Maximum SSL certificate validity per issuance reduced to 2 years

Under a new rule issued by the CA/Browser Forum (CAB/FORUM), the global SSL industry body, the maximum validity of any single SSL certificate issuance is reduced to 2 years. The rule formally took effect on 30 April 2018; from that date the longest validity a user can apply for is 2 years.

More precisely, a certificate with 27 months of validity can be applied for, but it must be renewed within the three months before it expires.

For more information on this rule, see: https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/

Between 20 and 30 April 2018 we will take all 3-year SSL certificate billing items offline.

This policy does not affect normal SSL certificate applications by you or your customers; our system will remind you before a certificate expires and help you complete the renewal and redeployment.

If you need help, please contact us.

V2SSL - full-service digital certificate provider

Phone: 029-88188289

Support QQ: 415652555   624323436   2848832423

Email: support@qiaokr.com

Client Side Certificate Auth in Nginx

Why Client-Side Certificate Authentication? Why nginx?

I sometimes peruse the ReST questions of stackoverflow.com. Many times I see questions about authentication. There are many options (Basic HTTP Auth, Digest HTTP Auth, OAuth, OAuth Wrap, etc.) however when security is of importance, I like to recommend client side certificates. This is the route our team at ShowClix chose when implementing our API.

When first implementing the API Authentication, we were using Apache for our ReST API Servers. It took some serious google-fu and tinkering to get Apache cooperating with the client-side certs and passing that info into our PHP App layer. I remember it being a semi-painful process.

Lately, I’ve become a huge fan of nginx. Its clean, familiar config syntax and speed make it a great alternative for Apache in many cases. Its reverse proxy capabilities are quite nice as well. So, I thought I’d give client-side cert authentication a shot in nginx. Whereas a quick search for “Client Side Certs in Apache” yielded a few relevant results, a similar search for nginx yielded no results, so I figured I’d share here.

I ran this on a small 256MB Rackspace cloudserver instance running Arch Linux, nginx 0.7.65, PHP 5.3.2 and PHP FPM.

Creating and Signing Your Certs

This is SSL, so you’ll need a cert-key pair for you/the server, one for the API users/the client, and a CA pair. You will be the CA in this case (usually a role played by VeriSign, thawte, GoDaddy, etc.), signing your clients’ certs. There are plenty of tutorials out there on creating and signing certificates, so I’ll leave the details on this to someone else and just quickly show a sample here to give a complete tutorial. NOTE: This is just a quick sample of creating certs and not intended for production.

# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Create the Server Key, CSR, and Certificate
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr

# We're self signing our own server cert here.  This is a no-no in production.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

# Create the Client Key and CSR
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr

# Sign the client certificate with our CA cert.  Unlike signing our own server cert, this is what we want to do.
# Every certificate issued by the same CA needs a distinct serial number, so the client cert gets 02 (the server cert above already used 01).
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt

Configuring nginx

server {
    listen        443;
    ssl on;
    server_name example.com;

    ssl_certificate      /etc/nginx/certs/server.crt;
    ssl_certificate_key  /etc/nginx/certs/server.key;
    ssl_client_certificate /etc/nginx/certs/ca.crt;
    ssl_verify_client optional;

    location / {
        root           /var/www/example.com/html;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_param  SCRIPT_FILENAME /var/www/example.com/lib/Request.class.php;
        fastcgi_param  VERIFIED $ssl_client_verify;
        fastcgi_param  DN $ssl_client_s_dn;
        include        fastcgi_params;
    }
}

The main things to note here are…

  • We specify the server’s certificate (server.crt) and private key (server.key).
  • We specify the CA cert that we used to sign our client certificates (ca.crt).
  • We set ssl_verify_client to optional. This tells nginx to attempt to verify the SSL certificate if one is provided. My API allows both authenticated and unauthenticated requests; if you only want to allow authenticated requests, set this value to on.
  • Lastly, you’ll notice that I add a location directive that routes all the requests to a single PHP script. You can handle this differently (and technically don’t even need to use PHP, as there are other FastCGI options).

Passing to PHP

There are several options for running PHP from nginx. I chose to use PHP FPM, however these steps should also work for any of the fast cgi options in theory. You’ll notice I added a few additional fastcgi_params to the usual fastcgi_params.

First, we pass in the $ssl_client_verify variable as the VERIFIED parameter. This is useful when we are allowing both authenticated and unauthenticated requests. When the client certificate could be verified against our CA cert, this will have the value SUCCESS. Otherwise, the value will be NONE.

Second, you’ll notice we pass the $ssl_client_s_dn variable as the DN parameter. This provides “the line subject DN of client certificate for established SSL-connection”. The Common Name part of this certificate may be of most interest to you. Here is an example value for DN…

/C=US/ST=Florida/L=Orlando/O=CLIENT NAME/CN=CLIENT NAME

Nginx also provides the option to pass in the entire client certificate via $ssl_client_cert or $ssl_client_cert_raw. For more details on the SSL options available to you in nginx, check out the Nginx Http SSL Module Wiki.
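As an added example (Python standing in for the post’s PHP; this is not code from the original post or from ShowClix), here is the app-side logic a handler such as Request.class.php needs for the two parameters: only VERIFIED equal to SUCCESS is trusted, the DN is parsed into its components, and the CN is matched against an allowlist. The allowlist and the “params as a dict” request shape are assumptions.

```python
# Added example: app-side handling of the VERIFIED and DN FastCGI params that the
# nginx config above passes through ($ssl_client_verify and $ssl_client_s_dn).
# Python stands in for the post's PHP; the allowlist and the "params as a dict"
# request shape are assumptions, not part of the original post.

ALLOWED_CLIENTS = {"CLIENT NAME", "acme-api"}   # constructed allowlist of client CNs

def parse_dn(dn):
    """Split nginx's one-line DN ('/C=US/ST=Florida/.../CN=CLIENT NAME') into a dict.

    This is the OpenSSL oneline form shown in the post: '/'-separated key=value
    components. Values are assumed not to contain '/' themselves.
    """
    parts = {}
    for component in dn.split("/"):
        if not component:
            continue                                  # the leading '/' yields an empty element
        key, sep, value = component.partition("=")
        if not sep:
            raise ValueError("malformed DN component: %r" % component)
        parts[key] = value
    return parts

def authenticate(params):
    """Return (client_cn or None, reason) for one request's FastCGI params.

    With ssl_verify_client optional, nginx sets VERIFIED to:
      SUCCESS       the client presented a certificate that chains to ca.crt
      NONE          no certificate was presented (an anonymous request)
      FAILED[:why]  a certificate was presented but did not verify
    Only SUCCESS may be trusted; for any other value the DN is untrusted input.
    """
    verified = params.get("VERIFIED", "NONE")
    if verified == "NONE":
        return None, "anonymous"                      # allowed, but gets no identity
    if verified != "SUCCESS":
        return None, "rejected"                       # never fall back to the DN here
    cn = parse_dn(params.get("DN", "")).get("CN")
    if cn is None:
        return None, "rejected"                       # verified cert without a CN: refuse
    if cn not in ALLOWED_CLIENTS:
        return None, "unknown-client"                 # ca.crt vouches for the cert, the allowlist for the identity
    return cn, "authenticated"
```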

Consuming the ReST Service

So, we’ve created our certs, signed our client certs, installed nginx and PHP, and set up nginx to verify the certs and finally pass along the client cert details. Now we are ready to consume our ReSTful service.

There are lots of tools out there for consuming true HTTP based ReSTful services. Some of them are prettier than others, but I prefer the good old cli version of cURL.

NOTE: This is run from your client computer. Make certain that you have scp’d your client.key and client.crt files from your server onto your client machine that is making the requests. You’ll also be prompted for the pass phrase you used when you first created the client cert. There are ways to remove the need for pass phrases. Also, you don’t need the verbose flag (-v) or silent flags (-s). We’re using the -k flag here because we used a self-signed cert for the server.

curl -v -s -k --key client.key --cert client.crt https://example.com

Source code is also available on github.

Source: nategood.com

Link: http://nategood.com/client-side-certificate-authentication-in-ngi

COMODO EV now accepts friendlier English translations of company names

More and more domestic and overseas corporate customers are choosing our EV validation service, most of them in the foreign-trade sector. These customers want the browser address bar to show their English company name, or the English form of their Chinese company name. As the CA issuing EV (Extended Validation) certificates, COMODO for a long time rendered Chinese company names in a "pinyin + English" format for EV display, which looked very unfriendly.

This appeared to be a COMODO rule: whenever a V2SSL EV order was submitted to COMODO's China validation team for review, they would translate the company name into the pinyin + English form for validation.

For example:

西安乔客信息科技有限公司

was previously translated as:

Xian Qiaoke Xinxi Keji Co., Ltd.

From now on, COMODO accepts friendlier English translations of company names, such as:

西安乔客信息科技有限公司 => Xian Qiaoke Information Technology Co., Ltd.

西安乔客信息科技有限公司 => Xian Qiaoke Information Technology Corporation Limited

Either form is accepted.

V2SSL – full-service digital certificate provider

https://www.v2ssl.com/

Phone: 029-88188289

Merging the SSL server certificate and the CA bundle (certificate chain file)

This article is part of "Installing an SSL certificate on an Nginx server"; please refer to the full tutorial to configure your server certificate.

Overview

As is well known, a certificate authority (CA) almost never signs customer certificates directly with the root CA certificate that is built into operating systems and browsers. Instead it signs them with a Sub-CA under the root, the issuing CA.

But not every CA's issuing CA is preinstalled in browsers and operating systems, so a visitor to your site may see it as untrusted, with an error such as NET:ERROR_UNKNOW_CERTIFICATE_AUTHORITY. In reality the certificate we applied for was indeed issued by a trusted CA; the blame lies with the client's operating system or browser being too old to have shipped with the corresponding issuing CA certificate. This problem usually shows up on mobile phones.

This problem was solved long ago: IIS, Tomcat, Nginx, Apache and other web servers can all send the issuing CA certificates along with the server certificate, so a client that does not already have the issuing CA still receives it from the server and our site is shown as trusted.

So when configuring the server certificate we must configure the certificate chain at the same time, commonly called completing the certificate chain.

Each web server completes the chain differently; here we cover Nginx, and we will describe the other web servers in separate tutorials.

Downloading the SSL certificate and the certificate chain file

We have already covered this in detail in "Downloading an issued SSL certificate and CA bundle"; please read that first, but remember to come back.

Merging the certificate files

Open the two downloaded certificate .PEM files separately.

SSL server certificate file contents (one block):
-----BEGIN CERTIFICATE-----
[base64 body of the server certificate, omitted here]
-----END CERTIFICATE-----

Corresponding certificate chain file contents (one block per CA certificate; this bundle holds three):
-----BEGIN CERTIFICATE-----
[base64 body of the first CA certificate, omitted here]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[base64 body of the second CA certificate, omitted here]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[base64 body of the third CA certificate, omitted here]
-----END CERTIFICATE-----

Copy the entire content of the CA chain file, paste it after the content of the SSL server certificate, and save. After saving, the certificate file looks like this:

Merged certificate contents (the server certificate first, followed by the three CA certificates from the chain file in their original order):
-----BEGIN CERTIFICATE-----
[base64 body of the server certificate, omitted here]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[base64 body of the first CA certificate, omitted here]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[base64 body of the second CA certificate, omitted here]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[base64 body of the third CA certificate, omitted here]
-----END CERTIFICATE-----

With that, our certificate file is merged and the chain is complete. Save it to your desktop as v2ssl_com_domain_certificate_chainfiles_include.pem for later use.
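As an added example that is not part of the original tutorial, this Python script performs the merge described above and checks the result before it is handed to nginx: exactly one leaf certificate, every block decodes, each certificate's issuer matches the next certificate's subject (leaf first, as nginx requires), and the BEGIN/END markers are re-emitted on their own lines. It uses only the standard library; the sample certificates it builds are constructed, unsigned stand-ins, and the file names are assumptions.

```python
# Added example, not part of the original tutorial: merge the server certificate
# with the CA bundle as described above and sanity-check the result for nginx.
# Standard library only; issuer/subject names are compared as raw DER bytes.
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Return the DER bytes of every CERTIFICATE block in `text`, in file order."""
    return [base64.b64decode("".join(b.split()), validate=True) for b in PEM_BLOCK.findall(text)]

def _tlv(buf, pos):
    """Decode one DER tag-length header at `pos`: (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Walk Certificate -> tbsCertificate and return the raw DER of (issuer, subject)."""
    pos = _tlv(der, 0)[1]                               # Certificate SEQUENCE
    pos = _tlv(der, pos)[1]                             # tbsCertificate SEQUENCE
    if der[pos] == 0xA0:                                # optional [0] EXPLICIT version
        pos = _tlv(der, pos)[2]
    pos = _tlv(der, pos)[2]                             # serialNumber
    pos = _tlv(der, pos)[2]                             # signature AlgorithmIdentifier
    start, pos = pos, _tlv(der, pos)[2]                 # issuer Name
    issuer = der[start:pos]
    pos = _tlv(der, pos)[2]                             # validity
    start, pos = pos, _tlv(der, pos)[2]                 # subject Name
    return issuer, der[start:pos]

def to_pem(der):
    """Re-emit DER as a PEM block with 64-column lines and the markers on their own lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

def merge_chain(server_pem, bundle_pem):
    """Return leaf + bundle as one PEM string, or raise ValueError on a bad merge."""
    leaf = pem_blocks(server_pem)
    if len(leaf) != 1:
        raise ValueError("server certificate file must contain exactly one certificate")
    certs = leaf + pem_blocks(bundle_pem)
    for cur, nxt in zip(certs, certs[1:]):              # required order: leaf, issuing CA, ...
        if issuer_and_subject(cur)[0] != issuer_and_subject(nxt)[1]:
            raise ValueError("chain order broken: issuer does not match the next subject")
    return "".join(to_pem(c) for c in certs)            # END and BEGIN never share a line

def _der(tag, payload):
    """Tiny DER encoder, used only to build the constructed sample certificates below."""
    if len(payload) < 0x80:
        return bytes([tag, len(payload)]) + payload
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def sample_cert(subject, issuer):
    """Constructed, unsigned X.509-shaped DER carrying only the fields the walker reads."""
    def name(s):                                        # Name ::= SEQUENCE OF SET OF (OID CN, UTF8String)
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, s.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer) + _der(0x30, b"") + name(subject))
    return _der(0x30, _der(0x30, tbs))
```

On a real deployment, read server.pem and the CA bundle from disk, pass their text to merge_chain, and write the returned string to the file that ssl_certificate points at.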

Configuring the SSL certificate in Nginx


Overview

After the previous chapters we should now have the certificate file that Nginx needs ready; you also need the KEY file obtained when generating the CSR (suggested file name v2ssl_com_doamin.key) saved to your desktop.

Uploading the certificate file and key

Here we assume your Nginx configuration file is /usr/local/nginx/conf/vhost/v2ssl_com_domain.conf. Upload your certificate file and key file to /usr/local/nginx/conf/ssl; if the ssl directory does not exist, create it.

Editing your Nginx configuration file

By default HTTP is accessible. Open your site configuration file and add the following lines after listen 80;.

listen 443 ssl; # listen on port 443 with TLS ("ssl on;" is deliberately omitted: in a block that also has "listen 80;" it would force TLS on port 80 as well)
ssl_certificate /usr/local/nginx/conf/ssl/v2ssl_com_doamin.pem; # certificate file path (server certificate followed by the chain)
ssl_certificate_key /usr/local/nginx/conf/ssl/v2ssl_com_doamin.key; # KEY file path
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # enabled TLS versions
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS:!PSK:!RC4; # cipher suites, ECC (ECDHE) suites included; the RC4 suites are removed and the "!PKS" typo corrected to !PSK
ssl_session_cache builtin:1000 shared:SSL:10m;

After adding these lines, your site configuration file will look something like this:

server
{
    listen 80;
    listen 443 ssl; # listen on port 443 with TLS ("ssl on;" is deliberately omitted: it would also force TLS on the port 80 listener above)
    ssl_certificate /usr/local/nginx/conf/ssl/v2ssl_com_doamin.pem; # certificate file path (server certificate followed by the chain)
    ssl_certificate_key /usr/local/nginx/conf/ssl/v2ssl_com_doamin.key; # KEY file path
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # enabled TLS versions
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS:!PSK:!RC4; # cipher suites, ECC (ECDHE) suites included; RC4 suites removed, "!PKS" corrected to !PSK
    ssl_session_cache builtin:1000 shared:SSL:10m;
    server_name www.v2ssl.com v2ssl.com api.v2ssl.com;
    index index.html index.htm index.php default.html default.htm default.php;
    root  /home/wwwroot/vhost/v2ssl.com.root/;

    #include other.conf;
    #error_page   404   /404.html;
    include enable-php.conf;

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires      30d;
    }

    location ~ .*\.(js|css)?$
    {
        expires      12h;
    }

    location ~ /\.
    {
        deny all;
    }

    location ~* \.(tpl|inc|cfg)$
    {
        deny  all;
    }

    access_log off;
}

Pay particular attention to the certificate file paths: they must be correct. Save your configuration file and the configuration is complete.

Testing the Nginx configuration file


Overview

Nginx provides a way to test whether the site configuration file we edited is valid; if there is an error, the command line reports detailed error information to help us fix it.

Running the configuration test

Log in to your server with your terminal program (such as PuTTY) and run

[root@v2node5 vhost]# service nginx configtest

If your configuration is correct you will see the following output

[root@v2node5 vhost]# service nginx configtest
Test nginx configure files... nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@v2node5 vhost]# 

If an error is reported, re-edit the configuration file according to the error message until it passes the check.

Once the check succeeds, restart Nginx so that the edited configuration takes effect.

[root@v2node5 vhost]# service nginx restart

[Further reading] Forcing HTTP to redirect to HTTPS in Nginx


Overview

Deploying a trusted SSL certificate on the server is only the first step. To make users always reach our site over HTTPS, we need to configure Nginx so that users arriving over http are forcibly redirected to the https address.

Approach

Here we configure two server blocks for the same site, one http server and one https server, and redirect every user arriving over http to the https protocol, which achieves our goal.

Configuration example

Use the configuration file below as a reference for your own site file.

server
{
    listen 80;
    server_name www.v2ssl.com v2ssl.com api.v2ssl.com;
    rewrite ^(.*)$  https://$host$1 permanent;    # redirect to https://*
}

server
{
    listen 443 ssl; # listen on port 443 with TLS (the deprecated "ssl on;" directive is not needed alongside "listen ... ssl")
    ssl_certificate /usr/local/nginx/conf/ssl/v2ssl_com_doamin.pem; # certificate file path (server certificate followed by the chain)
    ssl_certificate_key /usr/local/nginx/conf/ssl/v2ssl_com_doamin.key; # KEY file path
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # enabled TLS versions
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS:!PSK:!RC4; # cipher suites, ECC (ECDHE) suites included; RC4 suites removed, "!PKS" corrected to !PSK
    ssl_session_cache builtin:1000 shared:SSL:10m;
    server_name www.v2ssl.com v2ssl.com api.v2ssl.com;
    index index.html index.htm index.php default.html default.htm default.php;
    root  /home/wwwroot/vhost/v2ssl.com.root/;

    #include other.conf;
    #error_page   404   /404.html;
    include enable-php.conf;

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires      30d;
    }

    location ~ .*\.(js|css)?$
    {
        expires      12h;
    }

    location ~ /\.
    {
        deny all;
    }

    location ~* \.(tpl|inc|cfg)$
    {
        deny  all;
    }

    access_log off;
}

Finally, remember to test the configuration file and restart nginx for the change to take effect.

[V2SSL] Configuring and installing an SSL certificate in Apache

Introduction

Here we cover how to configure and install an SSL certificate when Apache is the front-end web server, as is common in WDCP panel, LAMP and PHPStudy environments.

If you use Nginx as your front-end web server, see "Installing an SSL certificate on an Nginx server" for the configuration steps.

Assumptions

1. We assume you have already applied for and received a digital certificate issued by a trusted CA. If you have not, submit an application here first.
2. We assume you have downloaded the certificate, saving the server certificate and the CA certificate chain from the certificate console to your local machine. If you have not, see how to download the SSL certificate here.
3. We assume your Apache configuration file is at:

/etc/apache/conf/httpd.conf

and the corresponding vhost site configuration file is at:

/etc/apache/conf/httpd.conf

Uploading the files needed for the certificate configuration

Prepare the KEY file matching the CSR used for the application, the downloaded certificate file and the downloaded CA chain file:

--- v2ssl_com_key.key
--- v2ssl_com_certificate.pem
--- v2ssl_com_ca_bundle.pem

Create a directory to hold the certificates:

/etc/apache/conf/ssl/

Upload the three files above to:

/etc/apache/conf/ssl/v2ssl_com_key.key
/etc/apache/conf/ssl/v2ssl_com_certificate.pem
/etc/apache/conf/ssl/v2ssl_com_ca_bundle.pem

Adding an SSL vhost configuration file

Here we add a configuration file dedicated to SSL-enabled virtual hosts:

/etc/apache/conf/vhost-ssl.conf # empty for now

Adding the SSL site to the configuration file

Edit the vhost-ssl.conf file above and add the following:

Listen 443

SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/etc/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

# Apache does not allow a comment after a directive on the same line, so every
# comment in this file sits on its own line.
<VirtualHost *:443>
    # site document root
    DocumentRoot "/www/web/v2ssl.com/public_html"
    ServerName v2ssl.com:443
    ServerAlias www.v2ssl.com
    ServerAdmin certificate@v2ssl.com
    # apache log directory
    ErrorLog "/etc/apache/logs/error_log"
    TransferLog "/etc/apache/logs/access_log"

    SSLEngine on
    # server certificate file path
    SSLCertificateFile "/etc/apache/conf/ssl/v2ssl_com_certificate.pem"
    # matching KEY file path
    SSLCertificateKeyFile "/etc/apache/conf/ssl/v2ssl_com_key.key"
    # CA chain file path (deprecated since Apache 2.4.8, where the chain may instead
    # be appended to the server certificate in SSLCertificateFile)
    SSLCertificateChainFile "/etc/apache/conf/ssl/v2ssl_com_ca_bundle.pem"

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    # apache cgi-bin directory
    <Directory "/etc/apache/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    # apache log directory
    CustomLog "/etc/apache/logs/ssl_request_log" \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Editing httpd.conf

Now edit the httpd.conf file to include the vhost-ssl.conf just created and enable the required modules:

1. Add the following line to httpd.conf (make sure the path is correct; Apache does not accept a comment after a directive on the same line, so keep any note on its own line):

Include conf/vhost-ssl.conf

2. Remove the leading # from the following two lines:

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so

Save the files after editing.

Testing the configuration file

Once configured, run the following command to confirm that the configuration syntax and the file paths are correct (apachectl configtest, or httpd -t, performs the same check):

httpd configtest

If it prints OK or no error is reported, the configuration succeeded; restart apache and the HTTPS site can be reached. If errors are reported, fix them according to the messages and test the configuration file again.

Next, see "Forcing HTTP to HTTPS redirection in Apache" to force HTTPS access to your site.

If you run into difficulties, you are welcome to join the "Global SSL Certificate Exchange QQ group" for help.

Forcing HTTP to HTTPS redirection in Apache

This article assumes you have already configured an SSL site in Apache; if not, see "[V2SSL] Configuring and installing an SSL certificate in Apache" first.

Overview

Sometimes we need users to always access our site over HTTPS. In Apache we can achieve this with rewrite.

Steps

1. Make sure the mod_rewrite module is enabled in Apache. If it is not, edit your httpd.conf file and remove the # in front of the mod_rewrite line, or run the Linux command sudo a2enmod rewrite.
2. Enable AllowOverride in the site configuration file so that the .htaccess file takes effect.
After enabling the module and restarting Apache, copy the following into the .htaccess file in your site's root directory (create it if it does not exist).

RewriteEngine On
RewriteCond %{HTTPS} off
# R=301 makes the redirect permanent (without a flag Apache answers 302); L stops further rule processing
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]


Congratulations! V2SSL (Xian Qiaoke Information Technology Co., Ltd.) has established a partnership with DigiCert!

DigiCert is the world's most professional certificate authority, headquartered in Utah, USA, with a 10-year history. Unlike other authoritative CAs, DigiCert devotes itself solely to developing and improving digital certificate products, with a simple, efficient and practical product line, which lets the company focus on giving customers the best digital certificate products and unmatched pre- and after-sales service.

DigiCert has provided digital certificate services to more than 700,000 customers in over 140 countries, covering business, e-commerce, education, finance and government. Customers including PayPal, Amazon, Overstock.com, the FBI, NASA, the US Department of Energy and the US Department of Justice all trust DigiCert's secure digital certificates.

As an Official Partner of DigiCert, V2SSL will provide the following DigiCert products to domestic enterprises and government organisations:

  • Email encryption certificates
  • Document signing certificates
  • Code signing certificates
  • EV code signing certificates
  • EV server (domain) certificates
  • OV server (domain) certificates
  • Standard server (domain) certificates

V2SSL also offers full assistance with OV and EV certificate applications, as well as validation assistance. Enterprises and government organisations are welcome to contact us to explore cooperation.

Xian Qiaoke Information Technology Co., Ltd.
https://www.v2ssl.com/
029-88188289
Email: support@email.v2ssl.com