Thursday, April 25, 2024

Tutorial: activating and using a PositiveSSL certificate bought from Namecheap

When you buy a domain at Namecheap you can add a Comodo PositiveSSL certificate for USD 1.99 per year. SSL certificates and HTTPS encryption are not essential for every website, but for sites that need to protect private data, encrypting traffic with HTTPS is a must. PositiveSSL is Comodo's entry-level product: it validates only ownership of your domain, it is cheap, and it is currently the cheapest SSL certificate you can buy.

The certificate does not have to be tied to a domain bought at Namecheap; you can use it with a domain registered elsewhere, on any host. In other words, the certificate is independent of where the domain was registered, but it does need to be installed on the hosting server.

PositiveSSL is trusted by almost all popular browsers. As long as your certificate is valid, opening your HTTPS pages in a browser works just like ordinary HTTP pages, with no security warning.

Steps:

Go to the Namecheap website and, in the SSL CERTIFICATES menu, click Your SSL Certificates under My Account, as shown in the screenshot:

Select a certificate you have not used yet and click the Activate link on the right to start the activation request.

Next you need to send a certificate signing request (CSR) to Namecheap to complete the activation. Usually selecting the Apache+OpenSSL server type is enough; if your web server is not Apache or something compatible, pick the matching type from the list.

Comodo's official CSR Generation documentation includes a guide, CSR Generation: Using OpenSSL (Apache & mod_ssl, NGINX), that shows how to generate the CSR for a Comodo PositiveSSL certificate.

Connect to your host with an SSH client and use the OpenSSL that ships with Linux to generate your own CSR. At the command line enter:

openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr

You will then be asked for your domain, company, country and so on; answer according to your situation. One prompt needs special care: the Common Name. You must enter your domain name ( yourdomain.com ) and it must not contain uppercase letters, otherwise the request will fail and you will have to contact support to apply again.

You will now be asked to enter details to be entered into your CSR.

What you are about to enter is what is called a Distinguished Name or a DN.

For some fields there will be a default value, If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: Yorks
Locality Name (eg, city) []: York
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []: mysubdomain.mydomain.com
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
Use the name of the web server as the Common Name (CN). If the domain name is mydomain.com and the server is a host within it, append the domain to the hostname, i.e. use the fully qualified domain name.

The email address, optional company name and challenge password fields can be left blank for a web server certificate.

This produces two files: myserver.key is the private key and server.csr is the CSR.

Be sure to back up the private key; if it is lost there is no way to recover it. The CSR (Certificate Signing Request) is generated from this private key with the command above.

Open server.csr, copy its contents into the text box on the activation page you opened earlier, and click NEXT to proceed.

Next you are asked for an email address that proves you own the domain, typically admin@yourdomain.com, root@, webmaster@ and so on; pick one of the offered options, and make sure the mailbox is valid and your mail server can receive mail. After choosing an address, click Next; your request is now submitted, and you must wait for the certificate authority, Comodo, to verify that you own the domain.

A few hours later Comodo will send an email to the address you chose.

Click the here link in the email, enter the validation code shown below it and submit it to Comodo. Then keep waiting: within a few hours Comodo will send you the generated SSL certificate files. The email has an attachment containing four files; one is your certificate and another important one is the PositiveSSL root certificate. You need to configure them correctly in Apache or your other web server so that your SSL service works properly.

http://www.bsmdevelopment.com/Reference/Sections/InstallNotes-Apache.html

If your CA sends you individual certificates for the certificate chain, you’ll have to concatenate them together in order, from their certificate up to the root certificate, to create the bundle file. Here’s an example of how to do it for a Comodo-issued certificate, given that the cert chain is as follows:

website.com.crt
COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt
AddTrustExternalCARoot.crt
Use cat to concatenate the certs together into the bundle:

cat COMODORSADomainValidationSecureServerCA.crt \
    COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt \
    > CA-bundle.crt
You can now use this bundle as described above.

Incidentally, if you’d like to verify that your certificate and bundle are correct, you can do so like this:

openssl verify -CAfile CA-bundle.crt website.com.crt
Or, if you are using GnuTLS, you'll have to concatenate all of the certificates together into a single file. Be sure that your certificate precedes the certificate chain in the file and give the file a name something like website.com_CA-bundle.crt. If the CA sent you a bundle file (or you created one with your text editor), do it like this:

cat website.com.crt CA-bundle.crt > website.com_CA-bundle.crt
If you were given individual certificates for the certificate chain, as in the Comodo-issued certificate example above, do it like this:

cat website.com.crt COMODORSADomainValidationSecureServerCA.crt \
    COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt \
    > website.com_CA-bundle.crt
Once you have all the certificates concatenated into a single file, point to it in the Apache config file like this:

GnuTLSCertificateFile /etc/httpd/ssl/website.com_CA-bundle.crt
If you ever need to port your cert to an IIS server, you will need to convert it to pkcs12 format and include the key, along with the cert and CA bundle. This can all be done with a single OpenSSL command:

openssl pkcs12 -export -out website.com.pfx -inkey website.com.key \
    -in website.com.crt -certfile website.com_CA-bundle.crt
Since the resultant “.pfx” file contains your private key, along with your certificate, be sure to password protect the exported file with a strong password, especially if you are planning to send it anywhere via an insecure channel (e.g. email). If this file should fall into the wrong hands, it would allow the bad guys to masquerade as you with impunity. And, as far as we know, there’s no such thing as certificate revocation that actually works so they’ll be doing it for the life of the cert. There will be nothing you can do about it, short of getting a new domain name and convincing all of your users to switch.

If at any time, you need to list the contents of a pkcs12 format cert, you can do so like this:

openssl pkcs12 -in website.com.pfx -nodes
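The CSR step (openssl req and the Common Name rules) and the bundle-and-verify step above, worked through as one runnable script. This is an added example, not code from the post or from bsmdevelopment.com; www.example.com, MyCompany Ltd and the throwaway root and intermediate CA are constructed stand-ins for your domain and for Comodo's chain.

```shell
#!/bin/sh
# Added example: generate the server key and CSR as the tutorial does, sanity-check
# the CSR before submitting it, then show the bundle ordering and verification step
# against a throwaway root/intermediate pair that stands in for the CA's chain.
set -eu
WORK=$(mktemp -d)          # keys and certs land here; nothing is cleaned up
DOMAIN="www.example.com"   # constructed sample domain

# 1. Server key + CSR, non-interactively (same command as the tutorial, plus -subj).
openssl req -nodes -newkey rsa:2048 -keyout "$WORK/myserver.key" \
  -out "$WORK/server.csr" -subj "/C=GB/O=MyCompany Ltd/CN=$DOMAIN" 2>/dev/null

# check_csr CSR KEY DOMAIN: CN must equal the domain, contain no uppercase letters,
# and the CSR's public key must belong to the private key we keep. Returns 0 if so.
check_csr() {
  csr=$1; key=$2; domain=$3
  cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$domain" ] || { echo "CN '$cn' does not match '$domain'"; return 1; }
  [ "$cn" = "$(printf '%s' "$cn" | tr 'A-Z' 'a-z')" ] || { echo "CN has uppercase letters"; return 1; }
  [ "$(openssl req -in "$csr" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "CSR public key does not match the private key"; return 1; }
}

# 2. Constructed root and intermediate CA (stand-ins for the real CA chain).
openssl req -x509 -nodes -newkey rsa:2048 -days 2 -subj "/CN=Toy Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
openssl req -nodes -newkey rsa:2048 -subj "/CN=Toy Intermediate" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
# The intermediate signs our CSR, just as the CA would.
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 2 -out "$WORK/website.crt" 2>/dev/null

# 3. Bundle order: intermediate(s) first, root last; then verify the leaf against it.
build_and_verify() {
  cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/CA-bundle.crt"
  openssl verify -CAfile "$WORK/CA-bundle.crt" "$WORK/website.crt" >/dev/null
}

check_csr "$WORK/server.csr" "$WORK/myserver.key" "$DOMAIN" && build_and_verify && echo "chain OK"
```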
