使用TLS和Auth保护NSQ

要生成新的公钥/私钥对：

openssl req -x509 -newkey rsa:2048 -keyout privatekey.pem -out cert.pem -days 3650 -nodes

提示：请确保“通用名称”是您的主机名或FQDN，无论您要连接到nsqd。

允许nsqd接受TLS升级请求：

nsqd -tls-cert="cert.pem" -tls-key="privatekey.pem"

执行TLS：

nsqd -tls-cert="cert.pem" -tls-key="privatekey.pem" -tls-required=1

注意：-tls-required=1有效地关闭HTTP端点。

要在HTTPS上侦听：

nsqd -tls-cert="cert.pem" -tls-key="privatekey.pem" -tls-required=1 -https-address=0.0.0.0:4152

要将PEM格式的公钥/私钥对转换为PKCS＃12：

openssl pkcs12 -inkey privatekey.pem -in cert.pem -export -out nsq.pfx

将PKSC＃12转换为PEM：

openssl pkcs12 -in nsq.pfx -out keystore.pem -nodes
openssl pkcs12 -in nsq.pfx -out cert.pem -nodes -nokeys
openssl pkcs12 -in nsq.pfx -out privatekey.pem -nodes -nocerts

资源：

• https://en.wikipedia.org/wiki/Public-key_cryptography
• https://www.sslshopper.com/article-most-common-openssl-commands.html
• https://jamielinux.com/docs/openssl-certificate-authority
• http://tools.ietf.org/html/rfc5280#page-71

视窗：

• http://stackoverflow.com/questions/7331666/c-sharp-how-can-i-validate-a-root-ca-cert-certificate-x509-chain
• http://stackoverflow.com/questions/23935820/how-can-i-create-a-p12-file-without-a-private-key

更多Windows

• http://blog.didierstevens.com/2015/03/30/howto-make-your-own-cert-with-openssl-on-windows
• http://www.jayway.com/2014/09/03/creating-self-signed-certificates-with-makecert-exe-for-development

转载于:https://my.oschina.net/jiangshanlinux/blog/1505799