Generate CRT & KEY ssl files from Let's Encrypt from scratch


Question

I'd like to generate a CRT/KEY couple SSL files with Let's Encrypt (with manual challenge).

I'm trying something like this:

certbot certonly --manual -d mydomain.com

But I only get these files in my /etc/letsencrypt/live/mydomain.com folder:

  • cert.pem
  • chain.pem
  • fullchain.pem
  • privkey.pem

Am I missing something?

Recommended answer

I'm the author of Greenlock, a certbot-compatible Let's Encrypt v2 client, so I've had to learn the ins and outs of all these things as well.

Hopefully this will help:

privkey.pem is the "key" file.

Sometimes it is improperly named as cert.key or example.com.key.

fullchain.pem is your "crt" file.

Sometimes it is improperly named as example.com.crt.

bundle.pem would be written like so: cat fullchain.pem privkey.pem > bundle.pem

HAProxy is the only server that I know of that uses bundle.pem.

cert.pem contains ONLY your certificate, which can only be used by itself if the browser already has the certificate which signed it, which may work in testing (which makes it seem like it may be the right file), but will actually fail for many of your users in production with a security error of untrusted certificate.

However, you don't generally use the cert.pem by itself. It's almost always coupled with chain.pem as fullchain.pem.

chain.pem is the intermediary signed authority, signed by the root authority - which is what all browsers are guaranteed to have in their pre-built cache.

You can inspect the cert only like so:

openssl x509 -in cert.pem -text -noout

There's a list of useful commands here:

https://www.sslshopper.com/article-most-common-openssl-commands.html
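Added example (not part of the original answer, and not certbot's or Greenlock's code): a POSIX shell script that checks a certbot live directory for the layout the answer describes, rejects a private key turning up in any of the public files, builds the HAProxy bundle.pem with owner-only permissions, and, where openssl is installed, confirms that privkey.pem belongs to cert.pem. The live directory path is assumed to be passed as the first argument to each function.

```shell
#!/bin/sh
# Sanity checks for a certbot "live" directory, following the file roles
# given in the answer above. Added example, not certbot's or Greenlock's code.
set -u

# Files meant to be served publicly must never carry a private key block.
no_private_key_in() {
  for f in "$@"; do
    if grep -q 'PRIVATE KEY-----' "$f"; then
      echo "FAIL: $f contains a private key block" >&2
      return 1
    fi
  done
}

# fullchain.pem must be exactly cert.pem followed by chain.pem, and only
# privkey.pem may contain key material.
check_live_dir() {
  dir=$1
  for f in cert.pem chain.pem fullchain.pem privkey.pem; do
    [ -f "$dir/$f" ] || { echo "FAIL: missing $dir/$f" >&2; return 1; }
  done
  no_private_key_in "$dir/cert.pem" "$dir/chain.pem" "$dir/fullchain.pem" || return 1
  grep -q 'PRIVATE KEY-----' "$dir/privkey.pem" \
    || { echo "FAIL: privkey.pem holds no private key" >&2; return 1; }
  if ! cat "$dir/cert.pem" "$dir/chain.pem" | cmp -s - "$dir/fullchain.pem"; then
    echo "FAIL: fullchain.pem is not cert.pem + chain.pem" >&2
    return 1
  fi
}

# Build the HAProxy-style bundle.pem (fullchain + key). It contains the
# private key, so create it owner-readable only.
make_bundle() {
  dir=$1; out=$2
  check_live_dir "$dir" || return 1
  (umask 077 && cat "$dir/fullchain.pem" "$dir/privkey.pem" > "$out")
}

# Confirm privkey.pem really belongs to cert.pem by comparing the public
# keys both encode (needs openssl; works for RSA and ECDSA alike).
key_matches_cert() {
  dir=$1
  cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}
```

Run it as `check_live_dir /etc/letsencrypt/live/mydomain.com && key_matches_cert /etc/letsencrypt/live/mydomain.com` before pointing a server at the files; a wrong key/cert pairing or a mis-assembled fullchain.pem is far cheaper to catch here than as a TLS handshake failure in production.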
