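Today I spent some time researching SSL and found that many of the free options are not very reliable, and the paid ones come in all shapes and sizes. In the end I went with a big brand, GoDaddy. First, a brief introduction to SSL/HTTPS certificates. There are three main types:
- DV: mainly validates the domain name; the cheapest and most practical
- OV: validates the organization; not sure what it's for
- EV: validates the company and also shows the company name in the address bar, which looks very cool, but it is extremely expensive; generally used for sites that take payments
I got a UCC and later found that it differs from a normal certificate: it has one primary domain and several aliases. You only need to generate it once, though, and it is used the same way. Only the way the request is generated is a little different. I searched online for a long time without finding it, then worked it out myself, so I'm posting it here for everyone.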
- Go to a directory, for example /etc/nginx/ssl
- Generate a key: openssl genrsa -out nginx.key 2048
- Create a configuration file (san.cfg, the name used in the next step):

[ req ]
default_bits = 2048
default_keyfile = nginx.key
distinguished_name = req_distinguished_name
# Add the extensions from [ req_ext ] to the request
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Virginia
localityName = Locality Name (eg, city)
localityName_default = Alexandria
organizationName = Organization Name (eg, company)
organizationName_default = Jingenius, LLC
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Jingenius, LLC
# Primary domain of the certificate
commonName = Common Name (eg, YOUR name)
commonName_default = jing.do
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = pjsky@foxmail.com

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
# Alias names covered by the certificate
DNS.1 = blog.jing.do
DNS.2 = xxx.com
DNS.3 = ss.com

- Generate the CSR: openssl req -new -key nginx.key -out nginx.csr -config san.cfg
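Before the CSR goes to the CA, it is worth confirming that every alias really ended up in the subjectAltName extension, since a typo in the section names silently produces a request without them. The script below is an added example, not part of the original post; the example.com names, the helper function names and the temporary directory are constructed for illustration.

```shell
#!/bin/sh
# csr_sans FILE: print each DNS name found in the CSR, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# check_csr FILE NAME...: succeed only if every NAME is listed in the CSR.
check_csr() {
    csr=$1; shift
    sans=$(csr_sans "$csr")
    missing=0
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxF "$name" ||
            { echo "missing SAN: $name" >&2; missing=1; }
    done
    return "$missing"
}

# make_demo_csr DIR: build a constructed key, config and CSR in DIR.
# "prompt = no" makes the request non-interactive (an assumption of this
# example; the config in the post prompts with defaults instead).
make_demo_csr() {
    # umask keeps the private key readable by its owner only
    ( umask 077; openssl genrsa -out "$1/nginx.key" 2048 2>/dev/null ) || return 1
    cat > "$1/san.cfg" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = blog.example.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = blog.example.com
DNS.2 = www.example.com
EOF
    openssl req -new -key "$1/nginx.key" -out "$1/nginx.csr" -config "$1/san.cfg"
}

# Demo run on constructed data
tmp=$(mktemp -d)
make_demo_csr "$tmp" &&
    check_csr "$tmp/nginx.csr" blog.example.com www.example.com &&
    echo "CSR carries all expected names"
rm -rf "$tmp"
```

For a real request, run check_csr against nginx.csr with the names from [alt_names] in san.cfg.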
———————————While I'm at it, here is how to do a normal certificate—————————————-
sudo mkdir /etc/nginx/ssl
cd /etc/nginx/ssl
# Generate the private key
sudo openssl genrsa -des3 -out server.key 2048
This asks you to enter a passphrase. Pick one that is easy to remember; you will need to enter it in the next step.
# Generate the CSR
sudo openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [AU]:US # country code
State or Province Name (full name) [Some-State]:New York # state or province
Locality Name (eg, city) []:NYC # city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Awesome Inc # company name
Organizational Unit Name (eg, section) []: # department name
Common Name (e.g. server FQDN or YOUR name) []: www.example.com
Email Address []: admin@example.com # administrator email
————————Nginx———————–
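server {
    # "ssl" on the listen line enables TLS for this listener
    # (the separate "ssl on;" directive is deprecated)
    listen 443 ssl;
    server_name example.com;
    root /usr/share/nginx/www;
    index index.html index.htm;
    # Certificate issued by the CA and the matching private key
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
}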
If you want to redirect HTTP requests to HTTPS:
server {
    listen 80;
    server_name example.me;
    rewrite ^ https://$server_name$request_uri? permanent;
}
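Original articles on this site are licensed under "Attribution-NonCommercial-ShareAlike 3.0 (CC BY-NC-SA 3.0)". Please keep the following attribution when reposting: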