童琦杰
Nov 12, 2024 (Technology)

Man-in-the-middle proxy configuration

Creating the CA certificate

Generate the root CA private key, rootCA-key.pem:

```bash
openssl genrsa -out rootCA-key.pem 2048
```

Using that private key, generate the self-signed root CA certificate, rootCA.pem:

```bash
openssl req -x509 -new -nodes -key rootCA-key.pem -sha256 -days 3650 -out rootCA.pem -subj "/O=Organization/OU=OrgUnit/CN=CommonName"
```

The proxy service issues per-domain certificates signed by this root CA.

For the man-in-the-middle proxy to work, every client that connects through the proxy must also trust this CA certificate. Because those clients will then accept anything signed with rootCA-key.pem, that key must stay on the proxy host and must not be distributed with rootCA.pem.

Creating the domain certificate

Generate the domain private key, _wildcard.example.org-key.pem:

```bash
openssl genrsa -out _wildcard.example.org-key.pem 2048
```

Create the certificate signing request, _wildcard.example.org.csr (the subject here is a placeholder; clients match the hostname against the subjectAltName added in the next step, not against the CN):

```bash
openssl req -new -key _wildcard.example.org-key.pem -out _wildcard.example.org.csr -subj "/O=Organization/OU=OrgUnit/CN=CommonName"
```

Using rootCA.pem and rootCA-key.pem, sign the domain certificate, _wildcard.example.org.pem (the process substitution requires bash):

```bash
openssl x509 -req -in _wildcard.example.org.csr -CA rootCA.pem -CAkey rootCA-key.pem -CAcreateserial -out _wildcard.example.org.pem -days 365 -sha256 -extfile <(printf "subjectAltName=DNS:*.example.org,DNS:example.org")
```

Using _wildcard.example.org-key.pem and _wildcard.example.org.pem, bundle the key and certificate into a PKCS#12 file, _wildcard.example.org.pfx:

```bash
openssl pkcs12 -export -out _wildcard.example.org.pfx -inkey _wildcard.example.org-key.pem -in _wildcard.example.org.pem
```

The proxy service uses this domain certificate file, _wildcard.example.org.pfx.

Configuring the proxy for Java applications

Add the following VM options when starting the application, assuming the proxy listens on port 13000:

```bash
-Dhttp.proxyHost=localhost -Dhttp.proxyPort=13000 -Dhttps.proxyHost=localhost -Dhttps.proxyPort=13000
```

The JVM must also trust the CA certificate generated above; import rootCA.pem with keytool (replace [alias] with a name of your choice; changeit is the default password of the JDK cacerts store):

```bash
keytool -importcert -keystore $JAVA_HOME/lib/security/cacerts -file rootCA.pem -alias [alias] -storepass changeit
```

Configuring the proxy on iOS devices

Send the generated CA certificate file rootCA.pem to the iOS device.

Install the CA certificate as a profile.

Then enable full trust for the installed CA certificate under Settings > General > About > Certificate Trust Settings.

Domain certificate generation script

The root CA (rootCA.pem, rootCA-key.pem) and a certificate signing request with its private key (certificate.csr, certificate-key.pem) already exist in the current directory.

Run the script with bash (it uses bash syntax, so `sh` will not work on systems where sh is dash); quote the hostname so the shell does not expand the wildcard: bash your_script.sh -h "*.example.org"

your_script.sh:

```bash
#!/bin/bash
# Issue a leaf certificate for one hostname from the local root CA and
# bundle it into a PKCS#12 file. Abort on the first failing command.
set -eu

CA=rootCA.pem
CA_KEY=rootCA-key.pem
CERT_CSR=certificate.csr
CERT_KEY=certificate-key.pem
HOSTNAME=
while getopts 'h:' OPTION; do
    case "$OPTION" in
        h)
            HOSTNAME="$OPTARG"
        ;;
        ?)
            echo "script usage: $(basename "$0") [-h hostname]"
            exit 1
        ;;
    esac
done
shift "$((OPTIND - 1))"

if [ -z "${HOSTNAME}" ]; then
    echo "argument [-h hostname] is required"
    exit 1
fi

# replace '*' with '_wildcard', e.g. *.example.org => _wildcard.example.org
FILENAME="${HOSTNAME}"
if [[ "$HOSTNAME" == *\** ]]; then
    FILENAME="${HOSTNAME//\*/_wildcard}"
fi

# Temporary extension file carrying the subjectAltName; the hostname is
# passed as a printf argument, not as part of the format string.
EXTFILE=$(mktemp)
printf 'subjectAltName=DNS:%s\n' "${HOSTNAME}" > "$EXTFILE"

# Sign the CSR with the root CA configured above (CA and CA_KEY).
openssl x509 -req -in "${CERT_CSR}" -CA "${CA}" -CAkey "${CA_KEY}" -CAcreateserial -out "${FILENAME}.pem" -days 365 -sha256 -extfile "$EXTFILE"

rm -f "$EXTFILE"

# Export key + certificate as PKCS#12 with an empty export password.
openssl pkcs12 -export -out "${FILENAME}.pfx" -inkey "${CERT_KEY}" -in "${FILENAME}.pem" -passout pass:

rm -f "${FILENAME}.pem"

echo "hostname ${HOSTNAME} added"
exit 0
```

© 2015-2022 tongqijie.com. All rights reserved. 沪ICP备17000682号
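As an added check that is not part of the original post: the script below (my own example, not the post's script) issues a wildcard leaf from a throwaway root CA the same way as above and then verifies it the way a TLS client would, chaining to the CA and matching the hostname against the subjectAltName. The /O=Example subjects and the file names rootCA.pem, leaf.pem and leaf.csr are constructed for the demo. It also goes one step beyond the post by showing that *.example.org covers www.example.org but not a.b.example.org.

```bash
#!/bin/bash
# Added example (not from the post): issue a wildcard leaf from a throwaway
# root CA exactly as described above, then check what a TLS client would
# actually validate. The /O=Example subjects and file names are constructed.
set -euo pipefail

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway root CA, same commands as the post (2048-bit RSA, self-signed).
openssl genrsa -out rootCA-key.pem 2048 2>/dev/null
openssl req -x509 -new -nodes -key rootCA-key.pem -sha256 -days 3650 \
    -out rootCA.pem -subj "/O=Example/CN=Example Test Root" 2>/dev/null

# Leaf key and CSR. The CN is a placeholder: clients match the SAN, not the CN.
openssl genrsa -out leaf-key.pem 2048 2>/dev/null
openssl req -new -key leaf-key.pem -out leaf.csr \
    -subj "/O=Example/CN=placeholder" 2>/dev/null
EXT=$(mktemp)
printf 'subjectAltName=DNS:*.example.org,DNS:example.org\n' > "$EXT"
openssl x509 -req -in leaf.csr -CA rootCA.pem -CAkey rootCA-key.pem \
    -CAcreateserial -out leaf.pem -days 365 -sha256 -extfile "$EXT" 2>/dev/null
rm -f "$EXT"

# check_leaf CA_FILE LEAF_FILE HOSTNAME
# Returns 0 only if LEAF_FILE chains to CA_FILE and is valid for HOSTNAME
# (SAN match with one-label wildcard rules), 1 otherwise, and 2 if the leaf
# is itself marked CA:TRUE, which would let its key holder mint further certs.
check_leaf() {
    local ca=$1 leaf=$2 host=$3
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$leaf" \
        >/dev/null 2>&1 || return 1
    if openssl x509 -in "$leaf" -noout -text | grep -q 'CA:TRUE'; then
        return 2
    fi
    return 0
}

# *.example.org covers one label only: www.example.org yes, a.b.example.org no.
for h in www.example.org example.org a.b.example.org www.example.com; do
    if check_leaf rootCA.pem leaf.pem "$h"; then
        echo "$h: accepted"
    else
        echo "$h: rejected"
    fi
done
```

Run the same check against the certificate the proxy actually serves (for example _wildcard.example.org.pem from the script above) to confirm the SAN and chain before trusting the CA on any client.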