{"id":601,"date":"2024-05-15T17:11:17","date_gmt":"2024-05-15T09:11:17","guid":{"rendered":"https:\/\/www.madbull.site\/?p=601"},"modified":"2025-08-14T15:32:43","modified_gmt":"2025-08-14T07:32:43","slug":"%e8%87%aa%e7%ad%be%e5%90%8d%e8%af%81%e4%b9%a6","status":"publish","type":"post","link":"https:\/\/www.madbull.site\/?p=601","title":{"rendered":"\u81ea\u7b7e\u540d\u8bc1\u4e66"},"content":{"rendered":"\n
\n

1 \u751f\u6210\u79c1\u94a5<\/strong><\/p>\n\n\n\n

openssl genrsa -out server.key 2048<\/code><\/p>\n\n\n\n

<\/div>\n<\/div>\n\n\n\n
\n

2 \u521b\u5efa\u8bc1\u4e66\u8bf7\u6c42\u6587\u4ef6<\/strong><\/p>\n\n\n\n

openssl req -new -key server.key -out server.csr<\/code><\/p>\n\n\n\n

<\/div>\n<\/div>\n\n\n\n
\n

3 \u7528\u79c1\u94a5\u548c\u8bc1\u4e66\u8bf7\u6c42\u6587\u4ef6\uff0c\u751f\u6210\u7b7e\u540d\u6587\u4ef6<\/strong><\/p>\n\n\n\n

openssl x509 -req -days 36500 -in server.csr -signkey server.key -out server.crt<\/code><\/p>\n\n\n\n

<\/div>\n<\/div>\n\n\n\n
\n

\u53e6\u5916\u4e00\u79cd\u65b9\u6cd5\uff1a\u5feb\u901f\u751f\u6210\u79c1\u94a5 \u548c \u81ea\u7b7e\u540d\u8bc1\u4e66\uff0c\u7701\u53bb\u8bf7\u6c42\u6587\u4ef6<\/strong><\/p>\n\n\n\n

openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 36500 -out domain.crt -subj \"\/CN=xx.xx.xx.xx\"<\/code><\/p>\n\n\n\n

<\/div>\n<\/div>\n\n\n\n
\n\n\n\n

\u6269\u5c55 … <\/mark><\/strong><\/p>\n\n\n\n

<\/div>\n\n\n\n
\n

\u4ece\u79c1\u94a5\u91cc\u63d0\u53d6\u516c\u94a5<\/strong><\/p>\n\n\n\n

openssl rsa -in server.key -pubout -out server.pub<\/code><\/p>\n\n\n\n

<\/div>\n<\/div>\n\n\n\n
\n

\u68c0\u67e5\u79d8\u94a5\u662f\u5426\u6709\u6548\uff0c\u67e5\u770b\u79c1\u94a5\u4fe1\u606f<\/strong><\/p>\n\n\n\n

openssl pkey -in server.key -check<\/code><\/p>\n\n\n\n

<\/div>\n<\/div>\n\n\n\n
\n

\u67e5\u770b\u8bc1\u4e66\u8bf7\u6c42\u6587\u4ef6\u4fe1\u606f<\/strong><\/p>\n\n\n\n

openssl req -in server.csr -noout -text<\/code><\/p>\n\n\n\n

<\/div>\n<\/div>\n\n\n\n
\n

\u67e5\u770b\u8bc1\u4e66\u4fe1\u606f<\/strong><\/p>\n\n\n\n

openssl x509 -in server.crt -noout -text<\/code><\/p>\n\n\n\n

<\/div>\n<\/div>\n\n\n\n
\n

\u67e5\u770b\u8bc1\u4e66\u6709\u6548\u671f<\/strong><\/p>\n\n\n\n

openssl req -in server.csr -noout -dates<\/code><\/p>\n\n\n\n

<\/div>\n<\/div>\n\n\n\n
\n

\u8bc1\u4e66\u9a8c\u8bc1<\/strong><\/p>\n\n\n\n

openssl verify -CAfile root-ca.crt server.crt<\/code><\/p>\n\n\n\n

<\/div>\n<\/div>\n\n\n\n
\n

\u4ece\u7f51\u7ad9\u63d0\u53d6\u8bc1\u4e66\u6587\u4ef6\uff0c\u793a\u4f8b\uff1a<\/strong><\/p>\n\n\n\n

openssl s_client -connect www.madbull.site:443 -showcerts <\/dev\/null 2>\/dev\/null | openssl x509 -outform PEM > \/opt\/xxx.perm<\/code><\/p>\n\n\n\n

<\/div>\n<\/div>\n\n\n\n
\n

Let’s Encrypt \u5b89\u88c5\u8bc1\u4e66<\/strong><\/p>\n\n\n\n

\u9700\u8981\u5b89\u88c5 certbot \u5de5\u5177\u548c python3-certbot-nginx \u63d2\u4ef6<\/p>\n\n\n\n

yum install certbot python3-certbot-nginx<\/code><\/p>\n\n\n\n

\u9700\u8981\u63d0\u524d\u628a\u7f51\u7ad9\u5efa\u597d\uff0ccertbot\u4f1a\u5728\u7ebf\u751f\u6210\u79c1\u94a5\u3001\u8bc1\u4e66\u3001\u8bc1\u4e66\u94fe\u548c\u5b8c\u6574\u8bc1\u4e66\u94fe\uff0c\u7136\u540e\u4fee\u6539 nginx \u7684\u914d\u7f6e\u6587\u4ef6\u4e2d\u5bf9\u5e94\u57df\u540d\u7684\u8bc1\u4e66\u5730\u5740\uff0c\u6700\u540e\u505a\u7f51\u9875\u9a8c\u8bc1\u3002<\/p>\n\n\n\n

\u6307\u4ee4\uff1acertbot --nginx -d \"www.madbull.site\"<\/code><\/p>\n\n\n\n

<\/div>\n<\/div>\n\n\n\n
\n\n\n\n

\u81ea\u5df1\u521b\u5efa\u6839\u8bc1\u4e66\uff0c\u5bf9\u5176\u4ed6\u670d\u52a1\u6388\u6743\uff0c\u4ee5\u53ca\u5728linux\u73af\u5883\uff0c\u628a\u6839\u8bc1\u4e66\u52a0\u5165\u5230\u7cfb\u7edf\u4fe1\u4efb\u5217\u8868\u3002 <\/mark><\/strong><\/p>\n\n\n\n

<\/div>\n\n\n\n
\n

1.1 \u521b\u5efa\u6839\u7684\u79c1\u94a5<\/strong><\/p>\n\n\n\n

openssl genrsa -out root-ca.key 2048<\/code><\/p>\n\n\n\n

<\/div>\n<\/div>\n\n\n\n
\n

1.2 \u521b\u5efa\u6839\u8bc1\u4e66<\/strong><\/p>\n\n\n\n

openssl req -x509 -new -nodes -key root-ca.key -sha256 -days 1024 -out root-ca.crt<\/code><\/p>\n\n\n\n

<\/div>\n<\/div>\n\n\n\n
\n

2.1 \u521b\u5efa\u670d\u52a1\u7684\u79c1\u94a5<\/strong><\/p>\n\n\n\n

openssl genrsa -out server.key 2048<\/code><\/p>\n\n\n\n

<\/div>\n<\/div>\n\n\n\n
\n

2.2 \u7ed9\u670d\u52a1\u521b\u5efa\u8bc1\u4e66\u8bf7\u6c42\u6587\u4ef6<\/strong><\/p>\n\n\n\n

openssl req -new -key server.key -out server.csr<\/code><\/p>\n\n\n\n

<\/div>\n<\/div>\n\n\n\n
\n

2.3 \u7ed9\u670d\u52a1\u9881\u53d1\u8bc1\u4e66<\/strong><\/p>\n\n\n\n

openssl x509 -req -in server.csr -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -out server.crt -days 36500 -sha256<\/code><\/p>\n\n\n\n

<\/div>\n<\/div>\n\n\n\n
\n

3.1 \u628a\u6839\u8bc1\u4e66\u653e\u5230\u914d\u7f6e\u53ef\u4fe1\u4efb\u7684\u914d\u7f6e\u8bc1\u4e66\u6587\u4ef6\u4f4d\u7f6e<\/strong><\/p>\n\n\n\n

cp root-ca.crt \/etc\/pki\/ca-trust\/source\/anchors\/<\/code><\/p>\n\n\n\n

<\/div>\n<\/div>\n\n\n\n
\n

3.2 \u66f4\u65b0\u7cfb\u7edf\u53ef\u4fe1\u4efb\u7684\u6839\u8bc1\u4e66<\/strong><\/p>\n\n\n\n

update-ca-trust extract<\/code><\/p>\n\n\n\n

<\/div>\n<\/div>\n\n\n\n
\n

3.3 \u9a8c\u8bc1\u6839\u8bc1\u4e66\u662f\u5426\u5df2\u7ecf\u5728\u4fe1\u4efb\u5217\u8868\u91cc<\/strong><\/p>\n\n\n\n

\u67e5\u770b \/etc\/ssl\/certs\/ca-bundle.trust.crt \u6587\u4ef6\u4e2d\u662f\u5426\u6709 root-ca.crt \u8bc1\u4e66<\/code><\/p>\n\n\n\n

<\/div>\n<\/div>\n\n\n\n
<\/div>\n\n\n\n
\n\n\n\n
<\/div>\n\n\n\n

\u6dfb\u52a0\u591a\u4e2a\u4e3b\u9898\u66ff\u4ee3\u540d\u79f0\uff08SAN\uff09\u7684\u65b9\u6cd5\u53c2\u770b\uff1ahttps:\/\/www.madbull.site\/?p=1111<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

1 \u751f\u6210\u79c1\u94a5 2 \u521b\u5efa\u8bc1\u4e66\u8bf7\u6c42\u6587\u4ef6 3 \u7528\u79c1\u94a5\u548c\u8bc1\u4e66\u8bf7\u6c42\u6587\u4ef6\uff0c\u751f\u6210\u7b7e\u540d\u6587\u4ef6<\/p>\n","protected":false},"author":1,"featured_media":450,"comment_status":"open","ping_status":"open","sticky":false,"template":"single-with-sidebar","format":"standard","meta":{"footnotes":""},"categories":[135,131],"tags":[203,106,202,201],"class_list":["post-601","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-131","tag-crt","tag-key","tag-openssl","tag-201"],"_links":{"self":[{"href":"https:\/\/www.madbull.site\/index.php?rest_route=\/wp\/v2\/posts\/601","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.madbull.site\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.madbull.site\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.madbull.site\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.madbull.site\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=601"}],"version-history":[{"count":20,"href":"https:\/\/www.madbull.site\/index.php?rest_route=\/wp\/v2\/posts\/601\/revisions"}],"predecessor-version":[{"id":2298,"href":"https:\/\/www.madbull.site\/index.php?rest_route=\/wp\/v2\/posts\/601\/revisions\/2298"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.madbull.site\/index.php?rest_route=\/wp\/v2\/media\/450"}],"wp:attachment":[{"href":"https:\/\/www.madbull.site\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=601"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.madbull.site\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=601"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.madbull.site\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=601"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}