Nginx安装中间证书 [英] Nginx install intermediate certificate

问题描述

我试图在Nginx（laravel forge）上安装中间证书。
现在证书已经正确安装，只是中间的缺少。

I'm trying to install an intermediate certificate on Nginx ( laravel forge ). Right now the certificate is properly installed, just the intermediate that is missing.

我看到我需要连接当前证书和中间。

I've seen that I need to concatenate the current certificate with the intermediate. What is the best/safest way to add the intermediate certificate.

此外，如果中间安装失败，我可以回滚到上一个证书，然后重新启动nginx？ （网站网站是活的，所以我不能有太长的停机时间）

Also, if the install of the intermediate failed, can I just roll back to the previous certificate, and reboot nginx? ( the website site is live, so I can't have a too long downtime )

推荐答案

Nginx期望所有 server 中引用的文件中的 server 节证书。 ssl_certificate 。只需将所有供应商的中间证书和您的域的证书放在一个文件中。它将如下所示。

Nginx expects all server section certificates in a file that you refer with ssl_certificate. Just put all vendor's intermediate certificates and your domain's certificate in a file. It'll look like this.

-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----

为了确保一切正常，避免停机，我建议您在本地设置Nginx，添加 127.0.0.1 yourdomain.com 到 / etc / hosts ，并尝试从主要浏览器打开它。当您验证一切正确后，即可将其复制到生产服务器。

To make sure everything is okay and to avoid downtime, I would suggest you to setup Nginx locally, add 127.0.0.1 yourdomain.com to /etc/hosts, and try open it from major browsers. When you've verified that everything is correct your can replicate it to the production server.

完成后，最好使用一些SSL检查工具验证（例如这一个）。由于预先安装的CA证书可能会因浏览器和平台而异，因此您可以轻松忽略来自一个操作系统或有限的浏览器的错误配置检查。

When you're done, it is a good idea to use some SSL checker tool to verify (e.g. this one). Because pre-installed CA certificates may vary depending on browser and platform, you can easily overlook a misconfiguration checking from one OS or a limited set of browsers.

正如@Martin指出的，文件中证书的顺序很重要。
RFC 4346 的TLS 1.1状态：

As @Martin pointed out, the order of certificates in the file is important. RFC 4346 for TLS 1.1 states:

这是X.509v3证书的序列（链）。发件人的
证书必须在列表中排在第一位。以下
证书必须直接证明其前面的证书。

This is a sequence (chain) of X.509v3 certificates. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it.

因此，顺序是：

• 1。您的域的证书


• 2。供应商的中间证书，证明（1）


• 3。供应商的中间证书，证明（2）


• ...


• 供应商的证书（n-1）的根证书。可选，因为它应该包含在客户端的CA存储中。

• 1. Your domain's certificate
• 2. Vendor's intermediate certificate that certifies (1)
• 3. Vendor's intermediate certificate that certifies (2)
• ...
• n. Vendor's root certificate that certifies (n-1). Optional, because it should be contained in client's CA store.

这篇关于Nginx安装中间证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！