Two ways to generate a self-signed certificate

Contents
1. Generate with a project from GitHub (the simpler way)
   1.1 Download the project and set the validity period
   1.2 Generate the certificate
   1.3 Copy the needed certificate files to another directory for central management
2. Let's Encrypt
   2.1 Let's Encrypt rate limits
   2.2 Configure yum
   2.3 Install certbot
   2.4 Create the certificate interactively
   2.5 Configure nginx to use the generated certificate
   2.6 Test that HTTPS works
   2.7 Set up a scheduled task for automatic renewal (so the certificate does not expire)

Sometimes we need a self-signed SSL certificate; this post records two ways of generating one.
1. Generate with a project from GitHub (the simpler way)
This method does not require the domain to be resolvable on the public Internet (the project is really just a wrapper around the openssl commands: an automated openssl certificate generator).
1.1 Download the project and set the validity period
[root@test nginx]# git clone https://github.com/Fishdrowned/ssl.git
[root@test nginx]# cd ssl # enter the cloned directory
# Set the validity period of the server certificate (optional)
[root@test ssl]# cat ca.cnf | grep days # ca.cnf holds some default settings
default_days = 3650 # validity period of the certificate (the default is 730 days, i.e. two years); I changed it to ten years
# Set the validity period of the root certificate (optional)
[root@test ssl]# cat gen.root.sh | grep days # it is set in this file
-new -x509 -days 7300 -out out/root.crt # default is 7300 days (twenty years)
1.2 Generate the certificate
[root@test ssl]# ./gen.cert.sh www.ljz.com # just run this script; www.ljz.com is your domain
After the script runs, the output looks roughly like the following (all certificate-related files are saved under the out directory of the current directory):
1.3 Copy the needed certificate files to another directory for central management
[root@test ssl]# mkdir -pv /data/ssl/www.ljz.com # this directory holds the certificate files
# *.key.pem is the certificate's private key
[root@test ssl]# cp out/www.ljz.com/www.ljz.com.key.pem /data/ssl/www.ljz.com/
# *.bundle.crt is the certificate
[root@test ssl]# cp out/www.ljz.com/www.ljz.com.bundle.crt /data/ssl/www.ljz.com/
# root.crt is the root certificate (meant for clients: import it into the browser so that the certificate is trusted)
[root@test ssl]# cp out/www.ljz.com/root.crt /data/ssl/www.ljz.com/
[root@test ssl]# ./flush.sh # once the certificate files have been copied away, this script clears all history (optional)
At this point you only need to point your website at the certificate and its private key, and it can be accessed over https. (If root.crt is not imported into the client's browser, the browser will warn that the https connection is not secure.)
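Since the project above is only a wrapper around openssl, here is an added example (not code from the Fishdrowned/ssl project) that does the same two steps by hand: a self-signed root CA, then a server certificate signed by it and bundled with the CA, plus a check that the result actually verifies. The CA name "Test Root CA" and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Fishdrowned/ssl project: the openssl steps
# that its gen.root.sh / gen.cert.sh wrap, written out by hand. The CA name
# "Test Root CA" and the output file names are assumptions.
set -eu

# make_self_signed OUT_DIR FQDN CA_DAYS LEAF_DAYS
# Produces OUT_DIR/root.crt (self-signed CA, cf. gen.root.sh -days 7300) and
# OUT_DIR/FQDN.key.pem + OUT_DIR/FQDN.bundle.crt (leaf signed by that CA,
# followed by the CA cert, cf. ca.cnf default_days and the project's *.bundle.crt).
make_self_signed() {
    out=$1; fqdn=$2; ca_days=$3; leaf_days=$4
    mkdir -p "$out"
    # Own config so the result does not depend on the system openssl.cnf.
    cat > "$out/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Test Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # 1. Root CA key + self-signed CA certificate
    openssl req -x509 -config "$out/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days "$ca_days" -keyout "$out/root.key" -out "$out/root.crt" 2>/dev/null
    # 2. Leaf key + CSR; -subj overrides the [dn] section of the config
    openssl req -new -config "$out/ca.cnf" -subj "/CN=$fqdn" -newkey rsa:2048 -nodes \
        -sha256 -keyout "$out/$fqdn.key.pem" -out "$out/$fqdn.csr" 2>/dev/null
    # 3. Leaf extensions: browsers match the host name against subjectAltName, not CN
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$fqdn" > "$out/$fqdn.ext"
    # 4. Sign the CSR with the root CA
    openssl x509 -req -in "$out/$fqdn.csr" -CA "$out/root.crt" -CAkey "$out/root.key" \
        -CAcreateserial -days "$leaf_days" -sha256 -extfile "$out/$fqdn.ext" \
        -out "$out/$fqdn.crt" 2>/dev/null
    # 5. Bundle = leaf first, then the issuer (the order nginx's ssl_certificate expects)
    cat "$out/$fqdn.crt" "$out/root.crt" > "$out/$fqdn.bundle.crt"
}

# verify_bundle OUT_DIR FQDN: 0 if the leaf chains to root.crt and carries FQDN as a SAN.
verify_bundle() {
    openssl verify -CAfile "$1/root.crt" "$1/$2.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/$2.crt" -noout -text | grep -q "DNS:$2"
}
```

Only root.crt needs to be imported into the client's trust store; root.key should stay offline once the server certificate has been signed.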
2. Let's Encrypt
Note: this method requires that your domain is resolvable on the public Internet.
Let's Encrypt is a free project that issues https certificates automatically.
Certbot is the certificate client officially recommended by Let's Encrypt.
Note: the installation steps differ by operating system and by the web server the certificate is for. Here the certificate is used by nginx on CentOS 7; if your setup differs, look up the installation procedure on the official site.
2.1 Let's Encrypt rate limits
- Second-level domains under the same top-level domain: at most 20 per week
- One domain: at most 5 requests per week
- At most 5 failures per hour
- Request rate must stay below 20 requests/s
- One IP: at most 10 accounts within 3 hours
- One account: at most 300 pending authorizations at the same time
2.2 Configure yum
[root@nginx ~]# yum -y install epel-release
[root@nginx ~]# yum -y install yum-utils
[root@nginx ~]# yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
2.3 Install certbot
[root@nginx ~]# yum -y install certbot python2-certbot-nginx
[root@nginx ~]# certbot --version # 確定已安裝
certbot 1.3.0
2.4 Create the certificate interactively
[root@nginx ~]# certbot certonly # enter interactive mode
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Nginx Web Server plugin (nginx) # this method modifies the nginx config file
2: Spin up a temporary webserver (standalone) # this method requires stopping the service
3: Place files in webroot directory (webroot) # choose this if the certificate must be created without interrupting the running server
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
# 在這里我們輸入1,選擇為nginx插件
Plugins selected: Authenticator nginx, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxxxxxxxx@qq.com # enter your email address here (asked only on first use)
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a # enter "a" to agree (asked only on first use)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y # enter "y" to confirm
Starting new HTTPS connection (1): supporters.eff.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): www.lvjianzhao.top # enter your domain name here
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.lvjianzhao.top
nginx: [error] invalid PID number "" in "/run/nginx.pid"
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.lvjianzhao.top/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.lvjianzhao.top/privkey.pem
Your cert will expire on 2020-07-18. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
- We were unable to subscribe you the EFF mailing list because your
e-mail address appears to be invalid. You can try again later by
visiting https://act.eff.org.
# If your DNS resolves correctly, the certificate has now been issued successfully.
2.5 Configure nginx to use the generated certificate
[root@nginx ~]# cd /etc/letsencrypt/live/www.lvjianzhao.top/ # enter the directory where the certificates are stored
[root@nginx www.lvjianzhao.top]# ll
total 4
# the next two files can be ignored
lrwxrwxrwx 1 root root 42 Apr 19 21:20 cert.pem -> ../../archive/www.lvjianzhao.top/cert1.pem
lrwxrwxrwx 1 root root 43 Apr 19 21:20 chain.pem -> ../../archive/www.lvjianzhao.top/chain1.pem
# this is the certificate (full chain)
lrwxrwxrwx 1 root root 47 Apr 19 21:20 fullchain.pem -> ../../archive/www.lvjianzhao.top/fullchain1.pem
# this is the certificate's private key
lrwxrwxrwx 1 root root 45 Apr 19 21:20 privkey.pem -> ../../archive/www.lvjianzhao.top/privkey1.pem
# this README explains what the files above are for
-rw-r--r-- 1 root root 692 Apr 19 21:20 README
# copy the certificate and its private key to a dedicated directory for central management
[root@nginx www.lvjianzhao.top]# cp fullchain.pem privkey.pem /etc/nginx/ssl/www.lvjianzhao.top/
# Next, edit the nginx configuration to reference this certificate. nginx configuration is not the focus of this post, so it is not explained in detail.
[root@nginx nginx]# egrep -v '^$|^#' nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
    # Plain-HTTP server block: only redirects to the HTTPS site
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name www.lvjianzhao.top;
        root /usr/share/nginx/html;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        location / {
            # sends every HTTP request to the HTTPS site root; use
            # "return 301 https://$host$request_uri;" to keep the requested path
            return 302 https://www.lvjianzhao.top;
        }
        error_page 404 /404.html;
        location = /40x.html {
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
    # HTTPS server block using the copied fullchain.pem / privkey.pem
    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        server_name www.lvjianzhao.top;
        root /usr/share/nginx/html;
        ssl_certificate "/etc/nginx/ssl/www.lvjianzhao.top/fullchain.pem";
        ssl_certificate_key "/etc/nginx/ssl/www.lvjianzhao.top/privkey.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        location / {
        }
        error_page 404 /404.html;
        location = /40x.html {
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}
2.6 Test that HTTPS works
Reference post: "Certbot 自動化生成 https 證書" (Generating https certificates automatically with Certbot)
2.7 Set up a scheduled task for automatic renewal (so the certificate does not expire)
# Twice a day, after a random delay of up to an hour, run certbot renew quietly; it only renews certificates that are close to expiry.
[root@nginx nginx]# echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | tee -a /etc/crontab
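As an added example (not from the blog), two preflight checks for the files copied in 2.5 and the renewal job in 2.7: that the private key really belongs to the first certificate in fullchain.pem, and whether the certificate falls inside the renewal window certbot uses. The file names are assumptions, and the sample certificate is constructed locally.

```shell
#!/bin/sh
# Added example, not from the blog: two preflight checks before nginx is
# reloaded with the files copied in 2.5, and the same expiry test certbot
# uses to decide whether the cron job in 2.7 has anything to renew.
# File names are assumptions; the sample certificate is constructed locally.
set -eu

# cert_matches_key CERT.pem KEY.pem: 0 if the first certificate in CERT
# (the leaf in a fullchain.pem) was issued for the public key in KEY.
# A mismatch is the classic result of copying files from two different
# certbot runs; nginx then refuses to start with "key values mismatch".
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# cert_needs_renewal CERT.pem DAYS: 0 if CERT expires within DAYS days
# (certbot renew uses a 30-day window), 1 if it is valid for longer.
cert_needs_renewal() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# make_sample_cert DIR DAYS: constructed self-signed test cert and key,
# valid for DAYS days, so the checks above can be run without a real site.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=sample.invalid" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
    # an unrelated key, to show the mismatch case
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/wrong.pem" 2>/dev/null
}
```

Run the same two functions against /etc/nginx/ssl/www.lvjianzhao.top/fullchain.pem and privkey.pem before `nginx -s reload`, and put cert_needs_renewal in monitoring so a silently failing `certbot renew` is noticed before the expiry date.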