Linux命令(7)openssl

Posted on Edited on In Word count in article: 373 Reading time ≈ 1 mins.

常用方法

查看证书过期时间

直接登录服务器看。

1
2
$ openssl x509 -enddate -noout -in file.crt
notAfter=Aug 10 23:59:59 2024 GMT

或者使用:

1
$ openssl x509 -in server.crt -noout -dates

或者查看远程服务器的过期时间。

1
2
3
$ openssl s_client -servername www.baidu.com -connect www.baidu.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Jul  6 01:51:06 2023 GMT
notAfter=Aug  6 01:51:05 2024 GMT

查看证书信息

1
$ openssl x509 -in file.crt -text -noout

自签名证书

生成私钥。

1
$ openssl genrsa -out server.key 2048

生成证书请求csr文件。

1
$ openssl req -new -key server.key -out server.csr

生成CA证书。

1
$ openssl genrsa -out ca.key 2048

生成CA证书请求csr文件。

1
$ openssl req -new -key ca.key -out ca.csr

生成自签名根证书,过期时间根据需要设置,这里设置成1年。

1
$ openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt -days 365

创建主题备用名(SubjectAltName)配置文件ext.ini(如果不配置这个,chrome就无法识别)。

1
2
3
4
5
6
7
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.domain1.com
DNS.2 = *.domain2.com

生成服务器证书。

1
$ openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt -days 365 -extfile ext.ini

Nginx配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
server {
        listen 443 ssl;
        server_name domain.com;
        ssl_certificate /path/to/server.crt;
        ssl_certificate_key /path/to/server.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;

        gzip on;
        gzip_min_length 1k;
        gzip_buffers 4 16k;
        gzip_comp_level 2;
        gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
        gzip_vary on;
        gzip_disable "MSIE [1-6]\.";
        error_page 404 /404.html;
        access_log /var/log/access.log;
        error_log /var/log/error.log;
        location / {
                proxy_pass http://ip:port/;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
        }
}
server {
        listen 80;
        server_name domain.com;
        rewrite ^(.*)$ https://$host$1;
}