fs = require('fs');
const path = require('path');

// The client trusts exactly one root: the private CA that signed the server's cert.
const ca = fs.readFileSync(path.join(__dirname, 'client', 'my-private-root-ca.cert.pem'));
const port = process.argv[2] || 8043;
const hostname = process.argv[3] || 'localhost.greenlock.domains';

const options = {
  host: hostname,
  port,
  path: '/',
  ca,
};
// The Agent carries the TLS settings; verification stays on
// (rejectUnauthorized defaults to true) and succeeds because of `ca`.
options.agent = new https.Agent(options);

https
  .request(options, (res) => {
    res.pipe(process.stdout);
  })
  .end();
以及制作证书文件的脚本:
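#!/bin/bash
# Creates a private root CA, then a server certificate for $1 signed by it.
# Usage: bash make-certs.sh <fqdn-or-ip>
#
# Risk note: whoever installs all/my-private-root-ca.cert.pem as trusted will
# trust every certificate this CA key signs. all/my-private-root-ca.privkey.pem
# is never copied to server/ or client/ and should stay out of version control.
set -euo pipefail

FQDN=${1:-}
if [ -z "$FQDN" ]; then
  echo "usage: $0 <fqdn-or-ip>" >&2
  exit 1
fi

# subjectAltName entry: an IP literal needs IP:, anything else is a DNS name.
case "$FQDN" in
  *[!0-9.]*) SAN="DNS:${FQDN}" ;;
  *) SAN="IP:${FQDN}" ;;
esac

# make directories to work from
mkdir -p server/ client/ all/

# Create your very own Root Certificate Authority
openssl genrsa \
  -out all/my-private-root-ca.privkey.pem \
  2048

# Self-sign your Root Certificate Authority
# Since this is private, the details can be as bogus as you like
openssl req \
  -x509 \
  -new \
  -nodes \
  -sha256 \
  -key all/my-private-root-ca.privkey.pem \
  -days 1024 \
  -out all/my-private-root-ca.cert.pem \
  -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"

# Create a Device Certificate for each domain,
# such as example.com, *.example.com, awesome.example.com
# NOTE: You MUST match CN to the domain name or ip address you want to use
openssl genrsa \
  -out all/privkey.pem \
  2048

# Create a request from your Device, which your Root CA will sign
openssl req -new \
  -key all/privkey.pem \
  -out all/csr.pem \
  -subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=${FQDN}"

# Sign the request from Device with your Root CA.
# subjectAltName is added because modern verifiers match the hostname against
# SAN rather than CN; without it browsers reject the certificate even though
# CN is correct.
openssl x509 \
  -req -in all/csr.pem \
  -CA all/my-private-root-ca.cert.pem \
  -CAkey all/my-private-root-ca.privkey.pem \
  -CAcreateserial \
  -sha256 \
  -extfile <(printf 'subjectAltName=%s\n' "$SAN") \
  -out all/cert.pem \
  -days 500

# Private keys readable only by their owner (rsync -a preserves the mode)
chmod 600 all/privkey.pem all/my-private-root-ca.privkey.pem

# Put things in their proper place
rsync -a all/{privkey,cert}.pem server/
cat all/cert.pem > server/fullchain.pem # we have no intermediates in this case
rsync -a all/my-private-root-ca.cert.pem server/
rsync -a all/my-private-root-ca.cert.pem client/

# create DER format crt for iOS Mobile Safari, etc
openssl x509 -outform der -in all/my-private-root-ca.cert.pem -out client/my-private-root-ca.crt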
例如:
# Example run: issue the CA and a server certificate for the example hostname.
bash make-certs.sh 'localhost.greenlock.domains'
希望这能彻底解决这个问题。
更多说明请见:https://github.com/coolaj86/node-ssl-root-cas/wiki/Painless-Self-Signed-Certificates-in-node.js
您需要创建一份 DER 格式、扩展名为 .crt 的根 CA 证书副本:
# Export the root CA certificate in DER form (.crt) so it can be imported on
# iOS Mobile Safari and similar clients. Only the public certificate is
# exported — the CA private key is not involved.
openssl x509 \
  -in all/my-private-root-ca.cert.pem \
  -outform der \
  -out client/my-private-root-ca.crt
然后,您只需通过 Web 服务器提供该文件即可。单击该链接时,系统会询问您是否要安装该证书。
要了解这一过程是如何工作的,可以尝试安装 MIT 的证书颁发机构证书作为示例:https://ca.mit.edu/mitca.crt