【Applying for an HTTPS certificate】

  • HTTPS is far too big a topic, so this post only covers applying for a certificate.

  • First, the terms that will come up:

    CA: Certificate Authority, the organization that issues certificates.
    .crt suffix: a certificate in crt format
    .pem suffix: a certificate in pem format
    .key suffix: the private key
    .csr suffix: Certificate Signing Request, the request file that is sent to the CA
    Private key: the key used to decrypt data

  • Start by generating your own key and CSR with openssl:

    openssl req -nodes -newkey rsa:2048 -keyout q.key -out q.csr

    Here q.key is the private key file name and q.csr is the certificate request file. After running it you get the prompts below; fill in each one as described and press Enter to confirm.

    Generating a 2048 bit RSA private key
    ...........................+++
    .........................................................+++
    writing new private key to 'q.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:two-letter uppercase country code, CN here
    State or Province Name (full name) []:province name, e.g. Guangdong
    Locality Name (eg, city) [Default City]:city name, e.g. Shenzhen
    Organization Name (eg, company) [Default Company Ltd]:company name, e.g. Hostker
    Organizational Unit Name (eg, section) []:department name, e.g. IT
    Common Name (eg, your name or your server's hostname) []:this one matters: the hostname without any prefix, e.g. for www.hostker.com enter hostker.com
    Email Address []:your email address

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:the password must be left blank!!!
    An optional company name []:leave blank

  • This produces two files. Hand the csr file to the CA to have the certificate signed; the CA usually verifies your identity through the domain's whois email address. If you are asked to choose an environment, choose OTHER. Once verification passes, the certificate is issued to you. The next step is deploying it.

  • Deploying the certificate means configuring both the private key and the certificate on the server. The private key is the q.key from above. Some cheap certificates, like COMODO's few-dollar ones, may come with a fairly long certificate chain. You can merge the chain with the cat command, or open the files in a decent editor and paste the certificate and the intermediate certificates in order; make sure each file ends with a newline character. If you paste everything into one file, that combined file with the chain gets the .pem suffix.

  • The order of the chain is the end-entity certificate first, then the intermediate certificates. For example, COMODO's PositiveSSL issues four files, which must be merged in this order: q.crt (the certificate issued to you), COMODORSADomainValidationSecureServerCA.crt, COMODORSAAddTrustCA.crt, AddTrustExternalCARoot.crt. If you are unsure of the order, open the certificate file, find the certification path, and walk it from the bottom level upwards. If that still does not work, the only option is to contact the SSL seller and ask.
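    As an added example (not part of the original post), the bash script below automates the two steps above: it answers the CSR prompts with -subj so the challenge password stays empty, concatenates the certificate files leaf-first while making sure each ends with a newline, and uses openssl to check that every certificate in the bundle is issued by the one after it. The root/intermediate/leaf certificates, the file names and the "Demo" organization are constructed for this run, and openssl is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): build a leaf-first PEM chain as the
# post describes and check its order with openssl. Host and org names are made up.
set -eu

# Concatenate PEM files in the given order. A file with no trailing newline would
# glue its "-----END" line onto the next file's "-----BEGIN", so one is added.
build_chain() {
  local out=$1 f; shift
  : > "$out"
  for f in "$@"; do
    cat "$f" >> "$out"
    # $(tail -c1) is empty only when the file's last byte is a newline
    if [ -n "$(tail -c1 "$f")" ]; then printf '\n' >> "$out"; fi
  done
}

# Split a bundle into single certificates and require that each one's issuer is
# the subject of the next (leaf, intermediates, root). Returns 1 on a wrong order.
check_chain_order() {
  local bundle=$1 tmp i n prev_issuer="" subj
  tmp=$(mktemp -d)
  awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} {print > (d "/" n ".pem")}' "$bundle"
  n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$bundle")
  for i in $(seq 1 "$n"); do
    subj=$(openssl x509 -in "$tmp/$i.pem" -noout -subject)
    if [ -n "$prev_issuer" ] && [ "${prev_issuer#issuer=}" != "${subj#subject=}" ]; then
      echo "certificate $i is not the issuer of certificate $((i - 1))" >&2
      rm -rf "$tmp"; return 1
    fi
    prev_issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer)
  done
  rm -rf "$tmp"
}

# Constructed root -> intermediate -> leaf chain so the script runs on its own.
# -subj and -nodes answer every prompt, so the challenge password stays empty.
make_demo_certs() {
  local d=$1 base="/C=CN/ST=Guangdong/L=Shenzhen/O=Demo"
  openssl req -x509 -nodes -newkey rsa:2048 -days 2 -subj "$base/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -nodes -newkey rsa:2048 -subj "$base/CN=Demo Intermediate" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -out "$d/inter.crt" 2>/dev/null
  openssl req -nodes -newkey rsa:2048 -subj "$base/CN=example.com" \
    -keyout "$d/q.key" -out "$d/q.csr" 2>/dev/null
  openssl x509 -req -in "$d/q.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -out "$d/q.crt" 2>/dev/null
}
```

    For a real certificate, replace make_demo_certs with the files the CA sent you and run build_chain followed by check_chain_order on the resulting .pem.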
