
2 posts tagged with "SSL"


OpenSSL Self-Signed Certificates

· 2 min read

Step 1: Create a private key

openssl genrsa -out server.key 2048

Step 2: Create the certificate configuration file

Create a configuration file named cert.conf:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = CN
ST = Beijing
L = Beijing
O = Example Company
OU = IT Department
CN = localhost

[v3_req]
# digitalSignature is needed because ECDHE cipher suites and TLS 1.3 sign the handshake with this key
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = *.localhost
IP.1 = 127.0.0.1
IP.2 = ::1

Step 3: Generate a certificate signing request (CSR)

openssl req -new -key server.key -out server.csr -config cert.conf

Step 4: Generate the self-signed certificate

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt -extensions v3_req -extfile cert.conf

Step 5: Verify the certificate

# Show the certificate details (check the SAN entries and validity period)
openssl x509 -in server.crt -text -noout

# Check that the certificate and the private key match (RSA keys only: the two hashes must be identical)
openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
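The check above only works for RSA keys and says nothing about the SAN or the expiry date. The script below is an added example, not part of the original post: it repeats steps 1, 3 and 4 with a trimmed copy of cert.conf in a temporary directory and then verifies the result by comparing public keys (which also works for EC keys), looking for the expected SAN entries and checking how long the certificate stays valid. It assumes the openssl CLI is on PATH.

```shell
#!/bin/sh
# Added example, not from the post: build a self-signed cert the way the post
# does, then verify it with checks that also work for EC keys. Assumes the
# openssl CLI is on PATH; everything is written to a temporary directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A trimmed copy of the post's cert.conf; digitalSignature is added to keyUsage
# because ECDHE cipher suites and TLS 1.3 sign the handshake with this key.
cat > "$WORK/cert.conf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = localhost
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF

# Steps 1, 3 and 4 of the post: key, CSR, self-signed cert with v3_req.
make_self_signed() {  # $1 = key file, $2 = cert file, $3 = openssl config
  openssl genrsa -out "$1" 2048 2>/dev/null
  openssl req -new -key "$1" -out "$WORK/server.csr" -config "$3"
  openssl x509 -req -days 365 -in "$WORK/server.csr" -signkey "$1" \
    -out "$2" -extensions v3_req -extfile "$3" 2>/dev/null
}

# Compare the SubjectPublicKeyInfo from the cert and from the key. Unlike the
# RSA-only "-modulus | md5" trick, this works for EC and Ed25519 keys too.
key_matches_cert() {  # $1 = cert, $2 = key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Is the name in the subjectAltName? Browsers ignore CN, so SAN must list it.
san_has() {  # $1 = cert, $2 = entry as printed by -text, e.g. DNS:localhost
  openssl x509 -in "$1" -noout -text | grep -qF "$2"
}

# Exit 0 if the cert is still valid $2 days from now, 1 if it expires sooner.
valid_for_days() {  # $1 = cert, $2 = days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

make_self_signed "$WORK/server.key" "$WORK/server.crt" "$WORK/cert.conf"
```

Running `key_matches_cert "$WORK/server.crt" "$WORK/server.key" && san_has "$WORK/server.crt" DNS:localhost && valid_for_days "$WORK/server.crt" 30` after the script succeeds for a freshly generated certificate.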

Step 6: Configure the application

Place the generated server.crt and server.key files in an appropriate directory and configure your application to use them:

# Create the certificate directories
sudo mkdir -p /etc/ssl/certs
sudo mkdir -p /etc/ssl/private

# Copy the certificate files
sudo cp server.crt /etc/ssl/certs/
sudo cp server.key /etc/ssl/private/

# Set permissions (the private key must not be world-readable)
sudo chmod 644 /etc/ssl/certs/server.crt
sudo chmod 600 /etc/ssl/private/server.key

Using it in Nginx:

server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;

    # other settings...
}

Using it in Apache:

<VirtualHost *:443>
    ServerName localhost
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    # other settings...
</VirtualHost>

Notes:

  1. Self-signed certificates are only suitable for test environments or internal networks.
  2. Browsers will show a warning that the certificate is not trusted.
  3. For production, use a certificate issued by a publicly trusted CA.
  4. The warning can be removed by importing the root certificate into the trusted certificate store on the client systems.

Requesting a Free Certificate from Let's Encrypt

· 2 min read

Requesting a certificate with Let's Encrypt

CentOS 7.9

Install Let's Encrypt (certbot)

yum install epel-release -y
yum install certbot python2-certbot-apache -y
certbot --version

Configure Nginx to serve ACME challenge requests

# Let Nginx look for the ACME challenge token files under /var/www/letsencrypt.
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /var/www/letsencrypt;
}

# Create the directory /var/www/letsencrypt/.well-known/acme-challenge/:
mkdir -p /var/www/letsencrypt/.well-known/acme-challenge/

# Give Nginx read access (www-data is the Debian/Ubuntu account; the CentOS
# nginx package runs as the nginx user, so use nginx:nginx there)
chown -R www-data:www-data /var/www/letsencrypt

# Reload Nginx to apply the change
nginx -t               # check that the configuration is valid
systemctl reload nginx # reload the configuration

Run certbot to obtain the certificate

certbot certonly --webroot -w /var/www/letsencrypt -d test.xxxxxx.com

Certificate location

/etc/letsencrypt/live/test.sreproxy.com/fullchain.pem
/etc/letsencrypt/live/test.sreproxy.com/privkey.pem

Automatic certificate renewal

crontab -e
# Check twice a day (midnight and noon) whether renewal is due
0 0,12 * * * certbot renew --quiet

# On the 1st of every month, force-renew all installed Let's Encrypt certificates and reload Nginx afterwards
0 0 1 * * /usr/bin/certbot renew --force-renewal --deploy-hook "systemctl reload nginx"

Converting the PEM certificate (only if needed)

Output of the certbot command above:

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/test.sreproxy.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/test.sreproxy.com/privkey.pem
    Your certificate will expire on 2023-08-14. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again.
    To non-interactively renew all of your certificates, run "certbot renew"

# Create a directory to hold the .crt and .key files
mkdir /etc/letsencrypt/live/test.sreproxy.com/crt_and_key

# "Convert" fullchain.pem to .crt. PEM is already the format the .crt file needs, so a copy is enough.
# Do not use "openssl x509 -in fullchain.pem -out certificate.crt" here: openssl x509 reads only the
# first certificate in a PEM bundle, so the intermediate CA certificates in fullchain.pem would be
# silently dropped and clients could no longer build the chain.
cp /etc/letsencrypt/live/test.sreproxy.com/fullchain.pem /etc/letsencrypt/live/test.sreproxy.com/crt_and_key/certificate.crt

# "Convert" privkey.pem to .key (no conversion is actually needed, since .pem and .key are the same format; it is copied and renamed for consistency)
cp /etc/letsencrypt/live/test.sreproxy.com/privkey.pem /etc/letsencrypt/live/test.sreproxy.com/crt_and_key/private.key

ls -lh /etc/letsencrypt/live/test.sreproxy.com/crt_and_key