# Go to the Nginx config directory and create a place to store the certificates
cd /usr/local/nginx/conf
mkdir certs
cd certs
# Generate a 2048-bit RSA private key and a CSR (-nodes leaves the key unencrypted so Nginx can load it without a passphrase)
openssl req -new -newkey rsa:2048 -nodes -out example.com.csr -keyout example.com.key
Generating a 2048 bit RSA private key
..............................................................................................................+++
..............................+++
writing new private key to 'example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:HongKong
Locality Name (eg, city) []:Kowloon
Organization Name (eg, company) [Internet Widgits Pty Ltd]:example.com
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:*.example.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# Restrict the permissions on the generated private key
chmod 400 example.com.key
chown root:root example.com.key
# Run `cat example.com.csr` to get the 2048-bit CSR shown below; it goes into the matching field of the certificate application form
Domain : *.example.com
Server IP : 111.292.237.196
Email : admin@…
2048 CSR :
-----BEGIN CERTIFICATE REQUEST-----
MI..contents of the CSR file go here..==
-----END CERTIFICATE REQUEST-----
# After submitting, wait for the verification email; if everything checks out, click I APPROVE
# You will then receive another email containing two certificates; save each to its own file
- The first is example.com.crt
- The second is example.com.DigiCertCA.crt
# Combine the two certificates into one bundle: the server certificate must come first, followed by the intermediate CA certificate
# (use > rather than >> so that re-running this step does not append duplicate certificates)
cat example.com.crt example.com.DigiCertCA.crt > example.com.bundled.crt
# Log in to the server
ssh SERVER_IP
# Edit the Nginx vhost configuration
vim /usr/local/nginx/conf/vhosts/example.com.conf
# Contents:
server {
    listen 80;
    server_name example.com;
    # Redirect every plain-HTTP request to HTTPS
    rewrite ^/(.*) https://$server_name/$1 permanent;
}

server {
    # "listen 443 ssl" replaces the deprecated "ssl on;" directive, which recent Nginx releases no longer accept
    listen 443 ssl;
    ssl_certificate /usr/local/nginx/conf/certs/example.com.bundled.crt;
    ssl_certificate_key /usr/local/nginx/conf/certs/example.com.key;
    ssl_session_timeout 5m;
    charset utf-8;
    server_name example.com;
    root /home/user/example.com;
    index index.html index.htm index.php;
    access_log logs/example.com.access.log;

    location ~ \.php$ {
        # Only hand existing files to PHP-FPM; guards against the cgi.fix_pathinfo path-info problem
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        # Let PHP know the request arrived over HTTPS
        fastcgi_param HTTPS on;
        fastcgi_param HTTP_SCHEME https;
    }

    # Never serve .htaccess / .htpasswd files
    location ~ /\.ht {
        deny all;
    }
}
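Before reloading Nginx with the files produced by the steps above, it is worth checking that the private key actually belongs to the certificate in the bundle, that the bundle starts with the server certificate and carries the intermediate, and that the key file kept its restrictive permissions. The script below is an added example, not part of the original page; it assumes only the `openssl` CLI on PATH and builds its own self-signed stand-ins for example.com.crt and the DigiCertCA intermediate (constructed fixtures, not real CA output) so it can run offline.

```shell
#!/bin/sh
# Added example (not from the original page): pre-deployment checks for the
# key / certificate bundle that Nginx will load. Assumes the openssl CLI.

# Return 0 when the private key and the (first) certificate in a file carry
# the same public key, i.e. the key really belongs to that certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then return 0; else return 1; fi
}

# Number of PEM certificate blocks in a bundle (leaf + intermediate => 2).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Subject CN of the first certificate in a bundle; openssl x509 reads only the
# first block, so this tells us whether the server certificate comes first.
leaf_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Return 0 when the key file is readable by its owner only (mode 400 or 600).
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    if [ "$mode" = "400" ] || [ "$mode" = "600" ]; then return 0; else return 1; fi
}

# Run every check against a key and a bundle; 0 means safe to point Nginx at them.
verify_deployment() {
    key="$1"; bundle="$2"; rc=0
    key_matches_cert "$key" "$bundle" || { echo "FAIL: key does not match leaf certificate"; rc=1; }
    [ "$(cert_count "$bundle")" -ge 2 ] || { echo "FAIL: bundle is missing the intermediate certificate"; rc=1; }
    [ "$(leaf_cn "$bundle")" = "*.example.com" ] || { echo "FAIL: first certificate in bundle is not the server certificate"; rc=1; }
    key_perms_ok "$key" || { echo "FAIL: private key is readable by other users"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key, bundle order and permissions look right"
    return "$rc"
}

# Constructed fixtures: a self-signed leaf standing in for example.com.crt and a
# second self-signed certificate standing in for example.com.DigiCertCA.crt.
make_fixture() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=*.example.com' \
        -keyout "$dir/example.com.key" -out "$dir/example.com.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Constructed Intermediate CA' \
        -keyout "$dir/ca.key" -out "$dir/example.com.DigiCertCA.crt" 2>/dev/null
    # Same concatenation order as the page: server certificate first, then the CA
    cat "$dir/example.com.crt" "$dir/example.com.DigiCertCA.crt" > "$dir/example.com.bundled.crt"
    chmod 400 "$dir/example.com.key"
}

# Stand-alone demo on the constructed fixtures; with real files run
#   verify_deployment /usr/local/nginx/conf/certs/example.com.key /usr/local/nginx/conf/certs/example.com.bundled.crt
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
verify_deployment "$demo_dir/example.com.key" "$demo_dir/example.com.bundled.crt"
rm -rf "$demo_dir"
```

The key/certificate comparison hashes the public key extracted from each side, so it works for RSA and EC keys alike; a mismatch here is the usual cause of Nginx refusing to start with an "SSL_CTX_use_PrivateKey_file" error after a certificate renewal.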