Terminology:
DV: Domain Validation
OV: Organization Validation
EV: Extended Validation
1. Confirm the domain information
Before buying an SSL certificate you must already own a registered domain. Use whois to look up the domain's registration record, and make sure the "Administrative Contact Email" shown in the whois output is correct, because the CA sends the validation email to that address.
First, generate two files on CentOS, server.key and server.csr:
# openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Country Name (2 letter code) [AU]: TW
State or Province Name (full name) [Some-State]: Taiwan
Locality Name (eg, city) []: Taichung
Organization Name (eg, company) [Internet Widgits Pty Ltd]: NA
Organizational Unit Name (eg, section) []: NA
Common Name (eg, YOUR name) []: <your-domain> (this must be the exact domain name the certificate is for)
Email Address []: (the email address registered for the domain)
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []: (may be left blank)
An optional company name []: (may be left blank)
2. Apply for a Comodo PositiveSSL certificate at Namecheap
During the application Namecheap asks for the CSR (Certificate Signing Request); paste the entire contents of the server.csr generated above.
Once that is done, Namecheap sends a validation code to the email address listed in whois. Only after validation passes does the order change from "Pending Request" to "Certificates".
3. Processing the certificate files once they arrive:
You will receive the following certificate files from Comodo:
yourdomain_com.crt
yourdomain_com.ca-bundle
Next, combine them on the system:
# cat yourdomain_com.crt yourdomain_com.ca-bundle > mysite_com.crt
The files Comodo sends do not include the root certificate, so that part has to be added by hand:
# vi mysite_com.crt
Append Comodo's root certificate at the end of the file:
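Before handing the combined file to nginx it is worth checking that the pieces were concatenated in the right order, since nginx expects the server certificate first, followed by each intermediate. The check_chain function below is an added example, not part of the original post; it assumes the openssl CLI is installed, splits the PEM file into its certificates, verifies that every certificate's Issuer equals the Subject of the one that follows, and finally runs openssl verify using the last certificate in the file (the root appended by hand) as the trust anchor.

```shell
# Added example: sanity-check a combined PEM chain such as mysite_com.crt.
# Exit status 0 means the order is correct and the chain verifies up to the
# last certificate in the file; 1 means something is wrong (details on stderr).
# Assumes the openssl CLI is available.
check_chain() {
    chain="$1"
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate: cert.1, cert.2, ...
    count=$(awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n }
        out != ""                      { print > out }
        /-----END CERTIFICATE-----/    { close(out); out = "" }
        END                            { print n + 0 }' "$chain")
    if [ "$count" -lt 2 ]; then
        echo "need the server certificate plus at least one CA certificate" >&2
        rm -rf "$tmp"; return 1
    fi
    # Check the issuer/subject linkage of every adjacent pair.
    i=1
    while [ "$i" -lt "$count" ]; do
        j=$((i + 1))
        issuer=$(openssl x509 -in "$tmp/cert.$i" -noout -issuer | sed 's/^issuer=//')
        subject=$(openssl x509 -in "$tmp/cert.$j" -noout -subject | sed 's/^subject=//')
        if [ "$issuer" != "$subject" ]; then
            echo "certificate $i was not issued by certificate $j (wrong order?)" >&2
            echo "  issuer of $i : $issuer" >&2
            echo "  subject of $j: $subject" >&2
            rm -rf "$tmp"; return 1
        fi
        i=$j
    done
    # Everything between the server certificate and the root is an untrusted
    # intermediate; only the root (last certificate) is treated as trusted.
    : > "$tmp/intermediates.pem"
    i=2
    while [ "$i" -lt "$count" ]; do
        cat "$tmp/cert.$i" >> "$tmp/intermediates.pem"
        i=$((i + 1))
    done
    if [ "$count" -gt 2 ]; then
        openssl verify -CAfile "$tmp/cert.$count" -untrusted "$tmp/intermediates.pem" "$tmp/cert.1" >/dev/null
    else
        openssl verify -CAfile "$tmp/cert.$count" "$tmp/cert.1" >/dev/null
    fi
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run it as `check_chain mysite_com.crt` after the root has been appended; a non-zero exit with an "issuer of 1 / subject of 2" mismatch almost always means the crt and ca-bundle were concatenated in the wrong order.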
4. Configure SSL in Nginx
Example of an SSL-configured virtual host for nginx:
server {
    listen 443;
    server_name mysite.com;
    # note: nginx 1.15 and later no longer accept "ssl on;"; use "listen 443 ssl;" instead.
    ssl on;
    ssl_certificate /etc/nginx/certs/mysite_com.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    # enables all versions of TLS, but not SSLv2 or 3 which are weak and now deprecated.
    # note: TLSv1 and TLSv1.1 have since been deprecated as well (RFC 8996); new deployments should offer only TLSv1.2 and TLSv1.3.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Disables all weak ciphers
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
}
Finally, restart Nginx and the site is served over SSL.
You can also check from the command line that everything is working:
# openssl s_client -showcerts -connect www.adj.com.tw:443
If the output ends with an "ok" message, the certificate chain verified correctly:
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 067D516F10A75EA8325AD71E866A85CF1E172B69CF7E194240DD66EB0D89A92C
Session-ID-ctx:
Master-Key: 70ECDC0D12E8A28C00D2943D5357C6A7E2C499C6BD45DE6BA24F24123DCF63F63477A9CCD9FE5B3D6757DF2BFB5C6AA8
Key-Arg : None
Start Time: 1447806637
Timeout : 300 (sec)
Verify return code: 0 (ok)
You can also check the site's SSL score here:
https://www.ssllabs.com/ssltest/index.html
References used for this setup:
https://support.comodo.com/index.php?/Knowledgebase/Article/View/789/37/certificate-installation-nginx
https://www.namecheap.com/support/knowledgebase/article.aspx/9419/0/nginx