環境: Ubuntu 14.04 x64
- 產生key
1 2 3 4 5 6 7 |
root@Wordpress:/tmp# openssl genrsa -des3 -out site.key 2048 Generating RSA private key, 2048 bit long modulus ..........................+++ ....................................+++ e is 65537 (0x10001) Enter pass phrase for site.key: Verifying - Enter pass phrase for site.key: |
2.產生 csr
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
root@Wordpress:/tmp# openssl req -new -key site.key -out site.csr Enter pass phrase for site.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:TW State or Province Name (full name) [Some-State]:Taiwan Locality Name (eg, city) []:Taipei City Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cowman Organizational Unit Name (eg, section) []:IT Common Name (e.g. server FQDN or YOUR name) []:cowman.ip Email Address []:cowman.chiang@gmail.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: |
- cat csr,貼至申請處
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
root@Wordpress:/tmp# cat site.csr -----BEGIN CERTIFICATE REQUEST----- MIIC1DCCAbwCAQAwgY4xCzAJBgNVBAYTAlRXMQ8wDQYDVQQIDAZUYWl3YW4xFDAS BgNVBAcMC1RhaXBlaSBDaXR5MQ8wDQYDVQQKDAZDb3dtYW4xCzAJBgNVBAsMAklU MRIwEAYDVQQDDAljb3dtYW4uaXAxJjAkBgkqhkiG9w0BCQEWF2Nvd21hbi5jaGlh bmdAZ21haWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2oNl FGzEzzpVSvFkwrYegC1VxoznmsPp2UrImb+w2M4ZLLuqdAqjhLs1atnPaQZsQlOF wfbnbGvcdwULuIzU8o1o1v7KS7TmWfi7P3oYG5GBRq/j3QuOQEwQ1s0QFAnulso9 rAHCt4i1rFg8wNF6mEF1Ghd2DzzD8P7Ew+LCYq+C4G8yq44RD+WJ8DccA4OQfzou mcstrRkXWmoYyrICepCE4eqxSdlNH3dyZbSmG4yKC1gQc60/Utm5o8lGynvS0pBh PUx124eMsWz80wZ0xAkE6Ma24XgOHied3XuaiRfBi5/tql+wfEQBrIOZ0DJ1DAhN J723zUMw9amQ8cF4zQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAGeLtDAWlgh6 ag+PP8YqXrxGSAkkyL8EKdrPEntgYEPIkKt9to+h0tKBCZ5kCvG4bL6V5zRhtx4f ViqTzh9itOI3MDfvE5o8vxhed4jzevIifpKDONt0bAOC73STpv9+HCR+CMNX0Erf tmhD+zuLwHcBl5qoZqaPQobPF1VR1U2jsGBZ2HTTamtjGcr0mkso3MO5QxcV8JkP DwAc/PGn06zzKUyPeGPY2PE2xAppcof8B/WOYLvRx202YeoG6Cp1hLT94GoN+ef/ aDwd7WgaFpC1sXTnjoOlzpsxoovHmaJMTskncYkUZIsg4ZvhJnF9trqu9XlUKBh7 vDAfX3ZNzCs= -----END CERTIFICATE REQUEST----- |
-
這裡一樣以namecheap的comodo ssl為例,會收到下面四個檔案
伺服器類型選nginx
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
cowman_ip.crt -
產生 ssl-bundle.crt
1 |
cat cowman_ip.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt AddTrustExternalCARoot.crt >> ssl-bundle.crt |
- 移除需要輸入 phase 的機制
1 2 3 |
root@Wordpress:/tmp# openssl rsa -in site.key -out site-nopass.key Enter pass phrase for site.key: writing RSA key |
- 修改 nginx 設定檔,位置在 /etc/nginx/sites-enabled/default,這裡把設定檔整併在server中
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
root@Wordpress:/tmp# vim /etc/nginx/sites-enabled/default server { #listen 80 default_server; #listen [::]:80 default_server ipv6only=on; listen 80; listen 443 default ssl; ssl_certificate /opt/local/nginx/conf/certs/ssl-bundle.crt; ssl_certificate_key /opt/local/nginx/conf/certs/site_ip.key; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES"; ssl_prefer_server_ciphers on; |
- 重新啟動 nginx
1 |
service nginx restart |