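# Initial issuance of a wildcard certificate from the ACME v2 production endpoint.
# --manual means certbot prompts for the challenge interactively; for a wildcard
# name the DNS-01 challenge (a _acme-challenge TXT record) is what gets verified.
certbot -d "*.xlongwei.com" --server https://acme-v02.api.letsencrypt.org/directory --manual certonly

# Rehearse renewal without touching the live certificate.
# `certbot renew` only supports non-interactive (automated) renewal; a certificate
# obtained with --manual cannot be renewed this way unless an auth hook
# (--manual-auth-hook) automates the DNS step.
certbot renew --cert-name xlongwei.com --dry-run

# Browser-based alternative for a manual ACME flow: https://gethttpsforfree.com/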
1,打开网址:https://t.xlongwei.com/https/,admin@xlongwei.com 2,生成私钥:openssl genrsa 4096 > account.key,如果已有私钥则可跳过 3,打印私钥:openssl rsa -in account.key -pubout,输出内容粘贴到页面 4,生成证书签名请求:openssl genrsa 4096 > domain.key,如果已有则可跳过 5,打印证书签名请求:openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:xlongwei.com,DNS:*.xlongwei.com")) 6,域名验证:nslookup -q=TXT _acme-challenge.xlongwei.com;文件验证:/soft/statics,/soft/share/https 7,依次按步骤执行,最后生成的文本保存为chain.pem(公钥证书复制为xlongwei.pem),domain.key(私钥复制为xlongwei.key) 8,配置nginx: ssl_certificate /soft/cert/xlongwei.pem; ssl_certificate_key /soft/cert/xlongwei.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; 9,http => https,使用root指令返回静态目录 server { server_name wiki.xlongwei.com pdf.xlongwei.com; return 301 https://$host$request_uri; }
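# Generate a 2048-bit RSA private key. The key is written unencrypted, so the
# file should be readable only by its owner (e.g. chmod 600).
openssl genrsa -out yourdomain.key 2048

# Sanity-check a private key file: parses it and verifies the RSA components are consistent.
openssl rsa -in privateKey.key -check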
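# CSR from an existing key; openssl prompts interactively for the subject fields.
openssl req -new -key yourdomain.key -out yourdomain.csr

# Inspect a CSR and verify its self-signature.
openssl req -text -noout -verify -in CSR.csr

# Key generation and CSR in one step. -nodes: the private key is stored unencrypted.
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

# Fully non-interactive: the subject is given on the command line.
# C = country code, ST = state/province, L = city, O = organization,
# OU = organizational unit, CN = domain name; an emailAddress field is optional.
# Note: browsers match the host name against subjectAltName, not CN, so a
# CN-only CSR like this is usually not enough on its own — see the
# "-reqexts SAN" example earlier in this file for adding subjectAltName.
openssl req -new \
  -newkey rsa:2048 -nodes -keyout yourdomain.key \
  -out yourdomain.csr \
  -subj "/C=US/ST=Florida/L=Saint Petersburg/O=Your Company, Inc./OU=IT/CN=yourdomain.com"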
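# Self-signed certificate (SHA-256, 365 days) together with a fresh, unencrypted 2048-bit key.
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

# Inspect a certificate (.crt).
openssl x509 -in certificate.crt -text -noout

# Turn an existing certificate back into a CSR, signed with its private key.
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key

# Remove the passphrase from an encrypted private key. The output file is
# plaintext key material: restrict its permissions and do not leave it in shared locations.
openssl rsa -in privateKey.pem -out newPrivateKey.pem

# Print the certificate (chain) presented by a remote server. Interactive: s_client
# keeps the connection open and reads stdin; press Ctrl-D or redirect `</dev/null` to exit.
openssl s_client -connect www.paypal.com:443

# Modulus fingerprints. md5 here is only used to shorten the modulus for visual
# comparison, not as a security primitive: if all three hashes match, the CSR,
# certificate and private key belong together.
openssl req -noout -modulus -in CSR.csr | openssl md5
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5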
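# PEM certificate -> DER
openssl x509 -outform der -in certificate.pem -out certificate.der

# DER certificate -> PEM certificate
openssl x509 -inform DER -in yourdomain.der -outform PEM -out yourdomain.crt

# DER private key -> PEM private key
openssl rsa -inform DER -in yourdomain_key.der -outform PEM -out yourdomain.key

# Inspect a PKCS#12 bundle (.p12 / .pfx); prompts for the bundle password.
openssl pkcs12 -info -in keyStore.p12

# PEM key + certificate + CA chain -> PKCS#12 (.pfx); prompts for an export password.
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

# PKCS#12 -> PEM. Without -nokeys this writes the private key into certificate.cer
# as well, and -nodes leaves that key unencrypted; add -nokeys if only the
# certificate(s) are wanted.
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

# PKCS#12 -> PEM private key only (-nocerts). -nodes: key written unencrypted, protect the file.
openssl pkcs12 -in yourdomain.pfx -nocerts -out yourdomain.key -nodes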
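# When the upstream (which speaks plain HTTP) answers with a redirect, rewrite the
# Location header from http:// to https:// so clients are not sent back to plain HTTP.
# Do not use "proxy_redirect off;" here — that would pass the http:// Location through unchanged.
proxy_redirect http:// https://;

# Tell the upstream that the original client connection was HTTPS.
# Upstreams should only trust this header (and the ones below) when the request
# comes from this proxy, since a client reaching the upstream directly could set it.
proxy_set_header X-Forwarded-Proto https;

# Forward the client's address to the upstream.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;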