
Quickly generating an ordinary SSL certificate

openssl req -newkey rsa:2048 -nodes -keyout ssl.key -x509 -days 3650 -out ssl.crt -subj "/C=CN/ST=GD/L=GZ/O=SwallowNetworks/OU=IT/CN=*.example.com/emailAddress=abuse@example.com" -addext "extendedKeyUsage = serverAuth, clientAuth" -addext "subjectAltName = DNS.1:*.google.com, DNS.2:*.g.com, IP:1.1.1.1, email:75311729@qq.com, URI:https://feng.cmd.gd/" -extensions v3_req -sha384

req  # quoting the OpenSSL manual: PKCS#10 certificate request and certificate generating utility
-newkey rsa:2048  # generate a fresh 2048-bit RSA key
-nodes  # leave the key unencrypted (no passphrase); remove this to be prompted for one
-keyout ssl.key  # write the key to this file
-x509  # emit a self-signed certificate; remove this to emit a certificate signing request (CSR) instead
-days 3650  # validity period; only meaningful when creating a certificate, a CSR has none
-out ssl.crt  # write the certificate to this file
-subj "/C=CN/ST=GD/L=GZ/O=SwallowNetworks/OU=IT/CN=*.example.com/emailAddress=abuse@example.com"  # subject
-addext "extendedKeyUsage = serverAuth, clientAuth"  # add an extension allowing server and client authentication (-addext needs OpenSSL 1.1.1 or newer). Possible values:
Value                  Meaning
 -----                  -------
 serverAuth             SSL/TLS Web Server Authentication.
 clientAuth             SSL/TLS Web Client Authentication.
 codeSigning            Code signing.
 emailProtection        E-mail Protection (S/MIME).
 timeStamping           Trusted Timestamping
 OCSPSigning            OCSP Signing
 ipsecIKE               ipsec Internet Key Exchange
 msCodeInd              Microsoft Individual Code Signing (authenticode)
 msCodeCom              Microsoft Commercial Code Signing (authenticode)
 msCTLSign              Microsoft Trust List Signing
 msEFS                  Microsoft Encrypted File System

-addext "subjectAltName = DNS.1:*.google.com, DNS.2:*.g.com, IP:1.1.1.1, email:75311729@qq.com, URI:https://feng.cmd.gd/"  # SAN, commonly called "multi-domain"
Supported entry types: email (an e-mail address), URI (a uniform resource identifier), DNS (a DNS domain name), RID (a registered ID: OBJECT IDENTIFIER), IP (an IP address), dirName (a distinguished name) and otherName. Clients match the requested hostname against the SAN, and once any DNS entry is present the CN is ignored, so every hostname the certificate must cover (including the CN value, *.example.com above) has to be listed in the SAN.

-addext "keyUsage=digitalSignature, nonRepudiation"  # restrict what the key may be used for
Supported names: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly and decipherOnly. A TLS server certificate needs digitalSignature for (EC)DHE cipher suites and keyEncipherment as well if RSA key exchange is still offered.

-extensions v3_req  # which section of openssl.cnf supplies the certificate extensions. Without it, req -x509 takes the section named by x509_extensions in [req], which in the stock config is v3_ca (CA:TRUE); the stock v3_req section is an end-entity profile: basicConstraints = CA:FALSE, keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-sha384  # digest used for the signature (on the self-signed certificate here, or on the CSR when -x509 is omitted)
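As an added example (not part of the original post), the recipe above is wrapped in a function and run three times with the same CN but different SANs, and each result is checked with OpenSSL's own hostname matcher. It assumes the openssl CLI 1.1.1 or newer (for -addext); the hostnames and the SwallowNetworks subject are placeholders. What it shows is that a certificate shaped like the command above, whose SAN does not contain the CN, fails hostname verification for the CN, because once any DNS entry is present in the SAN the CN is never consulted.

```shell
#!/bin/sh
# Added example, not from the page: req -x509 -addext wrapped in a function, then openssl's
# hostname matching run against three variants of the same CN. Needs openssl 1.1.1+;
# every name below is a placeholder.
set -e
command -v openssl >/dev/null 2>&1 || { echo "needs the openssl CLI" >&2; exit 0; }

# Self-signed end-entity cert. $1 = output basename, $2 = CN, $3 = SAN list ("" = no SAN at all).
# A private two-line config replaces the system openssl.cnf so that no x509_extensions section
# (v3_ca in the stock config, i.e. CA:TRUE) is merged in behind our back; every extension is explicit.
selfsigned_cert() {
    base=$1; cn=$2; san=$3
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$base.cnf"
    set -- -addext "basicConstraints=critical,CA:FALSE" \
           -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
           -addext "extendedKeyUsage=serverAuth"
    [ -n "$san" ] && set -- "$@" -addext "subjectAltName=$san"
    openssl req -newkey rsa:2048 -nodes -keyout "$base.key" -x509 -days 365 -sha384 \
        -config "$base.cnf" -subj "/C=CN/O=SwallowNetworks/CN=$cn" "$@" \
        -out "$base.crt" 2>/dev/null      # stderr only carries key-generation progress dots
}

# Trust the cert as its own anchor and ask openssl whether it is valid for a hostname.
# Prints OK or FAIL. With any DNS entry in the SAN the CN is ignored; only a cert with no
# DNS SAN at all falls back to the CN (legacy behaviour that current browsers no longer have).
hostname_check() {   # $1 = cert file, $2 = hostname
    if openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# Demo with constructed placeholder names
d=$(mktemp -d); cd "$d"
selfsigned_cert nosan    www.example.com ""
selfsigned_cert wrongsan www.example.com "DNS:*.google.com,IP:1.1.1.1"        # the page's shape: SAN unrelated to CN
selfsigned_cert goodsan  www.example.com "DNS:www.example.com,DNS:example.com"
for c in nosan wrongsan goodsan; do
    echo "$c: $(hostname_check $c.crt www.example.com)"
done
cd / && rm -rf "$d"
```

The nosan case prints OK only because openssl still falls back to the CN when the certificate carries no DNS SAN at all; current browsers do not, so treat that OK as legacy tolerance rather than a pass, and always put the CN into the SAN.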

ESET:

*.aliyun.com/*,*.alicdn.com/*,*.taobao.com/*,*.alipay.com/*,*.alibabagroup.com/*,*.tmall.com/*,*.aliexpress.com/*,*.alibaba.com/*,*.1688.com/*,*.alimama.com/*,*.alibabacloud.com/*,*.cainiao.com/*,*.baidu.com/*

ECC public key, SHA-384 signature hash algorithm.

openssl ecparam -genkey -name secp384r1 -out private/cakey.pem  # CA key on P-384; the stock openssl.cnf expects the demoCA layout (private/, newcerts/, index.txt, serial) to exist
openssl req -new -sha384 -x509 -key private/cakey.pem -out cacert.pem  # self-signed CA certificate; the stock [req] x509_extensions = v3_ca gives it CA:TRUE
openssl ecparam -genkey -name secp384r1 -out feng.cmd.gd.key  # server key
openssl req -new -sha256 -key feng.cmd.gd.key -out feng.cmd.gd.csr  # CSR; its digest only protects the request itself, the CA chooses the certificate's digest
openssl ca -md sha384 -in feng.cmd.gd.csr -out feng.cmd.gd.crt  # sign with the CA; -md sha384 (or default_md in openssl.cnf) is what makes the certificate ecdsa-with-SHA384

SAN

# -reqexts SAN puts the SAN into the CSR, but openssl ca ignores CSR extensions unless its config sets copy_extensions = copy, which is why the SAN is supplied a second time with -extensions SAN.
# Caveat: -extensions SAN replaces the config's x509_extensions section, so the issued certificate carries only what the [SAN] section lists (no basicConstraints, keyUsage, etc. from usr_cert); add them to [SAN] or use copy_extensions. The <( ) process substitution is bash-only.
openssl req -new -sha256 \
    -key feng.cmd.gd.key \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=UnitedStack/OU=Devops/CN=www.ustack.com" \
    -reqexts SAN \
    -config <(cat /etc/pki/tls/openssl.cnf \
        <(printf "[SAN]\nsubjectAltName=DNS:www.ustack.in,DNS:www.test.ustack.com")) \
    -out ustack.csr
openssl ca -in ustack.csr \
    -extensions SAN \
    -config <(cat /etc/pki/tls/openssl.cnf \
        <(printf "[SAN]\nsubjectAltName=DNS:www.ustack.in,DNS:www.test.ustack.com")) \
    -out ustack.crt
openssl x509 -noout -fingerprint -sha256 -inform pem -in cacert.pem
openssl x509 -noout -fingerprint -sha1 -inform pem -in cacert.pem
# The fingerprint ("thumbprint" in Windows) is a digest the viewer computes over the whole DER-encoded certificate. Any digest can be applied to any certificate, so a SHA-1 thumbprint says nothing about the signature algorithm (which stays ecdsa-with-SHA384 here) and is not a weakness of the certificate.

https://social.technet.microsoft.com/Forums/ie/en-US/9543cd5b-c3b3-4d13-a9c4-46b97f2c6c18/signature-algorithm-shows-quotsha256quot-but-thumbprint-algorithm-still-says-quotsha1quot
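The ECC CA, the SAN issuance and the fingerprint commands above all depend on an `openssl ca` setup that the page leaves implicit. As an added example (not the page's own commands), the script below stands up a throwaway ECDSA P-384 CA in a temporary directory with its own config, issues a server certificate whose SAN is taken from the CSR via copy_extensions, and then checks chain, hostname, signature algorithm and fingerprint. It assumes the openssl CLI 1.1.1 or newer; the CA name and hostnames are placeholders.

```shell
#!/bin/sh
# Added example, not the page's own commands: throwaway ECDSA P-384 CA in a temp directory
# that issues a SHA-384-signed server certificate with a SAN, then checks the result.
# Needs the openssl CLI 1.1.1+ (-addext); all names below are placeholders.
set -e
command -v openssl >/dev/null 2>&1 || { echo "needs the openssl CLI" >&2; exit 0; }

# Build the directory layout and config that `openssl ca` requires. $1 = CA directory.
mini_ca_init() {
    ca_dir=$1
    mkdir -p "$ca_dir/newcerts" "$ca_dir/private"
    : > "$ca_dir/index.txt"          # certificate database; must exist, may be empty
    echo 1000 > "$ca_dir/serial"     # next serial, hex, even number of digits
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = mini_ca
[ mini_ca ]
dir             = $ca_dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha384            # digest for the CA signature; the CSR's own digest is irrelevant
default_days    = 397
policy          = policy_any
unique_subject  = no
copy_extensions = copy              # take subjectAltName from the CSR (only for CSRs you generated)
x509_extensions = leaf_ext          # always stamped on; wins over same-named CSR extensions
[ policy_any ]
commonName      = supplied
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = serverAuth
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    openssl ecparam -genkey -name secp384r1 -noout -out "$ca_dir/private/cakey.pem"
    # CA extensions are given explicitly rather than relying on a v3_ca section somewhere
    openssl req -new -x509 -sha384 -days 3650 -config "$ca_dir/openssl.cnf" \
        -key "$ca_dir/private/cakey.pem" -subj "/CN=Example Mini CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -out "$ca_dir/cacert.pem"
}

# Issue a server certificate: fresh P-384 key, SAN carried in the CSR via -addext, CA signs it.
# $1 = CA directory, $2 = host (also the file basename), $3 = SAN list.
mini_ca_issue() {
    ca_dir=$1; host=$2; san=$3
    openssl ecparam -genkey -name secp384r1 -noout -out "$ca_dir/$host.key"
    openssl req -new -sha256 -config "$ca_dir/openssl.cnf" -key "$ca_dir/$host.key" \
        -subj "/CN=$host" -addext "subjectAltName=$san" -out "$ca_dir/$host.csr"
    openssl ca -batch -notext -config "$ca_dir/openssl.cnf" \
        -in "$ca_dir/$host.csr" -out "$ca_dir/$host.crt" 2>/dev/null
}

# Client-side view: chain to the CA and match a hostname against the SAN. Prints OK or FAIL.
mini_ca_verify() {   # $1 = CA directory, $2 = cert basename, $3 = hostname to check
    if openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# Signature algorithm actually used on a certificate, e.g. ecdsa-with-SHA384.
cert_sig_alg() { openssl x509 -noout -text -in "$1" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }

# Fingerprint = digest over the whole DER certificate, computed by whoever displays it; any
# digest works on any certificate and says nothing about the signature. $1 = cert, $2 = sha256|sha1
cert_fingerprint() { openssl x509 -noout -fingerprint "-$2" -in "$1" | cut -d= -f2; }

# Demo run with constructed placeholder names
demo=$(mktemp -d)
mini_ca_init "$demo"
mini_ca_issue "$demo" www.example.com "DNS:www.example.com,DNS:example.com"
echo "chain + hostname: $(mini_ca_verify "$demo" www.example.com www.example.com)"
echo "signature:        $(cert_sig_alg "$demo/www.example.com.crt")"
echo "sha256 fp:        $(cert_fingerprint "$demo/www.example.com.crt" sha256)"
rm -rf "$demo"
```

copy_extensions = copy is convenient but trusts whatever the requester put in the CSR; same-named entries in leaf_ext override it, but anything else (say a CRL distribution point) would be copied verbatim, so keep it for CSRs you generate yourself and use an explicit -extensions section, as the page does, for CSRs from others.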

If you can see this post, your blog has been installed successfully.


nginx:
Official packages are available; USTC (中科大) mirrors them in China.
Partial configuration:

# assumes `root /typecho_folder;` is set in the enclosing server block (/typecho_folder = the Typecho directory)
location / {
    index  index.php;
    if (!-e $request_filename) {
        rewrite ^(.*)$ /index.php$1 last;      # Typecho pretty URLs: /foo -> /index.php/foo
    }
}
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;   # split /index.php/foo into script name and PATH_INFO
    set $path_info $fastcgi_path_info;           # save it first: try_files below resets $fastcgi_path_info
    try_files $fastcgi_script_name =404;         # refuse /uploads/evil.jpg/x.php unless x.php really exists on disk
    fastcgi_pass   unix:/run/php/php7.2-fpm.sock;
    fastcgi_index  index.php;
    include        fastcgi_params;
    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    fastcgi_param  PATH_INFO $path_info;
}

PHP:
Use Sury's packages.
Turn off cgi.fix_pathinfo, the path-info fallback that otherwise lets nginx + PHP-FPM execute an uploaded file when it is requested as /uploads/evil.jpg/x.php (the "cross-directory" attack); PHP-FPM's security.limit_extensions (default .php) is the second guard against the same hole. The sed only rewrites the commented default line as shipped in php.ini:
sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' /etc/php/7.2/fpm/php.ini
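The sed above matches only the exact text `;cgi.fix_pathinfo=1`; on an ini where the line is already uncommented, written with spaces (`cgi.fix_pathinfo = 1`) or missing altogether, it changes nothing and PHP's built-in default of 1 stays in force. As an added example, not from the original post, the script below reports the effective value of cgi.fix_pathinfo whatever form the line takes, hardens it idempotently, and reads the FPM pool's security.limit_extensions, the second guard against the same hole. The ini contents are constructed and the paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the page: audit and harden the two PHP-FPM settings that stop
# /uploads/evil.jpg/x.php from executing evil.jpg as PHP. Handles the inis the page's
# one-line sed silently leaves unsafe. File paths are placeholders.
set -e

# Effective cgi.fix_pathinfo for a php.ini: the last uncommented assignment wins, and no
# assignment at all means PHP's built-in default, which is 1 (unsafe). Prints 0 or 1.
php_fix_pathinfo_effective() {
    v=$(sed -n 's/^[[:space:]]*cgi\.fix_pathinfo[[:space:]]*=[[:space:]]*"\{0,1\}\([^[:space:];"]*\).*/\1/p' "$1" | tail -n 1)
    case $(printf '%s' "${v:-1}" | tr 'A-Z' 'a-z') in
        1|on|true|yes) echo 1 ;;
        *)             echo 0 ;;
    esac
}

# Force cgi.fix_pathinfo=0 whatever shape the line has now (commented, spaced, quoted, absent).
php_fix_pathinfo_harden() {
    if grep -Eq '^[;[:space:]]*cgi\.fix_pathinfo[[:space:]]*=' "$1"; then
        sed -i.bak -E 's/^[;[:space:]]*cgi\.fix_pathinfo[[:space:]]*=.*/cgi.fix_pathinfo=0/' "$1"
        rm -f "$1.bak"
    else
        printf '\ncgi.fix_pathinfo=0\n' >> "$1"
    fi
}

# The second guard lives in the FPM pool config: security.limit_extensions restricts which
# script names FPM will run. Absent means the compiled-in default ".php"; an explicit empty
# value disables the guard entirely. Prints the effective list.
fpm_limit_extensions_effective() {
    if grep -Eq '^[[:space:]]*security\.limit_extensions[[:space:]]*=' "$1"; then
        sed -n 's/^[[:space:]]*security\.limit_extensions[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
    else
        echo ".php"
    fi
}

# Demo on a constructed php.ini shaped like the one shipped with the Sury packages
ini=$(mktemp)
printf '; php.ini\n;cgi.fix_pathinfo=1\nmemory_limit = 128M\n' > "$ini"
echo "as shipped: cgi.fix_pathinfo=$(php_fix_pathinfo_effective "$ini")"
php_fix_pathinfo_harden "$ini"
echo "hardened:   cgi.fix_pathinfo=$(php_fix_pathinfo_effective "$ini")"
rm -f "$ini"
```

Run both checks after every PHP package upgrade: a new php.ini from the package can bring the commented default back, and a pool file that sets security.limit_extensions to an empty value (sometimes done to serve .html through PHP) reopens the hole even with cgi.fix_pathinfo=0.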

MariaDB:
Official packages are available; USTC (中科大) mirrors them in China as well.