Configuring HTTPS
Source: Internet  Editor: 程序博客网  Date: 2024/04/29 13:46
Install openssl
$ yum install openssl
Create the certificate
$ cd /etc/pki/CA
$ /etc/pki/tls/misc/CA -newca
Enter PEM pass phrase: 123456
Verifying - Enter PEM pass phrase: 123456
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:CN
Locality Name (eg, city) [Default City]:CN
Organization Name (eg, company) [Default Company Ltd]:CN
Organizational Unit Name (eg, section) []:CN
Common Name (eg, your name or your server's hostname) []:chenliujin.com
Email Address []:liujin.chen@qq.com
Generate a CSR (Certificate Signing Request)
Method 1: RSA (unencrypted private key, -nodes)
$ openssl req -nodes -newkey rsa:2048 -keyout domain.key -out domain.csr
Generating a 2048 bit RSA private key
....................+++
...................................................................................+++
writing new private key to 'domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:CN
Locality Name (eg, city) [Default City]:CN
Organization Name (eg, company) [Default Company Ltd]:CN
Organizational Unit Name (eg, section) []:CN
Common Name (eg, your name or your server's hostname) []:www.chenliujin.com
Email Address []:liujin.chen@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Method 2: DES (private key encrypted with a passphrase, -des3)
$ openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
........+++
..............................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:123456 # enter the passphrase
Verifying - Enter pass phrase for server.key:123456 # enter the passphrase
$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:123456 # enter the passphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:CN
Locality Name (eg, city) [Default City]:CN
Organization Name (eg, company) [Default Company Ltd]:CN
Organizational Unit Name (eg, section) []:CN
Common Name (eg, your name or your server's hostname) []:www.chenliujin.com
Email Address []:liujin.chen@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ cp server.csr newreq.pem
Sign the generated server certificate
$ /etc/pki/tls/misc/CA -sign
$ cp newcert.pem server.crt
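# Alternative without a CA: self-signed certificate (2048-bit key, as in the methods above)
$ openssl genrsa -out server.key 2048
$ openssl req -new -key server.key -out server.csr
$ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt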
COMODO Certificate Installation: Nginx
* https - Nginx
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1365&nav=0,96,1,95
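Certificate chain
A root certificate is a certificate that a CA issues to itself; it is the starting point of the chain of trust. Installing a root certificate means trusting that CA.
Check which COMODO product level signed your certificate (here it is PositiveSSL), download the corresponding PositiveSSL intermediate certificate and root certificate, and merge them into your certificate file.
Certificate: www.chenliujin.com.cer
Intermediate certificate: PositiveSSLCA2.crt
Root certificate: AddTrustExternalCARoot.crt
Merge them in the order above into www.chenliujin.cer, taking care to remove any extra whitespace.
$ cat www.chenliujin.com.cer PositiveSSLCA2.crt AddTrustExternalCARoot.crt > ssl-bundle.crt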
$ vim www.chengliujin.com.conf
server {
    listen 443;
    server_name www.chenliujin.com;
    ssl on;
    ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
    ssl_certificate_key /etc/ssl/private/mysite.key;
    # enables SSLv3/TLSv1, but not SSLv2 which is weak and should no longer be used.
    ssl_protocols SSLv3 TLSv1;
    # Disables all weak ciphers
    ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
}
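SSLv3 (RFC 7568), RC4 (RFC 7465) and TLS 1.0/1.1 (RFC 8996) have all been deprecated since this server block was written. The script below is an added example, not part of the original post: it audits the ssl_protocols and ssl_ciphers directives of a config file and compares the block above with a stricter one. The rule set, the file names and the stricter block are assumptions.

```sh
#!/bin/sh
# Added example: flag ssl_protocols / ssl_ciphers values now considered weak.
# The rule set and both sample files are assumptions of this sketch.

# directive_value NAME FILE: print the arguments of an nginx directive.
directive_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\(.*\);.*/\1/p" "$2"
}

# audit_tls_conf FILE: one finding per line; exit status 1 if anything is found.
audit_tls_conf() {
    rc=0
    for tok in $(directive_value ssl_protocols "$1"); do
        case $tok in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "weak protocol: $tok"; rc=1 ;;
        esac
    done
    # Cipher strings are ':'-separated; '!' entries remove ciphers, so skip them.
    for tok in $(directive_value ssl_ciphers "$1" | tr ':' ' '); do
        case $tok in
            '!'*) ;;
            ALL|*RC4*|*MEDIUM*) echo "weak cipher spec: $tok"; rc=1 ;;
        esac
    done
    return $rc
}

workdir=$(mktemp -d)
# Constructed sample 1: the TLS directives from the server block above.
cat > "$workdir/page.conf" <<'EOF'
server {
    listen 443;
    ssl on;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
}
EOF
# Constructed sample 2: a stricter server block (an assumption, not the page's).
cat > "$workdir/strict.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
EOF
for f in page strict; do
    echo "== $f.conf"
    audit_tls_conf "$workdir/$f.conf" || true
done
```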
* COMODO Root & Intermediate(s) lookup
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1182
* COMODO Root & Intermediate(s) download
https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=1&nav=0
Certificate chain
Common name: l.ygsm.com
SANs: l.ygsm.com, www.l.ygsm.com
Valid from May 28, 2014 to May 28, 2019
Serial Number: 1df5da786a91fda72040694f67f8a96d
Signature Algorithm: sha256WithRSAEncryption
Issuer: COMODO RSA Domain Validation Secure Server CA

Common name: COMODO RSA Domain Validation Secure Server CA
Organization: COMODO CA Limited
Location: Salford, Greater Manchester, GB
Valid from February 11, 2014 to February 11, 2029
Serial Number: 2b2e6eead975366c148a6edba37c8c07
Signature Algorithm: sha384WithRSAEncryption
Issuer: COMODO RSA Certification Authority

Common name: COMODO RSA Certification Authority
Organization: COMODO CA Limited
Location: Salford, Greater Manchester, GB
Valid from May 30, 2000 to May 30, 2020
Serial Number: 2766ee56eb49f38eabd770a2fc84de22
Signature Algorithm: sha384WithRSAEncryption
Issuer: AddTrust External CA Root
Q & A
* sec_error_unknown_issuer
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following Comodo's Certificate Installation Instructions for your server platform (use these instructions for InstantSSL). Pay attention to the parts about Intermediate certificates.
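The unknown-issuer condition can be reproduced offline with a constructed chain. In this added example (not from the original post; the CA names, www.example.test and the temporary paths are made up), a client that trusts only the root accepts the leaf when the bundle supplies the intermediate and rejects it otherwise.

```sh
#!/bin/sh
# Added example: constructed root -> intermediate -> leaf PKI in a temp dir.
# Every name and path here is made up for the demonstration.
d=$(mktemp -d)
printf '[req]\ndistinguished_name=req\n' > "$d/req.cnf"    # minimal req config
printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext" # marks a CA cert

# new_csr NAME CN: 2048-bit key plus CSR (non-interactive form of method 1).
new_csr() {
    openssl req -config "$d/req.cnf" -nodes -newkey rsa:2048 -subj "/CN=$2" \
        -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
}
new_csr root  "Constructed Root CA"
new_csr inter "Constructed Intermediate CA"
new_csr leaf  "www.example.test"

# Root signs itself, root signs the intermediate, intermediate signs the leaf.
openssl x509 -req -days 30 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
openssl x509 -req -days 30 -in "$d/inter.csr" -CA "$d/root.crt" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" \
    -out "$d/inter.crt" 2>/dev/null
openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/inter.crt" \
    -CAkey "$d/inter.key" -CAcreateserial -out "$d/leaf.crt" 2>/dev/null

# Bundle in the order used above: server certificate, intermediate, root.
cat "$d/leaf.crt" "$d/inter.crt" "$d/root.crt" > "$d/ssl-bundle.crt"

# client_trusts CERT [CHAIN]: a client that trusts only the root; CHAIN is
# what the server sends along, treated as untrusted helper certificates.
client_trusts() {
    openssl verify -CAfile "$d/root.crt" ${2:+-untrusted "$2"} "$1" 2>/dev/null |
        grep -q ': OK$'
}
# first_subject FILE: openssl x509 reads only the first certificate in a PEM
# file, the position where nginx expects the server certificate.
first_subject() { openssl x509 -in "$1" -noout -subject; }

client_trusts "$d/leaf.crt" "$d/ssl-bundle.crt" && echo "bundle sent: trusted"
client_trusts "$d/leaf.crt" || echo "no intermediate sent: unknown issuer"
first_subject "$d/ssl-bundle.crt"
```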
References
Generate a CSR on a Linux server
http://hosting.com/support/ssl/generate-a-csr-on-a-linux-server/
Check your CSR
https://ssltools.websecurity.symantec.com/checker/views/csrCheck.jsp
Check your certificate installation
https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp
Moving to a 2048-bit Certificate
http://www.thawte.com/resources/2048-bit-compliance/
SSL Certificate Deployment Guide - Nginx
http://www.willrey.com/support/SSL_Nginx.html
Certificate Installation
https://support.comodo.com/index.php?_m=knowledgebase&_a=view&parentcategoryid=95&pcid=1&nav=0,96,1
Firefox and SSL: sec_error_unknown_issuer
http://stackoverflow.com/questions/275878/firefox-and-ssl-sec-error-unknown-issuer
SSL Certificate Tools
http://www.sslshopper.com/ssl-certificate-tools.html