Part 1: 自建 private key, 建立 CSR 申請第三方憑證
#private key, need password(keep it)
openssl genrsa -des3 -out private.key 2048
# certificate signing request (CSR)
openssl req -new -key private.key -out domaincsr.csr
#產生如下列問題:
Country Name (2 letter code) [XX]:TW => 填寫國名(兩碼),填完後按下enter
State or Province Name (full name) []:Taiwan =>填寫州或郡,填完後按下enter
Locality Name (eg, city) [Default City]:Taipei =>填寫城市名稱,填完後按下enter
Organization Name (eg, company) [Default Company Ltd]:MyCompany Inc =>填寫公司名稱,填完後按下enter
Organizational Unit Name (eg, section) []:IT Dept =>填寫部門名稱,填完後按下enter
Common Name (eg, your name or your server's hostname) []:www.mydomain.com =>填寫保護網域名稱,填完後按下enter
Email Address []: demo@mydomain.com=>填寫電子郵件地址(可不填),填完後按下enter
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []: =>請留空白,按下enter
An optional company name []: =>填寫公司名稱(可不填),填完後按下enter
#利用 domaincsr.csr 申請第三方憑證
refrence url:
1. https://blog.longwin.com.tw/2014/08/apache2-ssl-create-build-setup-2014/
2. https://slproweb.com/products/Win32OpenSSL.html
3. http://wiki.gandi.net/zh-tw/ssl/dcv
Part 2: 申請到憑證之後下載憑證串鏈
至少包含 2 張憑證,分別是
1. 中繼憑證 (第三方單位會提供 or 直接下載)
ex: GandiStandardSSLCA2.pem
2. 第三方單位發下來的憑證 (第三方單位會提供 or 直接下載)
ex: mydomain.crt
Part 3: 製作 HTTP Server 憑證串
#產製沒有加密過的 private key
openssl rsa -in private.key -out server_no_pwd.key
#產製包含 key 和 第三方憑證 PEM 檔案
cat server_no_pwd.key > server.key
cat GandiStandardSSLCA2.pem mydomain.crt > server.pem
Part 4: 確認共有三個檔案內容:
1. 自行產生的 private key: server.key
2. 串聯的憑證: server.pem
3. 第三方認證公司發行的憑證: mydomain.crt
於 Apache2 的設定範例
ServerAdmin admin@mydomain.com.tw
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /var/www/html/gandi_key/server.pem
SSLCertificateKeyFile /var/www/html/gandi_key/server.key
SSLCertificateChainFile /var/www/html/gandi_key/mydomain.crt
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
於 Ngnix 的設定範例
# HTTPS server
server {
listen 443 ssl;
server_name mydomain.com.tw;
access_log C://data//BackendService//logs//access_log.log;
ssl_stapling on;
ssl_stapling_verify on;
ssl_certificate /ngnix/gandi_key/server.pem
ssl_certificate_key /ngnix/gandi_key/server.key
#ssl_session_cache shared:SSL:1m;
#ssl_session_timeout 5m;
#ssl_ciphers HIGH:!aNULL:!MD5;
#ssl_prefer_server_ciphers on;
ssl_trusted_certificate /ngnix/gandi_key/mydomain.crt
location / {
proxy_pass http://127.0.0.1:4001/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
No comments:
Post a Comment