====== 给 localhost 添加CA证书 ======

参考 [[https://majing.io/posts/10000050311000]]

  - 在 Ubuntu 18.04 上执行<code bash>

openssl rand -writerand ~/.rnd

openssl req -x509 -nodes -new -sha256 -days 10240 -newkey rsa:2048 -keyout RootCA.key -out RootCA.pem -subj "/C=US/CN=WSS-Root-CA"

openssl x509 -outform pem -in RootCA.pem -out RootCA.crt
</code>生成根证书
  - 创建文件 domains.ext， 写入以下内容<code>
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = oakfire-wss.local
</code>
  - 继续执行<code bash>
openssl req -new -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.csr -subj "/C=CN/ST=Tianjin/L=Tianjin/O=Oakfire-Wss-Certificates/CN=localhost.local"
        
openssl x509 -req -sha256 -days 10240 -in localhost.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile domains.ext -out localhost.crt
</code>
  - 拷贝 localhost.key, localhost.crt 作为站点证书
  - 在 win10 上右键 RootCA.crt 导入 【受信任的根证书颁发机构】, 重启 chrome。  win7 打开''certmgr.msc'' 或 ''certlm.msc'' 来导入。