How to fix https openid error

Time: 2022-12-03 22:43:09

I am using local https protocol and a fake certificate.


When using django-openid-auth, it gives me this error:


OpenID failed

OpenID discovery error: Error fetching XRDS document: (60, 'server certificate         verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none')

How can I fix this?


1 solution

#1


1  

In my experience, in most cases the validators are picky about self-signed certificates.

In general, when using "fake" certificates you should always take the extra step and create a fake CA and sign the fake cert with the CA. If nothing else, this makes your testing more like a real-life scenario.

Here are brief instructions on how to do this with OpenSSL:

  1. Create a CA (self-signed):
     openssl req -x509 -new -out ca.crt -keyout ca.key -days 3650

  2. Create a server key and CSR:
     openssl req -out server.csr -pubkey -new -keyout server.secure.key

  3. Take off the passphrase:
     openssl rsa -in server.secure.key -out server.key

  4. Sign the server certificate with the CA:
     openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1825

  5. (For further certificates, use the existing serial number:
     openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out server.crt -days 1825)

Whenever you have problems with any SSL (not just HTTPS), use raw openssl to debug by doing

openssl s_client -connect <hostname>:<portnumber> <options>

e.g.

openssl s_client -connect localhost:443 -CAfile myfakeca.pem

This usually saves you a lot of trouble figuring out problems with your actual certificates that actually have nothing to do with your code.
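The answer's procedure carried through end to end, as an added example that is not part of the original answer: a POSIX shell script that creates the fake CA, signs a server certificate for localhost with it, and then runs the chain check a client performs, both against the fake CA (passes) and against the system trust store (fails, which is the "server certificate verification failed" from the question). It assumes openssl is on PATH. It departs from the numbered steps in two places: it uses -nodes so no passphrase has to be removed afterwards, and it adds a subjectAltName extension, which hostname-checking clients require. The subject names, the SAN list and the server.ext file name are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumes: openssl on PATH.
# File names follow the answer (ca.crt, ca.key, server.csr, server.key,
# server.crt); subjects, the SAN list and server.ext are constructed here.

# Build a throwaway CA and a server certificate signed by it inside "$1".
make_fake_ca_and_server_cert() {
    dir="$1"
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        # Step 1: self-signed CA. -nodes leaves the key unencrypted so the
        # script runs without prompts (the answer's step 3 is then unnecessary).
        openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
            -subj "/CN=Fake Test CA" -keyout ca.key -out ca.crt 2>/dev/null || exit 1
        # Step 2: server key and CSR, again without a passphrase.
        openssl req -new -nodes -newkey rsa:2048 -sha256 \
            -subj "/CN=localhost" -keyout server.key -out server.csr 2>/dev/null || exit 1
        # Step 4: sign with the CA. The extfile adds a subjectAltName; clients
        # that check hostnames ignore the CN and need this to accept the cert.
        printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\n' > server.ext
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 1825 -sha256 -extfile server.ext -out server.crt 2>/dev/null || exit 1
    )
}

# The chain check a client performs: does server.crt chain to ca.crt?
# Returns 0 (and prints "<dir>/server.crt: OK") when it does.
verify_against_fake_ca() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt"
}

# The same check against the system trust store. It fails by design: this is
# the verification failure the question reports, and the fix is to hand the
# client ca.crt (e.g. via -CAfile), not to switch verification off.
verify_against_system_store() {
    openssl verify "$1/server.crt" >/dev/null 2>&1
}

# Count SAN entries for localhost in the issued certificate (expect 1).
count_localhost_san() {
    openssl x509 -in "$1/server.crt" -noout -text | grep -c 'DNS:localhost'
}

# Stand-alone run: build into a temp dir and show both verification results.
demo_dir=$(mktemp -d)
make_fake_ca_and_server_cert "$demo_dir" && verify_against_fake_ca "$demo_dir"
verify_against_system_store "$demo_dir" || echo "system store rejects server.crt (expected)"
rm -rf "$demo_dir"
```

The resulting ca.crt is the file to point the client at (the -CAfile argument in the s_client command above, or whatever CA-bundle setting the HTTP library behind the OpenID fetcher exposes); once that is in place the XRDS fetch verifies like a real deployment would, without loosening the client's checks.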
