Deploying a Comodo Positive SSL Certificate on Nginx

Generate a 2048-bit key

root@sg:/etc/nginx# openssl genrsa -out ssl2.me.key 2048
Generating RSA private key, 2048 bit long modulus
......+++
..................................................................................................................................+++
e is 65537 (0x10001)

Generate the CSR file

root@sg:/etc/nginx# openssl req -new -key ssl2.me.key -out ssl2.me.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
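Country Name (2 letter code) [AU]:CN  (enter the two-letter uppercase country code here; CN is China)
State or Province Name (full name) [Some-State]:BJ (the province; an abbreviation is fine, usually written in pinyin)
Locality Name (eg, city) []:BJ  (the city; an abbreviation is fine, usually written in pinyin)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ssl2 (organization or company name)
Organizational Unit Name (eg, section) []: (leave blank and press Enter)
Common Name (eg, YOUR name) []:ssl2.me  (enter the domain that will use SSL, usually without www)
Email Address []:admin@ssl2.me (enter an email address; the certificate is sometimes sent to this address)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:  (leave blank and press Enter)
An optional company name []:  (leave blank and press Enter)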


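The Comodo Positive SSL delivery contains two files, jalena_bcsytv_com.ca-bundle and jalena_bcsytv_com.crt. We need to append jalena_bcsytv_com.ca-bundle to our certificate file (otherwise some browsers, lacking the root certificate, will treat your encryption as invalid).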

cat jalena_bcsytv_com.ca-bundle >> jalena_bcsytv_com.crt

Nginx configuration

[root@Server vhost]# cat blog.conf
server {
	listen 			80;
	server_name 		jalena.bcsytv.com;
	# Redirect every plain-HTTP request to HTTPS
	rewrite 		^(.*) https://$server_name$request_uri? permanent;
}

server {
	listen 			443 ssl spdy;
	server_name 		jalena.bcsytv.com;
	root 			/home/wwwroot/blog;
	ssl 			on;
	# Certificate file with the ca-bundle appended, and its private key
	ssl_certificate 	/usr/local/nginx/conf/vhost/jalena_bcsytv_com.crt;
	ssl_certificate_key 	/usr/local/nginx/conf/vhost/jalena_bcsytv_com.key;
	ssl_session_timeout 	10m;

	# Note: SSLv2 and SSLv3 are obsolete protocols, and this cipher string
	# still admits the LOW and EXP (export-grade) suites
	ssl_protocols 			SSLv2 SSLv3 TLSv1;
	ssl_ciphers 			ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
	ssl_prefer_server_ciphers 	on;
}
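
The TLS settings above next to a hardened equivalent, as an added example that is not part of the original post. It assumes nginx 1.13.0 or later built against OpenSSL 1.1.1 or later (needed for TLSv1.3); the server name and file paths are the ones from the page, and the cipher list is one reasonable choice, not the only one.

```nginx
# Added example (not the author's config): hardened variant of blog.conf.
# Assumption: nginx >= 1.13.0 with OpenSSL >= 1.1.1.

server {
    listen      80;
    server_name jalena.bcsytv.com;
    # Same redirect as the rewrite rule, without a regex match.
    return 301 https://$server_name$request_uri;
}

server {
    # "ssl" on the listen line replaces the separate "ssl on;" directive.
    # The spdy parameter was removed from nginx in 1.9.5, so it is omitted.
    listen      443 ssl;
    server_name jalena.bcsytv.com;
    root        /home/wwwroot/blog;

    # Order inside the .crt matters: the site certificate first, then the
    # ca-bundle appended after it (which is what "cat ... >>" produces).
    ssl_certificate     /usr/local/nginx/conf/vhost/jalena_bcsytv_com.crt;
    ssl_certificate_key /usr/local/nginx/conf/vhost/jalena_bcsytv_com.key;

    # Weak (page):  ssl_protocols SSLv2 SSLv3 TLSv1;
    # SSLv2 and SSLv3 are broken at the protocol level; offer TLS 1.2+ only.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Weak (page):  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    # "ALL" pulls in RC4, LOW and 40-bit export suites; "+X" only reorders.
    # Below: forward-secret AEAD suites for TLS 1.2. TLS 1.3 suites are
    # selected by OpenSSL and are not affected by this directive.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    ssl_session_timeout 10m;
    # Shared cache so all worker processes can resume sessions.
    ssl_session_cache   shared:SSL:10m;
}
```

Run `nginx -t` after editing to confirm the file parses before reloading.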
  1. Jeremy 2014.07.27 9:07am

    SSL, nice. Such a good tutorial. Is the certificate free?

    • Jalena 2014.07.28 10:00am

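      I used a free one before, but it still wasn't well supported by many mobile browsers. This one is cheap on Taobao, under 10 yuan, and it is supported by more browsers. The main thing is that it is issued super fast~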
