90-day free SSL: Free SSL Certificates and SSL Tools - ZeroSSL
Application tutorial: CNode: Node.js professional Chinese community
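I use the free SSL certificate from https://www.startcomca.com/. In 2016 a free application was valid for 3 years; what applies at the time you read this is uncertain. The startssl site is also redesigned often, so this tutorial has no screenshots. The steps are as follows:
1. The first step is of course to register an account at startssl.com; if you have already registered, just log in.
2. After logging in, find ControlPanel in the navigation and open the control panel.
3. Inside, click Certificates Wizard in the panel to open the certificate wizard.
4. There is a table there. Look at the rightmost column of the table, Free User (Not Validated), the free tier. Under it there is a clickable DV SSL Certificate entry; click it.
5. After clicking through, the page says: Please enter the full hostname for SSL certificate (e.g: mail.domain.com): meaning you should fill in your domain name. After choosing the domain, look further down:
Please submit your Certificate Signing Request (CSR): this asks for your CSR. I recommend generating the CSR on your server with openssl, which is simple:
openssl req -newkey rsa:2048 -keyout yourname.key -out yourname.csr
That is all it takes, provided openssl is installed first.
After typing the command and pressing Enter: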
Enter pass phrase for root.key: ← enter the password created earlier
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN ← country code; for China enter CN
State or Province Name (full name) [Some-State]:BeiJing ← full name of the province, in pinyin
Locality Name (eg, city) []:BeiJing ← full name of the city, in pinyin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← company name in English
Organizational Unit Name (eg, section) []: ← organizational unit name
Common Name (eg, YOUR name) []: ← leave blank at this point
Email Address []:admin@mycompany.com ← email address, can be anything
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← the same password as above is fine
An optional company name []: ← an optional company name
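6. When it finishes, two files are generated in the current directory: yourname.key and yourname.csr. Paste the contents of yourname.csr into the Generated by Myself (.cer PEM format certificate) field on the startssl.com site and click Submit.
7. The next page after submitting shows a message: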
Your certificate is issued, please click here to download the certificate, the intermediate certificate and the root CA certificate.
And you can retrieve your issued certificate at “Tool Box” – “Certificate List” at any time if you need.
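Click "here", or go to your Tool Box, to download. The download is a zip file; after extracting it you will find crt files for the different web servers. Copy the crt and the key you just generated to the server and you are ready to deploy.
Nginx SSL deployment demo: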
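Before the crt and the key go onto the server, it is worth confirming that they belong together, because nginx refuses to start when they do not. The script below is an added example, not part of the original tutorial: the helper names, the pass phrase example-pass and the sample files are assumptions, and a self-signed certificate stands in for the CA-issued one.

```shell
#!/bin/sh
# Added example: check that the CSR and the crt carry the same public key as
# the private key, before both files are referenced in the nginx config.

# Print the public key (PEM) of a key, CSR or certificate.
# $1 = key|csr|crt, $2 = file, $3 = pass phrase source for an encrypted key
pubkey_pem() {
    case "$1" in
        key) openssl pkey -in "$2" -passin "${3:-pass:}" -pubout ;;
        csr) openssl req -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        *)   return 2 ;;
    esac 2>/dev/null
}

# same_pubkey KIND1 FILE1 KIND2 FILE2 [PASSIN]
# returns 0 = same key pair, 1 = different keys, 2 = a file could not be read
same_pubkey() {
    a=$(pubkey_pem "$1" "$2" "$5") || return 2
    b=$(pubkey_pem "$3" "$4" "$5") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample data written to directory $1 (nothing here is real).
# pass:... is used only to keep the demo non-interactive; on a real host
# prefer the file: or env: pass phrase sources.
make_samples() {
    # Key and CSR as in step 5, made non-interactive with -passout and -subj.
    openssl req -newkey rsa:2048 -keyout "$1/yourname.key" -out "$1/yourname.csr" \
        -passout pass:example-pass -subj "/C=CN/O=MyCompany Corp." 2>/dev/null || return 1
    # Stand-in for the CA-issued certificate: self-signed from that CSR.
    openssl x509 -req -in "$1/yourname.csr" -signkey "$1/yourname.key" \
        -passin pass:example-pass -days 1 -out "$1/server.crt" 2>/dev/null || return 1
    # An unrelated, unencrypted key for the mismatch case.
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null || return 1
}

tmp=$(mktemp -d) && make_samples "$tmp" || exit 1
for k in yourname.key other.key; do
    if same_pubkey key "$tmp/$k" crt "$tmp/server.crt" pass:example-pass
    then echo "$k: matches server.crt"
    else echo "$k: does NOT match server.crt (status $?)"
    fi
done
rm -rf "$tmp"
```

The same function also covers the step before submission: `same_pubkey key yourname.key csr yourname.csr` confirms the CSR was built from the key you intend to keep.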
server {
    # "ssl on;" is deprecated; TLS is enabled on the listen directive instead
    listen 443 ssl;
    server_name api.form1.com;
    ssl_certificate server.crt;        # your crt
    # your key; a key created with a pass phrase makes nginx ask for it at startup
    ssl_certificate_key server.key;
    ssl_session_timeout 10m;
    # TLSv1 is obsolete; TLSv1.3 needs nginx 1.13.0+ built with OpenSSL 1.1.1+
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root /var/www/web;
        index index.html index.htm index.php;
        # The rewrite rules below are for ThinkPHP
        if (!-e $request_filename) {
            rewrite ^/(.*)index.php(.*)$ $1/index.php?s=$2 last;
            rewrite ^(.*)$ /index.php?s=$1 last;
            break;
        }
        proxy_headers_hash_max_size 51200;
        proxy_headers_hash_bucket_size 6400;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
    # The block below passes PHP requests to the FastCGI backend
    location ~ \.php($|/index.php) {
        root /var/www/web;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}