Nginx Modern Profile + OpenSSL

nginx 1.10.1 | modern profile | OpenSSL 1.0.1e
Oldest compatible clients : Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /path/to/dhparam.pem;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    resolver <IP DNS resolver>;

    ....
}

Nginx Intermediate Profile + OpenSSL

nginx 1.10.1 | intermediate profile | OpenSSL 1.0.1e
Oldest compatible clients : Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /path/to/dhparam.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    resolver <IP DNS resolver>;

    ....
}

快速自颁CA根证书及SSL证书.bat

保存以下内容为.bat批处理文件,快速生成自己的根证书CA crt及私匙key:

@ECHO OFF
openssl genrsa -des3 -out CA.key 2048
ECHO.
ECHO ####### 私钥已生成,继续,可生成CA根证书! #######
ECHO.
openssl req -new -x509 -days 7300 -key CA.key -out CA.crt -config openssl.cnf
ECHO.
ECHO ####### CA根证书已生成! #######
ECHO.
pause

保存以下内容为.bat批处理文件,快速生成自己的证书请求文件csr、私匙key及SSL证书crt:

@ECHO OFF
openssl req -new -out server.csr -config openssl.cnf
ECHO.
ECHO ####### 证书请求文件已生成! #######
ECHO.
openssl rsa -in privkey.pem -out server.key
ECHO.
ECHO ####### 私钥已生成,继续,可生成SSL证书并签名! #######
ECHO.
openssl ca -policy policy_anything -in server.csr -out server.crt -config openssl.cnf
ECHO.
ECHO ####### SSL证书server.crt生成! #######
ECHO.
pause

注:把这两个bat文件放在openssl.exe相同的目录里。

OpenSSL建立自己的CA

一、准备工作如下:
1、在当前所在的目录下建立一个目录 mkdir demoCA
2、进入这个目录:cd demoCA/
3、建立空文件 index.txt 用来保存以后的证书信息,这是OpenSSL的证书数据库:touch index.txt
4、建立一个文件 serial 在文件中输入一个数字,做为以后颁发证书的序列号,以后颁发的证书序列号就从你输入的数字开始:

echo 100001 > serial

二、建立我们的CA根证书。
1、首先建立一个CA的根私钥文件,使用RSA格式,2048位:

openssl genrsa -des3 -out ca.key 2048

2、为CA自己建立一个自签名的证书文件:

openssl req -new -x509 -days 365 -key ca.key -out ca.crt -config ..confopenssl.cnf

三、颁发客户的证书:
1、首先生成客户证书的私钥文件,与生成CA根证书文件的方法一样,这里我生成不需要密码保护的私钥:

openssl genrsa -des3 -out client.key 2048

2、生成证书请求文件csr:

openssl req -new -key client.key -out client.csr -config ..confopenssl.cnf

PEM生成:

openssl req -new -out client.csr -config ..confopenssl.cnf
openssl rsa -in privkey.pem -out client.key

3、有了证书请求文件之后,就可以使用CA的根证书、根私钥来对请求文件进行签名,生成客户端证书 client.pem 了:

openssl x509 -req -in client.csr -out client.crt -signkey privkey.pem -CA ca.crt -CAkey ca.key -days 365 -CAserial serial

到这里为止,根CA为客户端签发证书的过程就结束了。

四、撤销已签发的证书:
1、吊销已签发的证书可以使用ca中的 -revoke 命令:

openssl ca -revoke client.pem -keyfile ca.key -cert ca.crt

这里可能会有一个问题,因为默认的情况下index.txt文件应该放在demoCA文件夹下面,因此需要在这里建立一个demoCA文件夹并建立一个index.txt文件,就可以了

2、证书被吊销之后,还需要发布新的CRL文件:

openssl ca -gencrl -out ca.crl -keyfile ca.key -cert ca.crt

Windows下配置Apache + OpenSSL测试

1. 下载包含OpenSSL的Apache Http Server,如httpd-2.2.17-win32-x86-openssl-0.9.8o.msi
2. 安装Apache,例如:d:Apache. 安装时制定一个域名,因为是本机测试,在hosts文件中加入了127.0.0.1 www.xiaokyun.com;
3. 在d:Apacheconfhttpd.conf,去掉下面两行的注释:

LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf

4. 命令行切换到目录d:Apachebin。运行下面三行命令(执行第一个命令时,Common Name项的值输入www.xiaokyun.com):

openssl req -new -out www.xiaokyun.com.csr -config ..confopenssl.cnf
openssl rsa -in privkey.pem -out www.xiaokyun.com.key
openssl x509 -in www.xiaokyun.com.csr -out www.xiaokyun.com.crt -req -signkey www.xiaokyun.com.key -days 3650

5. 完成之后,将目录中的www.xiaokyun.com.key和www.xiaokyun.com.crt拷贝到d:Apacheconf目录中。
6. d:Apacheconfhttpd.conf中取消Include conf/extra/httpd-ssl.conf前的注释。
7. d:Apacheconfhttpd.confextrahttpd-ssl.conf中设置:

SSLCertificateFile “d:/apache/conf/www.xiaokyun.com.crt”
SSLCertificateKeyFile “d:/apache/conf/www.xiaokyun.com.key”

6. 重启Apache Http Server服务。
7. 测试访问http://www.xiaokyun.com/.自己颁发浏览器不信任的SSL证书成功!
免费SSL证书可参考StartSSL.