Free AlphaSSL Wildcard Certificate

AlphaSSL normally costs $149 a year, but it can be requested for free through a tool (PS: this no longer works!)

Generate the private key and CSR (Certificate Signing Request)

Generate with OpenSSL

  • Run the following in Git Bash or on Linux to obtain server.key and server.csr
    shell> openssl genrsa -out server.key 2048
    Generating RSA private key, 2048 bit long modulus
    ...................+++
    ................................+++
    e is 65537 (0x10001)
    Enter pass phrase for server.key:
    Verifying - Enter pass phrase for server.key:

    shell> openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=ZheJiang/L=HangZhou/O=YUMC Inc./OU=Web Security/CN=JiangTianbei/emailAddress=admin@yumc.pw"
    Enter pass phrase for server.key:

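Change the contents of -subj to match your own details

  • C (Country Name): country code, CN by default
  • ST (State or Province Name): province or region
  • L (Locality Name): locality name
  • O (Organization Name): organization or company name
  • OU (Organizational Unit Name): team or department name
  • CN (Common Name): your personal name or the server domain name
  • The following is excerpted from the Baidu Baike entry on SSL
    DN field name|Abbreviation|Description|Requirement
    -|-|-|-
    Country Name|C|Country of the certificate holder|Country code required, written as 2 letters
    State or Province Name|ST|State or province of the certificate holder|Write the full name; may be omitted
    Locality Name|L|City of the certificate holder|May be omitted
    Organization Name|O|Organization or company of the certificate holder|Best filled in
    Organizational Unit Name|OU|Department of the certificate holder|May be omitted
    Common Name|CN|Common name of the certificate holder|Required. For non-application certificates it should be unique to some degree; for application certificates it is usually the server domain name or a wildcard-style domain name.
    Email Address| |Contact email of the certificate holder|May be omitted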

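Or generate them directly with a tool

Submit the CSR

  • Open ASSL
  • Paste the contents of the server.csr file
  • Enter your email address
  • Fill in the optional information (recommended)
  • Click the verify button

Verify the email address

  • Open the link in the email, then click Accept
  • After roughly ten-odd minutes you will receive an email

Generate the certificate

  • Search for YOUR SSL CERTIFICATE and look below it
  • Copy everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, including those two lines
  • Create a new text file, paste the certificate content, and rename it to server.crt

Complete the certificate chain

Append the AlphaSSL intermediate certificate below the certificate content; otherwise some browsers will report the certificate as insecure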


Configure Nginx

# HTTPS server
server {
    listen 443 ssl;
    server_name localhost;

    # server.crt holds the site certificate first, then the intermediate certificate
    ssl_certificate /opt/ssl/server.crt;      # fullchain.pem
    ssl_certificate_key /opt/ssl/server.key;  # privkey.pem
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # The RC4 suites in this list are prohibited by RFC 7465
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS:!PSK;
    ssl_session_cache builtin:1000 shared:SSL:10m;

    location / {
        root html;
        index index.html index.htm;
    }
}
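
Before reloading Nginx, it is worth confirming that server.crt really is the site certificate followed by its issuer and that it belongs to server.key. The script below is an added example, not part of the original post; the throwaway "Demo Issuing CA" and the *.example.test name are constructed stand-ins for the AlphaSSL intermediate and your own domain, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). check_bundle KEY BUNDLE verifies that
#   1. BUNDLE holds at least two certificates (site certificate + intermediate),
#   2. the first certificate belongs to KEY,
#   3. the second certificate's subject is the first certificate's issuer.
check_bundle() {
    cb_key=$1; cb_bundle=$2
    cb_n=$(grep -c 'BEGIN CERTIFICATE' "$cb_bundle" || true)
    [ "$cb_n" -ge 2 ] || { echo "only $cb_n certificate(s): intermediate missing"; return 1; }

    # openssl x509 reads only the first PEM block, i.e. the site certificate.
    cb_leaf_pub=$(openssl x509 -in "$cb_bundle" -noout -pubkey)
    cb_key_pub=$(openssl pkey -in "$cb_key" -pubout)
    [ "$cb_leaf_pub" = "$cb_key_pub" ] || { echo "first certificate does not match the key"; return 1; }

    # Compare name hashes: issuer of block 1 against subject of block 2.
    cb_issuer=$(openssl x509 -in "$cb_bundle" -noout -issuer_hash)
    cb_subject=$(awk '/BEGIN CERTIFICATE/{c++} c==2' "$cb_bundle" | openssl x509 -noout -subject_hash)
    [ "$cb_issuer" = "$cb_subject" ] || { echo "second certificate is not the issuer"; return 1; }
    echo ok
}

# make_demo DIR: builds a throwaway issuer and a wildcard certificate (constructed test data).
make_demo() {
    (
        cd "$1" || exit 1
        openssl genrsa -out ca.key 2048
        openssl req -x509 -new -key ca.key -out ca.crt -days 1 -subj "/CN=Demo Issuing CA"
        openssl genrsa -out server.key 2048
        openssl req -new -key server.key -out server.csr -subj "/CN=*.example.test"
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out leaf.crt -days 1
        cat leaf.crt ca.crt > server.crt     # site certificate first, issuer appended below
    ) >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
check_bundle "$demo_dir/server.key" "$demo_dir/server.crt"        # complete chain
check_bundle "$demo_dir/server.key" "$demo_dir/leaf.crt" || true  # chain not completed
```

The check compares names and public keys only; it does not validate signatures or expiry dates. If server.key is protected by a pass phrase, openssl pkey will prompt for it.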