Configuring HTTPS

Source: Internet   Editor: 程序博客网   Date: 2024/04/29 13:46

Install openssl

$ yum install openssl

Create the CA

`CA -newca` sets up a private CA under /etc/pki/CA: a CA private key, protected by the PEM passphrase entered below, and a self-signed CA certificate that will later sign the server CSR. The passphrase 123456 shown here is a placeholder; use a strong one on a real CA.

$ cd /etc/pki/CA
$ /etc/pki/tls/misc/CA -newca
Enter PEM pass phrase: 123456
Verifying - Enter PEM pass phrase: 123456
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:CN
Locality Name (eg, city) [Default City]:CN
Organization Name (eg, company) [Default Company Ltd]:CN
Organizational Unit Name (eg, section) []:CN
Common Name (eg, your name or your server's hostname) []:chenliujin.com
Email Address []:liujin.chen@qq.com

Generate a CSR (Certificate Signing Request)

Method 1: RSA key stored unencrypted (-nodes)

$ openssl req -nodes -newkey rsa:2048 -keyout domain.key -out domain.csr
Generating a 2048 bit RSA private key
....................+++
...................................................................................+++
writing new private key to 'domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:CN
Locality Name (eg, city) [Default City]:CN
Organization Name (eg, company) [Default Company Ltd]:CN
Organizational Unit Name (eg, section) []:CN
Common Name (eg, your name or your server's hostname) []:www.chenliujin.com
Email Address []:liujin.chen@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Method 2: RSA key encrypted with 3DES (-des3 protects the private key with a passphrase; the key itself is still RSA). nginx will then prompt for the passphrase on every start unless ssl_password_file is configured or the key is stored unencrypted.

$ openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
........+++
..............................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key: 123456             # type the passphrase
Verifying - Enter pass phrase for server.key: 123456 # type the passphrase
$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: 123456             # type the passphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:CN
Locality Name (eg, city) [Default City]:CN
Organization Name (eg, company) [Default Company Ltd]:CN
Organizational Unit Name (eg, section) []:CN
Common Name (eg, your name or your server's hostname) []:www.chenliujin.com
Email Address []:liujin.chen@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ cp server.csr newreq.pem    # the CA -sign step below reads its input from newreq.pem

Sign the server CSR with the CA

The CA script signs whatever is in newreq.pem (which is why the CSR was copied to that name above) and writes the certificate to newcert.pem:

$ /etc/pki/tls/misc/CA -sign
$ cp newcert.pem server.crt

Alternatively, skip the CA and self-sign the server key directly. No trusted issuer vouches for such a certificate, so browsers will warn on it; it is only suitable for testing. The original used a 1024-bit key; 1024-bit RSA is below the current minimum and rejected by browsers, so 2048 is used here:

$ openssl genrsa -out server.key 2048
$ openssl req -new -key server.key -out server.csr
$ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

COMODO Certificate Installation: Nginx

* https - Nginx

https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1365&nav=0,96,1,95

Certificate chain

The root certificate is the one a CA issues to itself; it is the starting point of the trust chain. Installing a root certificate means trusting that CA.

Check which COMODO product signed your certificate (here it is PositiveSSL), download the matching PositiveSSL intermediate and root certificates, and concatenate them with your own certificate. Browsers ship only root certificates, so the server must send the intermediate itself; a bundle without it is exactly what produces the "unknown issuer" error discussed in the Q & A below.

Certificate: www.chenliujin.com.cer

Intermediate certificate: PositiveSSLCA2.crt

Root certificate: AddTrustExternalCARoot.crt

Concatenate them in the order above (server certificate, intermediate, root) into one bundle file, ssl-bundle.crt. Strip any stray whitespace the download may have added, but make sure each file still ends with a newline, otherwise one certificate's END line runs into the next BEGIN line and nginx rejects the bundle. Write with `>` rather than `>>` so that re-running the command does not append a second copy.

$ cat www.chenliujin.com.cer PositiveSSLCA2.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
$ vim www.chenliujin.com.conf
server {
    listen 443 ssl;                                   # "ssl on;" is deprecated; enable TLS on the listen directive instead
    server_name www.chenliujin.com;
    ssl_certificate /etc/ssl/certs/ssl-bundle.crt;    # server certificate first, then the intermediate(s)
    ssl_certificate_key /etc/ssl/private/mysite.key;  # the key the CSR was generated from (domain.key / server.key above)
    # The COMODO template this was taken from allowed "SSLv3 TLSv1" and an RC4-based cipher list
    # (ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM). SSLv3 (POODLE) and RC4 are broken;
    # allow only TLS 1.2 and 1.3 with AEAD, forward-secret suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
}

* COMODO Root & Intermediate(s) lookup

https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1182

* COMODO Root & Intermediate(s) download

https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=1&nav=0

Certificate chain example (l.ygsm.com)

Each certificate's Issuer is the Common name of the next one; the last Issuer, AddTrust External CA Root, is the root the browser already trusts:

Common name: l.ygsm.com
SANs: l.ygsm.com, www.l.ygsm.com
Valid from May 28, 2014 to May 28, 2019
Serial Number: 1df5da786a91fda72040694f67f8a96d
Signature Algorithm: sha256WithRSAEncryption
Issuer: COMODO RSA Domain Validation Secure Server CA

Common name: COMODO RSA Domain Validation Secure Server CA
Organization: COMODO CA Limited
Location: Salford, Greater Manchester, GB
Valid from February 11, 2014 to February 11, 2029
Serial Number: 2b2e6eead975366c148a6edba37c8c07
Signature Algorithm: sha384WithRSAEncryption
Issuer: COMODO RSA Certification Authority

Common name: COMODO RSA Certification Authority
Organization: COMODO CA Limited
Location: Salford, Greater Manchester, GB
Valid from May 30, 2000 to May 30, 2020
Serial Number: 2766ee56eb49f38eabd770a2fc84de22
Signature Algorithm: sha384WithRSAEncryption
Issuer: AddTrust External CA Root
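The chain above has three tiers: the server certificate, the intermediate that signed it, and a root the browser already holds. The script below is an added example and not code from the original post. It builds the same three-tier structure with a private CA (the non-interactive equivalent of the CA -newca, CSR and CA -sign steps earlier on this page, with the subjectAltName that browsers require), writes the bundle in the order nginx expects, and then checks it the way a client would, so that a bundle with the wrong order or without its intermediate fails the way Firefox's sec_error_unknown_issuer does. The host names are the post's; the file layout under $WORK, the extension files, the validity periods and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build root CA -> intermediate CA ->
# server certificate without the interactive prompts, bundle them for nginx, and
# check the bundle the way a browser would. Assumes the openssl CLI is installed.
# Host names are the post's; file names under $WORK are this example's own choice.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Write an X.509v3 extension file: $1 = path, remaining args = one line each.
ext() { f="$1"; shift; printf '%s\n' "$@" > "$f"; }

# Key + CSR with a fixed subject (replaces the interactive `openssl req` prompts).
csr() {   # $1 = file base name, $2 = Common Name
    openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "/C=CN/O=chenliujin.com/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Self-signed root (what `CA -newca` produces). Explicit CA extensions are needed
# so that `openssl verify` accepts it as a trust anchor.
make_root() {
    ext "$WORK/root.ext" 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign'
    csr root 'chenliujin.com Root CA'
    openssl x509 -req -sha256 -days 3650 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
}

# Intermediate CA signed by the root; pathlen:0 stops it from issuing further CAs.
make_intermediate() {
    ext "$WORK/inter.ext" 'basicConstraints=critical,CA:TRUE,pathlen:0' 'keyUsage=critical,keyCertSign,cRLSign'
    csr inter 'chenliujin.com Issuing CA'
    openssl x509 -req -sha256 -days 1825 -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/inter.ext" -out "$WORK/inter.crt" 2>/dev/null
}

# Server certificate signed by the intermediate. Browsers match the host name
# against subjectAltName, not the CN, so the SAN is mandatory.
make_server() {
    ext "$WORK/server.ext" 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:www.chenliujin.com,DNS:chenliujin.com'
    csr server 'www.chenliujin.com'
    openssl x509 -req -sha256 -days 825 -in "$WORK/server.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
        -CAcreateserial -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# The post's `cat leaf intermediate root > ssl-bundle.crt`. A PEM file that does
# not end in a newline would glue its END line to the next BEGIN line, so one is
# appended where missing. (Sending the root is harmless but unnecessary: the
# client must already have it.)
make_bundle() {
    : > "$WORK/ssl-bundle.crt"
    for f in "$@"; do
        cat "$f" >> "$WORK/ssl-bundle.crt"
        [ -z "$(tail -c 1 "$f")" ] || echo >> "$WORK/ssl-bundle.crt"
    done
}

# Client view: trust only the root; the server may send intermediates ($2...).
# With no intermediate this fails the way Firefox's sec_error_unknown_issuer does.
verify_served() {
    leaf="$1"; shift
    if [ $# -gt 0 ]; then
        cat "$@" > "$WORK/untrusted.pem"
        openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/untrusted.pem" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/root.crt" "$leaf" >/dev/null 2>&1
    fi
}

# Check a bundle as nginx uses it: the first certificate is the one presented
# for the host name ($2), and the ones after it are sent as the chain.
bundle_ok() {
    awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$1" > "$WORK/first.pem"
    awk '/-----BEGIN CERTIFICATE-----/{n++} n>1'  "$1" > "$WORK/rest.pem"
    openssl x509 -noout -text -in "$WORK/first.pem" 2>/dev/null | grep -q "DNS:$2" || return 1
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/rest.pem" "$WORK/first.pem" >/dev/null 2>&1
}

make_root
make_intermediate
make_server
make_bundle "$WORK/server.crt" "$WORK/inter.crt" "$WORK/root.crt"
if bundle_ok "$WORK/ssl-bundle.crt" www.chenliujin.com; then
    echo "bundle OK: $WORK/ssl-bundle.crt"
else
    echo "bundle BAD: wrong order or missing intermediate" >&2
fi
```

Run it with `sh chain.sh` (any file name). `bundle_ok` fails both for a bundle that starts with the intermediate instead of the server certificate (nginx would present the wrong certificate for the host) and for a bundle that omits the intermediate (the client cannot reach the root), which are the two mistakes behind the unknown-issuer error; `verify_served` shows the same failure from the client side when only the leaf is sent.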


Q & A

* sec_error_unknown_issuer

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following Comodo's Certificate Installation Instructions for your server platform (use these instructions for InstantSSL). Pay attention to the parts about Intermediate certificates.

References

  • Generate a CSR on a Linux server

    http://hosting.com/support/ssl/generate-a-csr-on-a-linux-server/

  • Check your CSR

    https://ssltools.websecurity.symantec.com/checker/views/csrCheck.jsp

  • Check your certificate installation

    https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp

  • Moving to a 2048-bit Certificate

    http://www.thawte.com/resources/2048-bit-compliance/

  • SSL certificate deployment guide - Nginx

    http://www.willrey.com/support/SSL_Nginx.html

  • Certificate Installation

    https://support.comodo.com/index.php?_m=knowledgebase&_a=view&parentcategoryid=95&pcid=1&nav=0,96,1

  • Firefox and SSL: sec_error_unknown_issuer

    http://stackoverflow.com/questions/275878/firefox-and-ssl-sec-error-unknown-issuer

  • SSL Certificate Tools

    http://www.sslshopper.com/ssl-certificate-tools.html
