Recently I jumped on the SSL bandwagon and set up an SSL certificate for my own website.
Go to https://startssl.com/Certificates, register an account, and verify your email address and domain.
Then apply for the Class 1 (Not Validated) DV SSL Certificate for Free User (Not Validated). This is the entry-level certificate, since it requires no identity verification such as an ID card or a photo.
1. Please enter the full hostname for SSL certificate (e.g: mail.domain.com):
Enter your own domain; several subdomains may be listed, one per line.
2. Please submit your Certificate Signing Request (CSR):
Choose the first option, Generated by Myself.
In a shell, run "openssl req -newkey rsa:2048 -keyout xxx.key -out xxx.csr" (the openssl toolkit must be installed).
cat xxx.csr
Paste its contents into the text area below and click submit.
For example:
[root@xzx ssl]# openssl req -newkey rsa:2048 -keyout blog.key -out blog.csr
Generating a 2048 bit RSA private key
..............................................................................................................................................+++
..................+++
writing new private key to 'blog.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:Sharl Jimh Tsin
Organizational Unit Name (eg, section) []:Sharl
Common Name (eg, your name or your server's hostname) []:xiazhengxin.name
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xiazhengxin
An optional company name []:
[root@xzx ssl]# cat blog.csr
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
After the page redirects you can download the corresponding xxxxx.xxx.pem file. It can also be downloaded from the Certificate List page under Tool Box on the home page.
170112183726840 xiazhengxin.name Class 1 SSL 2017-01-12 2020-01-12 Issued "Download" button
That completes the work on the startssl site. Upload the pem file to your server and combine it with your private key.
[root@xzx ssl]# cat blog.key xiazhengxin.name.pem > ssl.pem
[root@xzx ssl]# cp ssl.pem /home/http/blog_xiazhengxin_name/
[root@xzx ssl]# cd /home/http/blog_xiazhengxin_name/
[root@xzx blog_xiazhengxin_name]# ll
total 92
drwxrwx--- 5 http web 4096 Apr 11 2011 admin
-rwxrwx--- 1 http web 1547 Apr 23 2013 config.inc.php
-rwxrwx--- 1 http web 53 Dec 1 2010 google7a48cd06bd7c1d66.html
-rwxrwx--- 1 http web 685 Jul 2 2009 index.php
-rwxrwx--- 1 http web 37235 Jun 21 2010 install.php
-rwxrwx--- 1 http web 15255 May 14 2008 license.txt
lrwxrwxrwx 1 http web 30 Nov 8 2014 pub -> ../static_xiazhengxin_name/pub
-rw-r--r-- 1 root root 4285 Jan 12 18:43 ssl.pem
drwxrwx--- 5 http web 4096 Apr 11 2011 usr
drwxrwx--- 5 http web 4096 Aug 15 2010 var
[root@xzx blog_xiazhengxin_name]# chmod 777 ssl.pem
[root@xzx blog_xiazhengxin_name]# chmod a-x ssl.pem
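Here is an added example (not from the original post) that does the "cat blog.key xiazhengxin.name.pem > ssl.pem" step for lighttpd's ssl.pemfile in a safer way: it first checks that the private key really belongs to the certificate, then creates the bundle with mode 0600 from the start instead of the chmod 777 used above, which leaves the private key readable by every local user. It assumes openssl is on the PATH; all file paths are placeholders, and for a passphrase-protected key like the one generated above openssl will prompt for the passphrase during the check.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the key+cert bundle that
# lighttpd's ssl.pemfile expects without ever exposing the private key.
# Assumes: openssl on PATH; paths supplied by the caller are placeholders.
set -eu

# Return 0 if the private key and the certificate carry the same public key
# (compares the SubjectPublicKeyInfo PEM printed by both openssl commands).
key_matches_cert() {
    key="$1"; cert="$2"
    k=$(openssl pkey -in "$key" -pubout -outform PEM 2>/dev/null)
    c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Concatenate key and certificate into "$3". The file is created under
# umask 077, so there is no window in which other users can read the key.
# lighttpd reads ssl.pemfile at startup before dropping privileges, so a
# root-owned 0600 file is sufficient; no chmod 777 is needed.
make_lighttpd_pem() {
    key="$1"; cert="$2"; out="$3"
    key_matches_cert "$key" "$cert" || { echo "key/cert mismatch" >&2; return 1; }
    ( umask 077; cat "$key" "$cert" > "$out" )
    chmod 0600 "$out"
}

# Return 0 if the bundle contains a private key and only its owner can read it.
pem_is_private() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] && grep -q 'BEGIN .*PRIVATE KEY' "$1"
}
```

Run make_lighttpd_pem blog.key xiazhengxin.name.pem ssl.pem and then pem_is_private ssl.pem as a quick audit before pointing ssl.pemfile at the result.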
Next comes configuring lighttpd. Confirm that lighttpd was compiled with the openssl module enabled.
[root@xzx sbin]# ./lighttpd -V
lighttpd/1.4.35 (ssl) - a light and fast webserver
Build-Date: Nov 7 2014 02:06:04
Event Handlers:
+ select (generic)
+ poll (Unix)
- rt-signals (Linux 2.4+)
+ epoll (Linux 2.6)
- /dev/poll (Solaris)
- eventports (Solaris)
- kqueue (FreeBSD)
- libev (generic)
Network handler:
+ linux-sendfile
- freebsd-sendfile
- solaris-sendfilev
+ writev
+ write
- mmap support
Features:
+ IPv6 support
+ zlib support
+ bzip2 support
+ crypt support
+ SSL Support
+ PCRE support
+ mySQL support
- LDAP support
- memcached support
+ FAM support
- LUA support
+ xml support
+ SQLite support
+ GDBM support
Edit the lighttpd.conf file under etc and add the following configuration:
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/home/http/blog_xiazhengxin_name/ssl.pem"
server.name = "xiazhengxin.name"
server.document-root = "/home/http/blog_xiazhengxin_name"
}
Restart lighttpd, enter the key's passphrase when prompted, and it starts successfully.
[root@xzx blog_xiazhengxin_name]# service myservice start
*******starting Services*********
php-fpm Started
mysqld Started
NOW SLEEP 5 seconds for MySQL ready
170112 18:50:37 mysqld_safe Logging to '/var/log/mysqld.log'.
170112 18:50:37 mysqld_safe Starting mysqld daemon with databases from /var/mysql
vsftpd Started
Enter PEM pass phrase:
lighttpd Started
*******all services Started*********
Visiting https://xiazhengxin.name/ now shows the site correctly; the only issue is a browser warning, because this is a Class 1 level SSL certificate.
Note: the following links were consulted while writing and carrying out this article:
http://redmine.lighttpd.net/projects/li ... i/Docs_SSL
https://startssl.com/Support?v=33