童琦杰
Nov 12, 2024 | Technology

Proxy service

Creating certificates

Generate the certificate file certificate.crt

```bash
# -addext requires OpenSSL 1.1.1 or newer
openssl req -x509 -newkey rsa:2048 -keyout [certificate.key] -out [certificate.crt] -days 365 -nodes -subj "/CN=*.example.com" -addext "subjectAltName=DNS:*.example.com"
```

sans.cnf

```ini
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
x509_extensions    = v3_ca
prompt             = no

[ req_distinguished_name ]
C            = US
ST           = California
L            = San Francisco
O            = Example Company
OU           = IT Department
CN           = *.example.com  # Primary common name (CN)

[ req_ext ]
subjectAltName = @alt_names

[ v3_ca ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.example.com          # First alternative name
DNS.2 = *.example2.com         # Second alternative name
```

```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout [certificate.key] -out [certificate.crt] -config [sans.cnf]
```

Generate the pfx file certificate.pfx

```bash
# prompts for an export password that protects the bundled private key
openssl pkcs12 -export -out [certificate.pfx] -inkey [certificate.key] -in [certificate.crt]
```
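As an added example that is not part of the original post, the script below runs the same two openssl commands and then checks what actually ended up in the files before the .pfx is imported anywhere: the DNS names in subjectAltName (the names clients match against), that the private key and certificate belong together, that the certificate is not about to expire, and that the .pfx opens with its export password. It assumes OpenSSL 1.1.1 or newer (for -addext and -ext) and mktemp; the directory, the wildcard name and the changeit password are placeholders, and the export password is passed with -passout only so the function runs unattended.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes OpenSSL 1.1.1+.
set -u

# Create certificate.key, certificate.crt and certificate.pfx in directory $1
# for wildcard name $2, with export password $3 (placeholders by default).
make_selfsigned() {
    dir="$1"; name="${2:-*.example.com}"; pfx_pass="${3:-changeit}"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/certificate.key" -out "$dir/certificate.crt" \
        -subj "/CN=$name" -addext "subjectAltName=DNS:$name" 2>/dev/null
    # Same export as the post, but the password is given on the command line
    # so the function can run without a prompt.
    openssl pkcs12 -export -out "$dir/certificate.pfx" \
        -inkey "$dir/certificate.key" -in "$dir/certificate.crt" \
        -passout "pass:$pfx_pass"
}

# Print the DNS names in subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Return 0 if private key $1 and certificate $2 carry the same public key
# (compared as SHA-256 digests of the DER-encoded public key).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 if certificate $1 is still valid $2 seconds from now (default 30 days).
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null
}

# Return 0 if the .pfx $1 opens (MAC verifies) with password $2.
pfx_opens() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_selfsigned "$work" '*.example.com' changeit
    echo "SANs:"; cert_sans "$work/certificate.crt"
    key_matches_cert "$work/certificate.key" "$work/certificate.crt" && echo "key matches cert"
    cert_not_expiring "$work/certificate.crt" && echo "valid for more than 30 days"
    pfx_opens "$work/certificate.pfx" changeit && echo "pfx opens"
fi
```

Run it as `sh script.sh demo`. The SAN check is the one worth keeping around: a certificate whose only name is in the CN will be rejected by current browsers and by Java and iOS clients, so confirm the wildcard is present in subjectAltName before importing the .pfx into the proxy.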

The generated pfx file can then be imported into the proxy service.

Configuring a proxy for a Java application

Add the following VM arguments

```bash
-Dhttp.proxyHost=localhost -Dhttp.proxyPort=13000 -Dhttps.proxyHost=localhost -Dhttps.proxyPort=13000
```

Add the certificate to the trust store

```bash
# changeit is the default password of the JDK cacerts store;
# on JDK 8 the store lives at $JAVA_HOME/jre/lib/security/cacerts
keytool -importcert -keystore $JAVA_HOME/lib/security/cacerts -file [certificate.crt] -alias [alias] -storepass changeit
```
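The keytool command above edits the JVM-wide cacerts, so every Java program run with that JDK trusts the proxy certificate. As an added example that is not part of the original post, the script below instead copies the default trust store to a per-application file, imports the certificate into the copy, confirms the entry is present, and prints the VM arguments that combine the proxy settings with that store. It assumes keytool on PATH and JAVA_HOME set; the store path, alias, port and the changeit password are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: trust the proxy certificate in a
# per-application trust store rather than the JVM-wide cacerts.
# Assumes keytool on PATH and JAVA_HOME set.
set -u

# Locate the JDK's default trust store (JDK 9+ layout, then JDK 8 layout).
default_cacerts() {
    if [ -f "$JAVA_HOME/lib/security/cacerts" ]; then
        printf '%s\n' "$JAVA_HOME/lib/security/cacerts"
    else
        printf '%s\n' "$JAVA_HOME/jre/lib/security/cacerts"
    fi
}

# Return 0 if trust store $1 (password $3) holds alias $2 as a trusted entry.
truststore_has_alias() {
    keytool -list -keystore "$1" -storepass "$3" -alias "$2" 2>/dev/null \
        | grep -q trustedCertEntry
}

# Copy the default store to $2 and import certificate $1 into the copy under
# alias $3. The copy keeps the JDK default password (changeit).
# Returns 0 if the entry is present afterwards.
make_app_truststore() {
    cert="$1"; store="$2"; alias="${3:-proxy-ca}"; pass=changeit
    cp "$(default_cacerts)" "$store"
    keytool -importcert -noprompt -keystore "$store" -storepass "$pass" \
        -file "$cert" -alias "$alias" >/dev/null 2>&1
    truststore_has_alias "$store" "$alias" "$pass"
}

# Print the VM arguments: proxy on localhost:$2, trust store $1 with password $3.
jvm_args() {
    args="-Dhttp.proxyHost=localhost -Dhttp.proxyPort=$2"
    args="$args -Dhttps.proxyHost=localhost -Dhttps.proxyPort=$2"
    args="$args -Djavax.net.ssl.trustStore=$1 -Djavax.net.ssl.trustStorePassword=$3"
    printf '%s\n' "$args"
}

if [ "${1:-}" = "demo" ]; then
    # certificate.crt, app-truststore.p12 and app.jar are placeholders
    make_app_truststore certificate.crt app-truststore.p12 proxy-ca \
        && echo "java $(jvm_args app-truststore.p12 13000 changeit) -jar app.jar"
fi
```

Because the copy starts from the JDK's own cacerts, the application still trusts the public CAs; only this one JVM invocation additionally trusts the proxy certificate, and deleting the copy reverts the change.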

Setting up a proxy on iOS

1. Manually generate the rootCA certificate and private key (if needed)

```bash
# Generate the rootCA private key
openssl genrsa -out rootCA-key.pem 2048

# Generate the self-signed rootCA certificate
openssl req -x509 -new -nodes -key rootCA-key.pem -sha256 -days 3650 -out rootCA.pem -subj "/O=Organization/OU=OrgUnit/CN=example.com"
```

2. Send the rootCA certificate file rootCA.pem to the iOS device and install it, then enable trust for that rootCA under Settings > General > About > Certificate Trust Settings. Skip this step if it has already been installed.

3. Generate the wildcard domain certificate (_wildcard.example.org.pem and _wildcard.example.org-key.pem)

```bash
# Generate the wildcard domain private key
openssl genrsa -out _wildcard.example.org-key.pem 2048

# Create the certificate signing request (CSR)
# Clients match the subjectAltName set below, not the CN given here
openssl req -new -key _wildcard.example.org-key.pem -out _wildcard.example.org.csr -subj "/O=Organization/OU=OrgUnit/CN=example.com"

# Sign the wildcard certificate with the rootCA (<(...) is bash process substitution)
openssl x509 -req -in _wildcard.example.org.csr -CA rootCA.pem -CAkey rootCA-key.pem -CAcreateserial -out _wildcard.example.org.pem -days 365 -sha256 -extfile <(printf "subjectAltName=DNS:*.example.org,DNS:example.org")
```

4. Generate the PKCS#12 file _wildcard.example.org.pfx from _wildcard.example.org.pem and _wildcard.example.org-key.pem

```bash
openssl pkcs12 -export -out _wildcard.example.org.pfx -inkey _wildcard.example.org-key.pem -in _wildcard.example.org.pem
```
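As an added example that is not part of the original post, the script below builds the rootCA from step 1 and the rootCA-signed wildcard certificate from step 3, then runs the two checks an iOS or Java client performs once the rootCA is trusted: that the leaf chains to the rootCA, and that the requested hostname is covered by the leaf's subjectAltName. It assumes OpenSSL 1.1.0 or newer (for -verify_hostname) and mktemp; the directory, the organisation fields, the CA name "Example Root CA" and the example.org domain are placeholders, and the SAN is written to a plain file instead of the post's <(printf ...) so the script also runs under sh.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: root CA + CA-signed wildcard
# leaf, followed by chain and hostname verification. Assumes OpenSSL 1.1.0+.
set -u

# Create rootCA.pem / rootCA-key.pem and a wildcard leaf for *.$2 in directory $1.
make_ca_and_wildcard() {
    dir="$1"; domain="${2:-example.org}"
    # Step 1: root CA key and self-signed CA certificate
    openssl genrsa -out "$dir/rootCA-key.pem" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/rootCA-key.pem" -sha256 -days 3650 \
        -out "$dir/rootCA.pem" -subj "/O=Organization/OU=OrgUnit/CN=Example Root CA"
    # Step 3: leaf key, CSR, and CA-signed certificate carrying a SAN
    openssl genrsa -out "$dir/_wildcard.$domain-key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/_wildcard.$domain-key.pem" \
        -out "$dir/_wildcard.$domain.csr" -subj "/O=Organization/OU=OrgUnit/CN=*.$domain"
    # The SAN is what clients match; the CN in -subj is not consulted once a SAN exists.
    printf 'subjectAltName=DNS:*.%s,DNS:%s\n' "$domain" "$domain" > "$dir/san.ext"
    openssl x509 -req -in "$dir/_wildcard.$domain.csr" -CA "$dir/rootCA.pem" \
        -CAkey "$dir/rootCA-key.pem" -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/san.ext" -out "$dir/_wildcard.$domain.pem" 2>/dev/null
}

# Return 0 if leaf $2 chains to CA $1 and its SAN covers hostname $3.
verify_for_host() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_ca_and_wildcard "$work" example.org
    for h in api.example.org example.org deep.api.example.org example.com; do
        if verify_for_host "$work/rootCA.pem" "$work/_wildcard.example.org.pem" "$h"; then
            echo "$h: accepted"
        else
            echo "$h: rejected"
        fi
    done
fi
```

Running the demo shows which names the certificate really serves: api.example.org and example.org are accepted, deep.api.example.org is rejected because a wildcard covers exactly one label, and example.com is rejected because it is not in the subjectAltName, even though the post's CSR puts it in the CN. Any name the proxy must intercept therefore has to appear in the subjectAltName line before the certificate is signed and packaged.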