Yesterday I bought an AlphaSSL Wildcard SSL certificate from a Taobao seller. Everything went smoothly and it arrived shortly after.
First of all, to use a wildcard certificate the server must support SNI. With Nginx you can check this using nginx -V:
[root@WebServer nginx]# nginx -V
nginx version: nginx/1.9.5
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-ipv6 --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module
If it is supported, the rest is easy: just configure it. Here is my configuration:
# The following goes inside the server block
listen 443 ssl http2;
keepalive_timeout 20;
server_name test.bcsytv.com;
index index.html index.htm index.php default.html default.htm default.php;
root /home/wwwroot/test;
ssl on;
ssl_certificate /usr/local/nginx/conf/vhost/test.crt;
ssl_certificate_key /usr/local/nginx/conf/vhost/test.key;
ssl_dhparam /usr/local/nginx/conf/vhost/dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
# The following parameter is a huge pitfall!! Do not try it!
#ssl_session_tickets off;
# Force HTTPS; includeSubdomains controls whether subdomains are covered as well
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
# Do not allow this site to be embedded by any page
add_header X-Frame-Options DENY;
# Disable the browser's MIME type sniffing
add_header X-Content-Type-Options nosniff;
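As an added example (not part of the original post), here is a small audit script that reads a server block like the one above as plain text and flags the TLS settings a reviewer would question: the deprecated ssl on directive, the legacy TLSv1/TLSv1.1 protocols, and the 3DES suites that survive the cipher list because !DES excludes only single DES. The sample configuration embedded in it is constructed from the post's directives with the cipher list abridged.

```python
"""Audit the TLS directives of an nginx server block (added example, not
from the original post): flags settings a reviewer would question."""

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = ("DES-CBC3", "RC4", "MD5", "NULL", "EXPORT")

# Constructed sample: the post's server block, cipher list abridged.
SAMPLE_CONFIG = """
listen 443 ssl http2;
server_name test.bcsytv.com;
ssl on;
ssl_certificate /usr/local/nginx/conf/vhost/test.crt;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:HIGH:!aNULL:!DES:!RC4";
ssl_prefer_server_ciphers on;
#ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
"""

def parse_directives(config: str) -> dict:
    """Map each directive name to the list of its values; comments dropped."""
    directives = {}
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        if not line:
            continue
        name, _, value = line.partition(" ")
        directives.setdefault(name, []).append(value.strip().strip('"'))
    return directives

def audit_tls(config: str) -> list:
    """Return findings as strings; an empty list means nothing was flagged."""
    d = parse_directives(config)
    findings = []
    if "ssl" in d:  # 'ssl on' is deprecated in favour of 'listen ... ssl'
        findings.append("deprecated 'ssl on'; rely on 'listen 443 ssl'")
    for value in d.get("ssl_protocols", []):
        legacy = sorted(set(value.split()) & LEGACY_PROTOCOLS)
        if legacy:
            findings.append("legacy protocols: " + ", ".join(legacy))
    for value in d.get("ssl_ciphers", []):
        # Exclusions such as '!DES' (single DES) do not remove 3DES suites.
        enabled = [c for c in value.split(":") if not c.startswith("!")]
        weak = [c for c in enabled if any(t in c for t in WEAK_CIPHER_TOKENS)]
        if weak:
            findings.append("weak cipher suites: " + ", ".join(weak))
    return findings

if __name__ == "__main__":
    print("\n".join(audit_tls(SAMPLE_CONFIG)) or "no findings")
```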
A side note:
The certificate as handed over does not include the intermediate certificate, so we need to merge them. Assuming the certificate you received is demo.crt:
wget https://jalena.bcsytv.com/uploads/2015/11/alpha.crt && cat alpha.crt >> demo.crt
Command to generate dhparam.pem:
openssl dhparam -out dhparam.pem 4096