Deploying the certificate chain: a certificate chain (Certificate Chain) consists of the trust anchor (a CA certificate) and the certificates signed under it; it is the sequence of certificates issued by a series of CAs that ends at a root CA certificate. Web browsers ship with a preconfigured set of root CA certificates that they trust automatically; a certificate from any other certificate authority must be delivered together with its chain so that the client can validate it. In many deployments the server certificate alone is therefore not enough: several certificates are needed to build the chain of trust. A common mistake is to configure the server certificate correctly but forget to include the other certificates the chain requires. In addition, although intermediate certificates usually have long validity periods, they do expire, and an expired intermediate invalidates the whole chain. An invalid chain makes the server certificate unusable and triggers warnings in client browsers. The problem is not always easy to detect, because some browsers can reconstruct a complete chain on their own (from cached or downloaded intermediates) while others cannot, so a test from one machine may pass while other clients fail. On deploying a certificate chain in Nginx:
If you have a chain certificate file (sometimes called an intermediate certificate), you do not specify it separately the way you do in Apache. Instead you append the contents of the chain certificate to the end of your main certificate file, for example by typing "cat chain.crt >> mysite.com.crt" on the command line. The order matters: the server certificate must come first, followed by the intermediates in order towards the root; the root certificate itself does not need to be included, since clients already have it. Once that is done the chain file is not used for anything else; you just point Nginx at the combined certificate file with ssl_certificate.
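The bundling step above, as an added shell example that is not part of the original page: it builds the combined file Nginx reads, checks that the server certificate comes first and that at least one intermediate follows it, and, when OpenSSL is installed, reports the expiry of every certificate in the bundle (the expired-intermediate case described in the text). The file names mysite.com.crt, chain.crt and mysite.com.bundle.crt are assumptions, and the PEM-shaped inputs written by write_sample_inputs are constructed for the example; they are not real certificates, so only the structural checks run on them.

```shell
#!/bin/sh
# Added example, not from the page: build the combined certificate file Nginx
# reads and catch a bundle with the intermediates missing or in the wrong order.
# File names (mysite.com.crt, chain.crt, mysite.com.bundle.crt) are assumptions.

# Number of PEM certificate blocks in a file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print only the first PEM certificate block of a file.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }' "$1"
}

# Equivalent of "cat chain.crt >> mysite.com.crt" but written to a new file,
# refusing empty or missing inputs so a typo cannot silently yield a leaf-only bundle.
build_bundle() {
    leaf=$1; chain=$2; out=$3
    [ "$(count_certs "$leaf" 2>/dev/null)" -ge 1 ] 2>/dev/null || { echo "no certificate in $leaf" >&2; return 1; }
    [ "$(count_certs "$chain" 2>/dev/null)" -ge 1 ] 2>/dev/null || { echo "no certificate in $chain" >&2; return 1; }
    cat "$leaf" "$chain" > "$out"
}

# Nginx requires the server certificate first, then the intermediates.
check_bundle_order() {
    bundle=$1; leaf=$2
    [ "$(count_certs "$bundle")" -ge 2 ] || { echo "$bundle: no intermediate certificate after the leaf" >&2; return 1; }
    [ "$(first_cert "$bundle")" = "$(first_cert "$leaf")" ] || { echo "$bundle: server certificate is not first" >&2; return 1; }
}

# With OpenSSL available, report notAfter for every certificate in the bundle;
# an expired intermediate invalidates the whole chain even if the leaf is fine.
check_bundle_expiry() {
    bundle=$1
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping expiry check" >&2; return 0; }
    tmp=$(mktemp -d)
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (dir "/cert" n ".pem") }' "$bundle"
    rc=0
    for c in "$tmp"/cert*.pem; do
        subj=$(openssl x509 -noout -subject -in "$c")
        end=$(openssl x509 -noout -enddate -in "$c")
        if openssl x509 -noout -checkend 0 -in "$c" >/dev/null; then
            echo "ok       $end $subj"
        else
            echo "EXPIRED  $end $subj"; rc=1
        fi
    done
    rm -rf "$tmp"
    return $rc
}

# Constructed, PEM-shaped stand-ins so the structural checks can run offline.
# They are not real certificates, so check_bundle_expiry cannot parse them.
write_sample_inputs() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF-SAMPLE-NOT-A-REAL-CERT' '-----END CERTIFICATE-----' > "$1/mysite.com.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-SAMPLE-NOT-A-REAL-CERT' '-----END CERTIFICATE-----' > "$1/chain.crt"
}

# Usage: sh bundle.sh mysite.com.crt chain.crt mysite.com.bundle.crt
if [ $# -eq 3 ]; then
    build_bundle "$1" "$2" "$3" && check_bundle_order "$3" "$1" && check_bundle_expiry "$3"
fi
```

Run it with the real leaf, chain and output paths as its three arguments; on real certificates the last step prints one line per certificate with its notAfter date, which is the check to repeat before an intermediate's expiry date rather than after the browser warnings start.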
ssl: enables HTTPS for the server. syntax: ssl [on|off] default: ssl off context: http, server. This directive was made obsolete in version 1.15.0 and removed in 1.25.1; current versions use the ssl parameter of the listen directive instead (listen 443 ssl;).
ssl_certificate: the certificate file in PEM format. In this version the certificate and the key both live in cert.pem by default, and the file may contain additional certificates (the chain, in the order described above). Since version 0.6.7 a relative path is resolved from the directory containing nginx.conf rather than from the Nginx prefix. syntax: ssl_certificate file default: ssl_certificate cert.pem context: http, server
ssl_certificate_key: the private key file in PEM format; by default the key is also read from cert.pem. Since version 0.6.7 a relative path is resolved from the directory containing nginx.conf. Keep this file readable by root only: the master process reads it when the configuration is loaded, and a world-readable key lets anyone on the host impersonate the site. syntax: ssl_certificate_key file default: ssl_certificate_key cert.pem context: http, server
ssl_client_certificate: a file with CA certificates in PEM format, used to verify client certificates (client certificate verification itself is switched on separately with ssl_verify_client). syntax: ssl_client_certificate file default: none context: http, server
ssl_dhparam: a file with Diffie-Hellman parameters in PEM format, used when negotiating TLS session keys with DHE cipher suites. Generate it with openssl dhparam and use at least 2048 bits; 1024-bit parameters are considered breakable (Logjam). Before version 1.11.0 Nginx fell back to built-in 1024-bit parameters when this directive was absent; since 1.11.0 DHE suites are simply not offered without it. syntax: ssl_dhparam file default: none context: http, server
ssl_ciphers: describes the permitted cipher suites, written in the cipher list format accepted by OpenSSL. syntax: ssl_ciphers ciphers default: ssl_ciphers ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP context: http, server. Note that this old default explicitly admits RC4, LOW, export-grade (EXP) and SSLv2 suites, none of which should be offered today; later Nginx versions changed the default to HIGH:!aNULL:!MD5, and a current deployment should restrict the list further to ECDHE suites with AEAD ciphers.
The complete list can be looked up with the following command (pass -v and a cipher string as the argument to see exactly which suites a configured value expands to):
openssl ciphers
ssl_prefer_server_ciphers: when on, the server's cipher order is preferred over the client's during SSLv3 and TLS negotiation, so a client cannot steer the handshake towards the weakest suite both sides support. syntax: ssl_prefer_server_ciphers [on|off] default: ssl_prefer_server_ciphers off context: http, server
ssl_protocols: enables the listed protocol versions. TLS v1.0 and later are the safer choices; SSLv3 and below should be dropped, and SSLv2 must never be used. Put more precisely, SSLv2 and SSLv3 are both broken (DROWN and POODLE respectively) and must be disabled, and TLS 1.0 and 1.1 were formally deprecated by RFC 8996, so a current configuration lists only TLSv1.2 and TLSv1.3 (the TLSv1.1 and TLSv1.2 parameters exist since versions 1.1.13 and 1.0.12, TLSv1.3 since 1.13.0). syntax: ssl_protocols [SSLv2] [SSLv3] [TLSv1] default: ssl_protocols SSLv2 SSLv3 TLSv1 context: http, server
ssl_session_cache: sets the types and sizes of the caches that store session parameters, so that a returning client can resume a session with an abbreviated handshake. builtin is OpenSSL's own cache and is used by one worker process only; shared is a cache shared between all worker processes, and one megabyte of it holds about 4000 sessions. syntax: ssl_session_cache off|none|builtin[:size] and/or shared:name:size default: ssl_session_cache off context: http, server
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_session_timeout: the time during which a client may reuse the session parameters stored in the cache. syntax: ssl_session_timeout time default: ssl_session_timeout 5m context: http, server
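As an added example, not configuration from the page, the following script writes two constructed server blocks, one with the old defaults documented above (ssl on, SSLv2/SSLv3/TLSv1, the RC4/LOW/EXP cipher default) and one hardened form for a current Nginx, and lints any nginx.conf for those weak settings; it covers the ssl, ssl_protocols and ssl_ciphers directives above. The paths mysite.com.bundle.crt, mysite.com.key and /etc/nginx/dhparam.pem are assumptions.

```shell
#!/bin/sh
# Added example, not from the page: lint an Nginx server block for the weak TLS
# settings discussed above. Certificate and dhparam paths are assumptions.

# Constructed server block mirroring the old defaults documented above.
write_weak_conf() {
cat > "$1" <<'EOF'
server {
    listen 443;
    ssl on;
    ssl_certificate     mysite.com.crt;
    ssl_certificate_key mysite.com.key;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_session_cache off;
}
EOF
}

# Constructed hardened block for a current Nginx (1.15.0 or later).
write_hardened_conf() {
cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate     mysite.com.bundle.crt;   # leaf followed by intermediates
    ssl_certificate_key mysite.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem;          # openssl dhparam -out dhparam.pem 2048
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
}
EOF
}

# Print one finding per line. Exit status is the number of findings (0 = clean).
lint_tls_conf() {
    body=$(sed 's/#.*$//' "$1")     # drop comments so commented-out lines are ignored
    n=0
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        echo "ssl on: obsolete since 1.15.0 and removed in 1.25.1; use 'listen 443 ssl;'"
        n=$((n + 1))
    fi
    if printf '%s\n' "$body" | grep -Eq 'ssl_protocols[^;]*(SSLv2|SSLv3|TLSv1([[:space:];]|$)|TLSv1\.1)'; then
        echo "ssl_protocols: SSLv2/SSLv3/TLSv1/TLSv1.1 enabled; use 'ssl_protocols TLSv1.2 TLSv1.3;'"
        n=$((n + 1))
    fi
    # Only un-negated names count: ':RC4' is flagged, ':!RC4' is not.
    if printf '%s\n' "$body" | grep -Eq 'ssl_ciphers[^;]*[:+ ](RC4|EXP|LOW|MEDIUM|DES|MD5|NULL|aNULL|SSLv2)'; then
        echo "ssl_ciphers: RC4, export, LOW/MEDIUM, DES, MD5, NULL or SSLv2 suites listed; negate them (!RC4) or list only ECDHE AEAD suites"
        n=$((n + 1))
    fi
    return $n
}

# Usage: sh lint.sh /etc/nginx/nginx.conf
if [ $# -eq 1 ]; then
    lint_tls_conf "$1"
fi
```

The linter is deliberately line-oriented and only looks at the three directives the text singles out; run it over an include'd vhost file as well as the main nginx.conf, and confirm the resulting cipher list with openssl ciphers -v before reloading.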