How do I use a PEM file that contains both the private key and the certificates in Nginx?

Question:

I received a file (with its matching passphrase) from the client to replace the letsencrypt setup, and it looks like this:

[domain.pem]

subject=CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
issuer=CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
-----BEGIN CERTIFICATE-----
bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla==
-----END CERTIFICATE-----

subject=CN=Entrust Certification Authority - L1M, OU="(c) 2014 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
issuer=CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
-----BEGIN CERTIFICATE-----
bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla
-----END CERTIFICATE-----

subject=CN=domain, SERIALNUMBER=11 111 111 111, OID.2.5.4.15=Private Organization, O=Corp, OID.1.3.6.1.4.1.311.60.2.1.3=US, L=CITY, S=STATE, C=US
issuer=CN=Entrust Certification Authority - L1M, OU="(c) 2014 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
-----BEGIN CERTIFICATE-----
-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: SOME-LETTERS

-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla
-----END RSA PRIVATE KEY-----



My Nginx config looks like this:


server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
 # [...]

 ssl on;
 ssl_certificate /etc/path/to/domain.pem; # assuming I need the same file here?
 ssl_certificate_key /etc/path/to/domain.pem;

 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;

 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

 # OCSP Stapling ---
 # fetch OCSP records from URL in ssl_certificate and cache them
 ssl_stapling on;
 ssl_stapling_verify on;

 # [...]
}



When I try to run it in test mode, I get:


$ sudo nginx -t
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/path/to/domain.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed



What I have tried

I tried to create a plain (unencrypted) key from the file with:


openssl rsa -in domain.pem -out domain-plain.key



But now the hashes no longer match:


$ openssl x509 -noout -modulus -in domain.pem | openssl md5
206508ae007125edb1b6a26db39213c2

$ openssl rsa -noout -modulus -in domain-plain.key | openssl md5
050b90ff7080b1b1b550ea401b15aaee



Is there a way to extract the key and the certificate separately?


Answer 1:

Put the private key in a separate file and make sure its permissions are very restrictive.

ssl_certificate points to the certificate file. ssl_certificate_key points to the key file.

The important parts are the ones that begin and end with the dashes, including those dashes. The other text is just comments; make sure the comments match the ASCII certificate and key:

openssl x509 -noout -text -in file_with_only_one_cert.txt


Answer 2:

The primary key must come first, followed by the CA keys: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate

Just rearrange the keys, so:


subject=CN=domain, SERIALNUMBER=11 111 111 111, OID.2.5.4.15=Private Organization, O=Corp, OID.1.3.6.1.4.1.311.60.2.1.3=US, L=CITY, S=STATE, C=US
issuer=CN=Entrust Certification Authority - L1M, OU="(c) 2014 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
-----BEGIN CERTIFICATE-----
-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla
-----END CERTIFICATE-----

subject=CN=Entrust Certification Authority - L1M, OU="(c) 2014 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
issuer=CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
-----BEGIN CERTIFICATE-----
bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla
-----END CERTIFICATE-----

subject=CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
issuer=CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
-----BEGIN CERTIFICATE-----
bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla==
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: SOME-LETTERS

-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla
-----END RSA PRIVATE KEY-----



Also note that OpenSSL ignores all other text outside -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
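The two steps the question and this answer describe, extracting the key into its own file and reordering the certificates so the server certificate comes first, can be done in one pass. The script below is an added example and is not code from the original post or from nginx; it assumes the bundle carries OpenSSL-style subject=/issuer= comment lines in front of each certificate (as the file in the question does) and uses those lines to walk the chain leaf-first. The sample bundle embedded in it is constructed with placeholder bodies, and the output file names fullchain.pem and privkey.pem are the author's choice.

```python
"""Split a combined PEM bundle into the two files nginx's ssl_certificate and
ssl_certificate_key expect. Added example, not the original post's code."""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# Constructed sample with the same layout as the file in the question:
# root, intermediate, leaf, then an encrypted key. Bodies are placeholders.
SAMPLE_BUNDLE = """\
subject=CN=Root CA, O=Example
issuer=CN=Root CA, O=Example
-----BEGIN CERTIFICATE-----
ROOTROOTROOTROOTROOTROOTROOT==
-----END CERTIFICATE-----
subject=CN=Intermediate CA, O=Example
issuer=CN=Root CA, O=Example
-----BEGIN CERTIFICATE-----
INTERINTERINTERINTERINTERINTE
-----END CERTIFICATE-----
subject=CN=www.example.test, O=Corp
issuer=CN=Intermediate CA, O=Example
-----BEGIN CERTIFICATE-----
LEAFLEAFLEAFLEAFLEAFLEAFLEAFL
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

KEYKEYKEYKEYKEYKEYKEYKEYKEYKE
-----END RSA PRIVATE KEY-----
"""

# One PEM block; the label after BEGIN must match the one after END.
PEM_BLOCK = re.compile(r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n.*?-----END (?P=label)-----", re.S)
ANNOTATION = re.compile(r"^(subject|issuer)=(.*)$", re.M)


def parse_bundle(text: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Return (certificates, private_keys). Each certificate carries its PEM text
    plus the subject/issuer read from the comment lines preceding its block."""
    certs: List[Dict[str, str]] = []
    keys: List[str] = []
    pos = 0
    for m in PEM_BLOCK.finditer(text):
        preamble = text[pos:m.start()]  # comment lines between blocks
        pos = m.end()
        pem = m.group(0) + "\n"
        if m.group("label").endswith("PRIVATE KEY"):
            keys.append(pem)
        elif m.group("label") == "CERTIFICATE":
            fields = {k: v.strip() for k, v in ANNOTATION.findall(preamble)}
            certs.append({"pem": pem, "subject": fields.get("subject", ""),
                          "issuer": fields.get("issuer", "")})
    return certs, keys


def order_chain(certs: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Server (leaf) certificate first, then each issuer in turn, the order nginx
    wants. The leaf is the one certificate that issues nothing else in the bundle."""
    by_subject = {c["subject"]: c for c in certs}
    issuers = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    leaves = [c for c in certs if c["subject"] not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected one server certificate, found {len(leaves)}")
    chain: List[Dict[str, str]] = []
    cur: Optional[Dict[str, str]] = leaves[0]
    while cur is not None and cur not in chain:
        chain.append(cur)
        # a self-signed root ends the walk
        cur = None if cur["issuer"] == cur["subject"] else by_subject.get(cur["issuer"])
    return chain


def key_is_encrypted(key_pem: str) -> bool:
    """Passphrase-protected keys (legacy 'Proc-Type: 4,ENCRYPTED' or PKCS#8
    'ENCRYPTED PRIVATE KEY') only load in nginx via ssl_password_file or after
    decryption with openssl rsa/pkey, so flag them for the operator."""
    return ("Proc-Type: 4,ENCRYPTED" in key_pem
            or "-----BEGIN ENCRYPTED PRIVATE KEY-----" in key_pem)


def split_bundle(text: str, out_dir: Optional[str] = None) -> Dict[str, object]:
    """Write fullchain.pem (leaf first) and privkey.pem (mode 0600) into out_dir."""
    certs, keys = parse_bundle(text)
    if len(keys) != 1:
        raise ValueError(f"expected one private key, found {len(keys)}")
    chain = order_chain(certs)
    out_dir = out_dir or tempfile.mkdtemp(prefix="pem-split-")
    cert_path = os.path.join(out_dir, "fullchain.pem")
    key_path = os.path.join(out_dir, "privkey.pem")
    with open(cert_path, "w") as f:
        f.write("".join(c["pem"] for c in chain))  # comments dropped, order fixed
    # Create the key file owner-only from the first instant; never world-readable.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(keys[0])
    return {"cert_path": cert_path, "key_path": key_path,
            "chain_subjects": [c["subject"] for c in chain],
            "key_encrypted": key_is_encrypted(keys[0])}


if __name__ == "__main__":
    result = split_bundle(SAMPLE_BUNDLE)
    print("chain order:", *result["chain_subjects"], sep="\n  ")
    print("key encrypted:", result["key_encrypted"], "->", result["key_path"])
```

With the files written, the two modulus commands from the question now compare like with like: openssl x509 reads only the first certificate in fullchain.pem, which is the server certificate rather than the Entrust root, so its modulus hash matches the key's. Point ssl_certificate at fullchain.pem and ssl_certificate_key at privkey.pem; because the key is still passphrase-protected, either give nginx the passphrase through ssl_password_file or decrypt it as the question did with openssl rsa, keeping the plain key at mode 0600 as well.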


