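All About SSL: Part 3
Configuring certificates for IIS and Nginx
IIS:
1. Open Server Certificates
2. Import the certificate: a .pfx file, which requires its password
3. On the target site, choose Edit Bindings
4. Bind multiple certificates using SNI
Nginx
1. Prepare the .crt and .key files and place them in a folder on the server
2. Nginx configuration file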
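server {
    # "ssl on;" is obsolete since nginx 1.15.0 and was later removed;
    # enable TLS with the ssl parameter of listen instead
    listen 443 ssl;
    server_name sample.com;
    # server certificate first, followed by any intermediate certificates
    ssl_certificate /etc/nginx/ssl/sample.com.crt;
    # private key; keep this file readable only by root
    ssl_certificate_key /etc/nginx/ssl/sample.com.key;
}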
Certificate conversion:
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]
- You need to type the import password of the .pfx file.
- You need to type a new password that will protect your .key file.
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]
openssl rsa -in [keyfile-encrypted.key] -out [keyfile-decrypted.key]
crt, key -> pfx
openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt
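To include the intermediate and root CA certificates, pass them in a single file with -certfile (chain.crt is an example name for intermediate.crt and rootca.crt concatenated; with a repeated -in only the last file given is used):
openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt -certfile chain.crt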
pfx -> crt, key
Convert the .pfx file using OpenSSL
After you have exported the certificate from the Windows server you will need to extract all the individual certificates and private key from the .pfx file using OpenSSL (instead of using OpenSSL, you can use the SSL Converter to convert the .pfx file to a .pem file and then follow step 3).
Copy the .pfx file to the server or another computer that has OpenSSL installed.
Run this OpenSSL command to create a text file with the contents of the .pfx file:
openssl pkcs12 -in mydomain.pfx -out mydomain.txt -nodes
Open the mydomain.txt file that the command created in a text editor. Copy each certificate/private key to its own text file including the "-----BEGIN RSA PRIVATE KEY-----" and "-----BEGIN CERTIFICATE-----" headers. Save them with names such as mydomain.key, mydomain.crt, intermediateCA.crt, etc.
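The manual copy step above can be scripted. The following is an added example, not part of the original post: a POSIX shell function that splits the mydomain.txt dump into one file per PEM block, drops the "Bag Attributes" text, and creates the files with owner-only permissions because -nodes leaves the private key unencrypted. The function names, output file names and the sample bundle are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: split the dump written by "openssl pkcs12 ... -nodes" into
# PREFIX.key and PREFIX-cert<N>.crt. Names here are assumptions for this example.
split_pem_bundle() {   # usage: split_pem_bundle BUNDLE OUTDIR [PREFIX]
    bundle=$1; outdir=$2; prefix=${3:-mydomain}
    mkdir -p "$outdir" || return 1
    (
        umask 077   # the key is unencrypted, so create every file as 0600
        awk -v dir="$outdir" -v prefix="$prefix" '
            { sub(/\r$/, "") }                        # tolerate CRLF line endings
            /^-----BEGIN [A-Z0-9 ]+-----$/ {
                if ($0 ~ /PRIVATE KEY/)      { nkey++;  out = dir "/" prefix ".key" }
                else if ($0 ~ /CERTIFICATE/) { ncert++; out = dir "/" prefix "-cert" ncert ".crt" }
                else                         { out = "" }   # ignore other block types
            }
            out != "" { print > out }                 # only lines inside a PEM block
            /^-----END [A-Z0-9 ]+-----$/ { if (out != "") close(out); out = "" }
            END { printf "%d %d\n", nkey, ncert }     # "<keys> <certs>" found
        ' "$bundle"
    )
}

# Constructed sample: the base64 bodies are filler, not a real key or certificate.
write_sample_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes
    localKeyID: 01 00 00 00
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtU0FNUExFLUtFWQ==
-----END PRIVATE KEY-----
Bag Attributes
subject=CN = mydomain.example
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRi1DRVJU
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0hBSU4tQ0VSVA==
-----END CERTIFICATE-----
EOF
}

# Demo on the constructed sample.
demo_dir=$(mktemp -d)
write_sample_bundle "$demo_dir/mydomain.txt"
split_pem_bundle "$demo_dir/mydomain.txt" "$demo_dir/out"
ls -l "$demo_dir/out"
```

Certificates are numbered in the order they appear in the dump; check which one is the server certificate with openssl x509 -in FILE -noout -subject before renaming. A key count other than 1 means the bundle needs a manual look.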