[Server] TLS/SSL憑證(Certificate)常用指令 – 製作CSR

簡介

詳細指令的可以參考:
The Most Common OpenSSL Commands

申請憑證流程概念:

自產Server Key生成CSR > 上傳至憑證組織基於CSR產出憑證下載 > 設定至Web Server

SSL基本指令

1. 產生 Private Key

openssl genrsa -out self-ssl.key

2. 產生 CSR (certificate signing request)

openssl req -new -key self-ssl.key -out self-ssl.csr

3. 產生自簽署金鑰

openssl x509 -req -days 365 -in self-ssl.csr -signkey self-ssl.key -out self-ssl.crt

自簽快速指令:openssl req -nodes -new -x509 -keyout server.key -out server.cert

CSR/CRT設定含SAN多網域:Certificate(CSR) configuration file


CSR 製作與設定

生成CSR時需輸入Owner資訊如下:

Country Name (2 letter code) [XX]:  TW
State or Province Name (full name) []:  Taiwan
Locality Name (eg, city) [Default City]:  Taipei
Organization Name (eg, company) [Default Company Ltd]: YIDAS Co., Ltd
Organizational Unit Name (eg, section) []: IT
Common Name (eg, your name or your server's hostname) []: code.yidas.com
Email Address []:myintaer@gmail.com

後面Extra的部分可以直接Enter略過

Common Name Case

1.單網域 (Single Domain)

code.yidas.com

2.多網域 (Multi-Domin)

Multi-Domain SSL Setup with “Subject Alternative Names”

可依據廠商的要求分隔

3.萬用網域 (Wildcard)

*.yidas.com

SSL進階指令

檢視 CSR

openssl req -text -noout -verify -in CSR.csr

SSL安裝

SSL提供商檔案(TWCA多中繼憑證為例):

root.cer //根憑證檔
server.cer //伺服器憑證檔(網域憑證)
uca_1.cer //中繼憑證檔1
uca_2.cer //中繼憑證檔1

其中,中繼憑證若為多個如上例,則將中繼憑證倒序合併至單檔:

cat uca_2.cer uca_1.cer > uca.cer

目前我尚未看過有人將Root CA也加入Chain

另外我方會有當時拿去申請憑證的CSR及其Pricate Key:

self-ssl.key // 所謂Server.key,HTTPS Server設定所需
self-ssl.csr // 由Private Key產生之CSR用於上傳申請憑證

Nginx SSL安裝

Configuring HTTPS servers – SSL certificate chains

不同於Apache,中繼憑證是可以直接Bundle至網域憑證中:

cat uca.cer server.cer > full-chained.cer
server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     full-chained.cer;
    ssl_certificate_key server.key;
    ...
}

憑證檔常態目錄:/etc/pki/tls/

注意:Nginx若沒有設定SSL憑證路徑,則HTTPS連線會自動被中斷

Apache SSL安裝

Apache SSL/TLS Strong Encryption: How-To
Apache SSLCertificateChainFile Directive

Apache的中繼憑證是獨立設定的。

SSLEngine On
SSLCertificateFile /etc/ssl/server.cer
SSLCertificateKeyFile /etc/ssl/server.key
SSLCertificateChainFile /etc/ssl/uca.cer

延伸文章

網站SSL加密原理簡介
深度解析HTTPS原理
憑證串鍊的解釋
SSL X.509 憑證教學
The Complete Guide To Switching From HTTP To HTTPS

Leave a Reply

Your email address will not be published. Required fields are marked *