linux:openssl
certbot -d "*.xlongwei.com" --server https://acme-v02.api.letsencrypt.org/directory --manual certonly
certbot renew --cert-name xlongwei.com --dry-run  # renew only supports the automated (non-interactive) renewal path; the interactive --manual flow is not supported
https://gethttpsforfree.com/
  • Requesting a certificate
1. Open the page: https://t.xlongwei.com/https/ (account: admin@xlongwei.com)
2. Generate the account private key: openssl genrsa 4096 > account.key (skip this if you already have one)
3. Print the account public key: openssl rsa -in account.key -pubout, and paste the output into the page
4. Generate the domain private key for the CSR: openssl genrsa 4096 > domain.key, if you already have one
5. Print the certificate signing request: openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:xlongwei.com,DNS:*.xlongwei.com"))
6. Domain validation via DNS: nslookup -q=TXT _acme-challenge.xlongwei.com; file validation directories: /soft/statics,/soft/share/https
7. Work through the steps in order; save the final generated text as chain.pem (copy the public certificate to xlongwei.pem) and domain.key (copy the private key to xlongwei.key)
8. Configure nginx:
ssl_certificate /soft/cert/xlongwei.pem;
ssl_certificate_key /soft/cert/xlongwei.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout  5m;
9. Redirect http => https; use the root directive to serve a static directory
server {
      server_name wiki.xlongwei.com pdf.xlongwei.com;
      return 301 https://$host$request_uri;
}
  • Generate a private key and check it
openssl genrsa -out yourdomain.key 2048
openssl rsa -in privateKey.key -check
  • Generate a CSR and check it
openssl req -new -key yourdomain.key -out yourdomain.csr   # prompts for the subject fields
openssl req -text -noout -verify -in CSR.csr    # inspect and verify the CSR
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key  # key and CSR in one step
# one step with the subject given on the command line: C=country code, ST=state/province, L=city, O=organization name, OU=unit, CN=domain name, Email optional
openssl req -new \
-newkey rsa:2048 -nodes -keyout yourdomain.key \
-out yourdomain.csr \
-subj "/C=US/ST=Florida/L=Saint Petersburg/O=Your Company, Inc./OU=IT/CN=yourdomain.com"
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
openssl x509 -in certificate.crt -text -noout # inspect the certificate (crt)
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key # derive a CSR from an existing certificate
openssl rsa -in privateKey.pem -out newPrivateKey.pem # remove the passphrase from the key
openssl s_client -connect www.paypal.com:443  # show the certificate a server presents
openssl req -noout -modulus -in CSR.csr | openssl md5  # print the MD5 of the modulus; the CSR, certificate and key belong together only if all three values match
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl x509 -outform der -in certificate.pem -out certificate.der  # pem => der
openssl x509 -inform DER -in yourdomain.der -outform PEM -out yourdomain.crt # der crt => pem crt
openssl rsa -inform DER -in yourdomain_key.der -outform PEM -out yourdomain.key # der key => pem key
openssl pkcs12 -info -in keyStore.p12 # inspect a .pfx/.p12 file
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt # pem => pfx
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes # pfx => pem crt
openssl pkcs12 -in yourdomain.pfx -nocerts -out yourdomain.key -nodes # pfx => pem key
  • Reverse proxying to an http backend
proxy_redirect http:// https://; # when the backend issues an http redirect, rewrite the Location header to https; do not write proxy_redirect off;
proxy_set_header X-Forwarded-Proto https; # tells the backend the original scheme was https
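As an added example that is not part of the wiki page, the script below wraps the three modulus-MD5 commands above into a single check that a private key, its CSR and the certificate belong together, and shows that an unrelated key is rejected. It assumes the openssl CLI is on PATH and uses constructed keys under the hypothetical name example.test, created in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the wiki page: check that a private key, its CSR
# and the certificate share one RSA modulus, i.e. what the three
# "openssl ... -noout -modulus | openssl md5" lines above are for.
# Assumes the openssl CLI is on PATH; all files are constructed in a temp dir.

# $1 = openssl subcommand (rsa | req | x509), $2 = input file
modulus_md5() {
    openssl "$1" -noout -modulus -in "$2" | openssl md5 | awk '{print $NF}'
}

# Returns 0 when key, CSR and certificate all carry the same modulus.
key_csr_cert_match() {
    k=$(modulus_md5 rsa "$1") || return 1
    r=$(modulus_md5 req "$2") || return 1
    c=$(modulus_md5 x509 "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Constructed material: key, SAN CSR and self-signed cert (as in steps 4-5),
# plus an unrelated key to show that a mismatch is detected. Prints the dir.
make_demo_material() {
    d=$(mktemp -d)
    cat > "$d/san.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = SAN
[dn]
[SAN]
subjectAltName = DNS:example.test,DNS:*.example.test
EOF
    openssl genrsa -out "$d/domain.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$d/domain.key" -subj "/CN=example.test" \
        -reqexts SAN -config "$d/san.cnf" -out "$d/domain.csr"
    openssl x509 -req -days 30 -in "$d/domain.csr" -signkey "$d/domain.key" \
        -extfile "$d/san.cnf" -extensions SAN -out "$d/domain.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    echo "$d"
}

dir=$(make_demo_material)
key_csr_cert_match "$dir/domain.key" "$dir/domain.csr" "$dir/domain.crt" \
    && echo "domain.key / domain.csr / domain.crt: match"
key_csr_cert_match "$dir/other.key" "$dir/domain.csr" "$dir/domain.crt" \
    || echo "other.key vs domain.crt: mismatch detected"
rm -rf "$dir"
```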
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
linux/openssl.txt · Last modified: 2020/02/13 18:40 by admin