Install openssl
$ yum install openssl
Create the CA certificate
$ cd /etc/pki/CA
$ /etc/pki/tls/misc/CA -newca
Enter PEM pass phrase: 123456
Verifying - Enter PEM pass phrase: 123456
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:CN
Locality Name (eg, city) [Default City]:CN
Organization Name (eg, company) [Default Company Ltd]:CN
Organizational Unit Name (eg, section) []:CN
Common Name (eg, your name or your server's hostname) []:chenliujin.com
Email Address []:liujin.chen@qq.com
Generate a CSR (Certificate Signing Request)
Method 1: RSA (unencrypted private key)
$ openssl req -nodes -newkey rsa:2048 -keyout domain.key -out domain.csr
Generating a 2048 bit RSA private key
....................+++
...................................................................................+++
writing new private key to 'domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:CN
Locality Name (eg, city) [Default City]:CN
Organization Name (eg, company) [Default Company Ltd]:CN
Organizational Unit Name (eg, section) []:CN
Common Name (eg, your name or your server's hostname) []:www.chenliujin.com
Email Address []:liujin.chen@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Method 2: DES (3DES-encrypted, passphrase-protected private key)
$ openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
........+++
..............................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:123456              # enter the passphrase
Verifying - Enter pass phrase for server.key:123456  # enter the passphrase
$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:123456              # enter the passphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:CN
Locality Name (eg, city) [Default City]:CN
Organization Name (eg, company) [Default Company Ltd]:CN
Organizational Unit Name (eg, section) []:CN
Common Name (eg, your name or your server's hostname) []:www.chenliujin.com
Email Address []:liujin.chen@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ cp server.csr newreq.pem
Sign the generated server certificate request with the CA
$ /etc/pki/tls/misc/CA -sign
$ cp newcert.pem server.crt
Alternative: self-signed certificate (no CA, valid for 3650 days)
$ openssl genrsa -out server.key 1024
$ openssl req -new -key server.key -out server.csr
$ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
COMODO Certificate Installation: Nginx
* https - Nginx
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1365&nav=0,96,1,95
Certificate chain
The root certificate is the certificate a CA issues to itself; it is the starting point of the chain of trust. Installing a root certificate means trusting that CA.
Check which COMODO product signed your certificate (here PositiveSSL), download the matching PositiveSSL intermediate and root certificates, and concatenate them into your certificate file.
Certificate: www.chenliujin.com.cer
Intermediate certificate: PositiveSSLCA2.crt
Root certificate: AddTrustExternalCARoot.crt
Concatenate them in the order above into www.chenliujin.cer, taking care to remove any stray whitespace between the PEM blocks.
$ cat www.chenliujin.com.cer PositiveSSLCA2.crt AddTrustExternalCARoot.crt > ssl-bundle.crt  # > rather than >> so a rerun does not append a second copy of the chain
$ vim www.chenliujin.com.conf
server {
    listen 443;
    server_name www.chenliujin.com;
    ssl on;
    ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
    ssl_certificate_key /etc/ssl/private/mysite.key;
    # enables SSLv3/TLSv1, but not SSLv2 which is weak and should no longer be used.
    ssl_protocols SSLv3 TLSv1;
    # Disables all weak ciphers
    ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
}
* COMODO Root & Intermediate(s) lookup
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1182
* COMODO Root & Intermediate(s) download
https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=1&nav=0
Certificate chain (example)
Common name: l.ygsm.com
SANs: l.ygsm.com, www.l.ygsm.com
Valid from May 28, 2014 to May 28, 2019
Serial Number: 1df5da786a91fda72040694f67f8a96d
Signature Algorithm: sha256WithRSAEncryption
Issuer: COMODO RSA Domain Validation Secure Server CA

Common name: COMODO RSA Domain Validation Secure Server CA
Organization: COMODO CA Limited
Location: Salford, Greater Manchester, GB
Valid from February 11, 2014 to February 11, 2029
Serial Number: 2b2e6eead975366c148a6edba37c8c07
Signature Algorithm: sha384WithRSAEncryption
Issuer: COMODO RSA Certification Authority

Common name: COMODO RSA Certification Authority
Organization: COMODO CA Limited
Location: Salford, Greater Manchester, GB
Valid from May 30, 2000 to May 30, 2020
Serial Number: 2766ee56eb49f38eabd770a2fc84de22
Signature Algorithm: sha384WithRSAEncryption
Issuer: AddTrust External CA Root
Q & A
* sec_error_unknown_issuer
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. You can fix this by following Comodo's Certificate Installation Instructions for your server platform (use these instructions for InstantSSL). Pay attention to the parts about Intermediate certificates.
References
- Generate a CSR on a Linux server
  http://hosting.com/support/ssl/generate-a-csr-on-a-linux-server/
- Check your CSR
  https://ssltools.websecurity.symantec.com/checker/views/csrCheck.jsp
- Check your certificate installation
  https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp
- Moving to a 2048-bit Certificate
- SSL certificate deployment guide - Nginx
- Certificate Installation
  https://support.comodo.com/index.php?_m=knowledgebase&_a=view&parentcategoryid=95&pcid=1&nav=0,96,1
- Firefox and SSL: sec_error_unknown_issuer
  http://stackoverflow.com/questions/275878/firefox-and-ssl-sec-error-unknown-issuer
- SSL Certificate Tools