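Before issuing a certificate, Let’s Encrypt uses ACME to verify that the applicant controls the domain. The ACME client creates temporary files at a designated location and sends information about them to Let’s Encrypt. Let’s Encrypt then fetches those files from the domain over HTTP to confirm that the applicant controls it. The web server therefore has to be configured before a certificate is requested.
For an nginx server, the configuration can look like this: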
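server {
    listen 80;
    server_name www.wolfcstech.com wolfcstech.com;
    server_tokens off;
    access_log /dev/null;

    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }

    # Serve ACME challenge files. Certbot's webroot plugin writes them to
    # <webroot>/.well-known/acme-challenge/, so use root (not alias) and the
    # same directory that is passed to certbot with -w.
    location ^~ /.well-known/ {
        root /home/www-data/www/chanllenges/;
        try_files $uri =404;
    }

    # The site content itself.
    location / {
        root /home/www-data/www/hanpfei-documents/public;
        index index.html;
    }
}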
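Certbot is very capable. It supports many plugins and can automatically request, install and deploy certificates for web servers on many platforms. For nginx, automatic installation and deployment of certificates is not yet supported, so the certonly command is used here to obtain the certificate only.
Run the following command: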
# ../certbot-auto certonly --rsa-key-size 4096 --webroot -w /home/www-data/www/chanllenges/ -d www.wolfcstech.com -d wolfcstech.com
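The main parameters:
--rsa-key-size: the size of the RSA key, that is, the strength of the asymmetric private key; 4096 bits here. This value is used when the RSA private key is generated.
--webroot: webroot is a plugin that works with the site's root directory path.
-w: the site's root directory path. The temporary files created by the ACME client are placed under the directory given here. The value must match the root directory path configured in the web server.
-d: a domain name to be validated. One certificate can cover several domain names.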
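The requirement that the -w directory match the web server's path can be checked offline. The following is an added example, not code from the original article: it plants a constructed token where certbot's webroot plugin would write it and tests whether nginx's root or alias mapping would find the file. The function names and the temp-directory layout are assumptions of the example.

```sh
#!/bin/sh
# Constructed demo: all paths live under a temp directory; nginx and certbot are not run.

# File the webroot plugin writes for a token: <webroot>/.well-known/acme-challenge/<token>
certbot_file() { printf '%s/.well-known/acme-challenge/%s\n' "${1%/}" "$2"; }

# File nginx serves for URI $4 in "location $2" with directive $1 (root|alias) set to $3.
nginx_file() {
    case "$1" in
        root)  printf '%s%s\n' "${3%/}" "$4" ;;       # root: directory + full URI
        alias) printf '%s%s\n' "$3" "${4#"$2"}" ;;    # alias: directory replaces the location prefix
        *)     return 2 ;;
    esac
}

# check_webroot DIRECTIVE LOCATION NGINX_PATH CERTBOT_WEBROOT
# Returns 0 when a token written by certbot is the file nginx would serve.
check_webroot() {
    token="constructed-token-$$"
    written=$(certbot_file "$4" "$token")
    mkdir -p "$(dirname "$written")" && echo "$token.thumbprint" > "$written"
    served=$(nginx_file "$1" "$2" "$3" "/.well-known/acme-challenge/$token")
    if [ -f "$served" ]; then rc=0; else rc=1; fi
    rm -f "$written"
    return "$rc"
}

demo() {
    base=$(mktemp -d)
    check_webroot root  /.well-known/ "$base/chanllenges"  "$base/chanllenges/" \
        && echo "root, same directory as -w: token reachable"
    check_webroot alias /.well-known/ "$base/chanllenges/" "$base/chanllenges/" \
        || echo "alias, same directory as -w: 404 (prefix stripped from the path)"
    check_webroot root  /.well-known/ "$base/challenges"   "$base/chanllenges/" \
        || echo "root, directory spelled differently from -w: 404"
    rm -rf "$base"
}
demo
```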
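Certbot completes the certificate request process automatically.
Once the certificate has been issued, a message like the following is shown:
For more on using Certbot to obtain Let’s Encrypt certificates, see the Certbot website.
The figure above shows the general flow of a certificate request:
The issued certificate and its related files are placed under the /etc/letsencrypt/ directory: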
# find /etc/letsencrypt/
/etc/letsencrypt/
/etc/letsencrypt/accounts
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/c784b1e1bc605f9cffba9f0888f3e248
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/c784b1e1bc605f9cffba9f0888f3e248/regr.json
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/c784b1e1bc605f9cffba9f0888f3e248/meta.json
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/c784b1e1bc605f9cffba9f0888f3e248/private_key.json
/etc/letsencrypt/archive
/etc/letsencrypt/archive/www.wolfcstech.com
/etc/letsencrypt/archive/www.wolfcstech.com/cert.pem
/etc/letsencrypt/archive/www.wolfcstech.com/chain.pem
/etc/letsencrypt/archive/www.wolfcstech.com/fullchain.pem
/etc/letsencrypt/archive/www.wolfcstech.com/privkey.pem
/etc/letsencrypt/csr
/etc/letsencrypt/csr/0000_csr-certbot.pem
/etc/letsencrypt/keys
/etc/letsencrypt/keys/0001_key-certbot.pem
/etc/letsencrypt/live
/etc/letsencrypt/live/www.wolfcstech.com
/etc/letsencrypt/live/www.wolfcstech.com/cert.pem
/etc/letsencrypt/live/www.wolfcstech.com/chain.pem
/etc/letsencrypt/live/www.wolfcstech.com/privkey.pem
/etc/letsencrypt/live/www.wolfcstech.com/fullchain.pem
/etc/letsencrypt/options-ssl-apache.conf
/etc/letsencrypt/renewal
/etc/letsencrypt/renewal/www.wolfcstech.com.conf
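/etc/letsencrypt/archive/[domain]: holds the files for a particular domain: the site certificate, the intermediate certificate chain, the full chain and the private key. If certificates are requested for the same domain more than once, this directory holds several sets of files, distinguished by a number appended to the file name.
/etc/letsencrypt/csr: holds the certificate signing request (CSR) files. If certificates are requested more than once, the files of every request are kept here.
/etc/letsencrypt/live/[domain]: holds the files from the most recent request for a particular domain, again the site certificate, the intermediate certificate chain, the full chain and the private key.
/etc/letsencrypt/renewal/[domain].conf: stores the configuration of the request, so that the certificate for the same domain can later be renewed with the same settings.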
The contents of the renewal configuration file tell us more about the request process:
# cat /etc/letsencrypt/renewal/www.wolfcstech.com.conf
# renew_before_expiry = 30 days
version = 0.9.3
cert = /etc/letsencrypt/live/www.wolfcstech.com/cert.pem
privkey = /etc/letsencrypt/live/www.wolfcstech.com/privkey.pem
chain = /etc/letsencrypt/live/www.wolfcstech.com/chain.pem
fullchain = /etc/letsencrypt/live/www.wolfcstech.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = c784b1e1bc605f9cffba9f0888f3e248
webroot_path = /home/www-data/www/chanllenges,
rsa_key_size = 4096
[[webroot_map]]
www.wolfcstech.com = /home/www-data/www/chanllenges
wolfcstech.com = /home/www-data/www/chanllenges
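A certificate is mainly a signature over the site's public key, yet nothing in the request process above showed that public key being generated. This is because the public key is derived automatically from the private key when the CSR is generated, and is stored in the CSR file.
Use openssl to parse the CSR file produced when we requested the Let’s Encrypt certificate: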
# openssl req -in /etc/letsencrypt/csr/0000_csr-certbot.pem -noout -text
Certificate Request:
Data:
Version: 2 (0x2)
Subject: CN=www.wolfcstech.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus: 00:b3:0d:f5:cb:a3:9b:94:fb:7e:83:15:72:65:db:
3c:56:1d:25:26:b5:5e:88:28:98:0f:c5:d7:df:78:
ee:8a:c3:aa:06:5c:0c:81:4d:4f:e6:d9:dd:ed:5d:
f2:47:2a:a0:d4:94:a2:18:3c:10:3a:73:0a:aa:24:
72:b3:5a:24:70:aa:ff:90:1c:5a:60:cd:f4:de:d6:
16:c2:e2:9f:df:d0:b1:ff:28:2d:2d:04:5d:7f:df:
aa:9a:11:99:d2:98:82:c1:16:9e:db:c6:d6:99:4f:
b8:b6:74:f8:15:47:41:d3:06:cf:10:59:77:f0:f6:
71:7d:73:c5:03:6f:d6:3a:fa:a8:bf:d3:c5:44:27:
5f:99:91:7f:83:74:b4:94:ee:be:19:da:2d:86:94:
1d:7e:7f:e9:5d:a2:15:1e:4d:09:13:4f:06:65:17:
95:82:66:5b:39:cb:76:42:87:db:2a:e2:a4:89:88:
16:64:d8:af:6a:80:f7:21:50:08:a4:2b:0f:78:36:
b3:50:3c:ec:eb:b0:27:5f:d1:89:ee:08:39:d8:71:
75:d0:0c:70:6c:c5:94:96:bf:45:cd:4d:8c:66:0d:
07:48:78:d5:94:e4:a4:4d:73:1c:7e:60:31:ae:5c:
72:4a:e4:11:9b:06:8b:2d:1c:69:54:f0:73:70:d8:
17:1c:2c:f9:24:20:e1:33:e0:dd:ec:a6:3c:53:0e:
1f:d7:83:24:cd:33:f9:94:e9:e6:3e:8e:76:e7:77:
3c:57:78:08:d4:ab:70:35:f6:a0:13:b5:ba:02:bc:
88:a9:9c:d5:47:62:99:f1:a4:08:a7:a3:22:79:73:
c4:77:2a:49:58:f2:ec:d1:87:13:ed:76:62:23:09:
1f:bf:22:e4:80:21:49:a1:43:7e:a6:76:67:30:32:
c3:9e:40:8e:a1:8c:d6:09:31:be:d9:7b:b3:73:8a:
a9:75:cf:66:2f:1e:a0:e3:01:5b:41:30:fd:68:ae:
88:cd:75:fa:72:32:d7:92:fc:a8:5c:eb:2b:82:c8:
06:e5:53:08:8d:14:92:ab:d9:81:96:45:16:43:5a:
52:12:ba:3c:51:55:c8:90:24:41:95:f7:bd:a0:d1:
7d:62:2a:56:30:a6:8e:5e:7c:8b:69:b3:ab:d3:24:
c7:35:89:eb:df:4d:c6:a8:0c:74:1d:d9:2b:30:67:
2b:ac:3f:a8:1a:c2:76:23:92:1d:00:96:1c:95:aa:
da:a6:51:61:30:b2:d0:42:a2:81:51:04:4c:5f:78:
e9:3c:6b:e6:1d:22:b2:80:3d:96:6c:2d:43:fd:ed:
82:9f:5f:59:f0:f3:44:a8:82:3f:5b:63:e1:4d:cb:
84:ce:dd
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:www.wolfcstech.com, DNS:wolfcstech.com
Signature Algorithm: sha256WithRSAEncryption
a5:e8:87:4a:fa:db:fe:b5:10:d5:39:c2:a5:88:79:9a:25:d9:
f2:3b:e2:ea:46:0d:18:28:b2:0d:87:df:85:9d:0e:4a:82:bd:
30:1c:74:6d:4c:43:46:33:82:b4:53:3b:a7:22:a5:29:04:92:
05:50:f9:9b:c7:33:d6:41:0d:5b:9a:bd:d5:d7:98:cc:5c:45:
13:46:8f:56:29:c7:ba:72:81:71:23:85:33:cb:68:d2:e7:b8:
08:9f:40:7e:9f:51:62:a9:50:6a:ab:63:de:f5:d5:30:ee:c4:
6b:40:4a:37:85:fb:51:15:a2:e4:de:58:cf:65:8c:c6:52:23:
2c:1c:6e:b0:32:bb:20:b8:a5:50:6c:0f:69:32:b2:58:e8:cd:
d9:11:47:eb:09:f2:d1:31:0c:0c:0a:6b:d9:64:ed:b7:8a:49:
e0:28:18:dd:3d:94:88:85:4d:bc:be:0b:96:bb:f9:f2:b4:83:
45:54:78:d2:12:a8:b9:28:f7:42:88:ab:31:74:0b:ea:7d:c9:
8f:0c:a1:ad:5d:28:b9:6f:da:02:6f:c6:ba:d7:77:22:bb:e4:
20:74:c6:75:85:63:1b:da:b8:59:50:1c:76:75:cc:c4:93:28:
cb:e4:c4:4b:dc:40:e6:b7:f5:dc:fd:5c:32:cf:8e:f5:03:9a:
0b:67:99:48:d2:88:ba:e4:97:fd:8e:17:ae:8f:fb:80:5b:32:
4c:d4:63:65:37:32:c7:4f:7f:9f:86:67:3e:20:fe:94:d1:b3:
82:7d:72:db:00:91:40:1a:9a:9b:82:38:9b:44:90:3e:36:4d:
fa:40:53:fc:18:4d:e1:78:21:b7:31:0e:62:9a:52:55:be:24:
96:07:2b:53:77:1f:5e:10:62:79:85:57:bc:4c:b7:f5:9b:47:
d3:00:72:dd:19:22:81:04:d6:77:26:47:2c:56:63:1d:e8:51:
ec:61:2e:ff:a4:c5:ea:1c:6d:c3:42:bc:bc:38:b8:6d:8d:c9:
cc:a5:67:35:26:dc:09:a7:c9:e7:0f:ee:82:7b:ac:59:4a:b8:
ee:75:2b:47:78:51:f4:b9:27:64:a0:af:18:3d:2a:d8:e7:34:
b7:0d:5e:c1:49:77:25:33:50:80:f8:8d:45:59:fd:18:c2:f4:
10:f0:7d:81:28:d0:16:c5:a5:3e:0b:53:78:99:19:10:50:95:
e6:41:4b:49:d6:61:b3:82:48:03:e9:ba:a1:aa:cc:73:f0:08:
83:44:88:cf:fc:64:03:5e:96:9d:2d:a3:fc:96:50:c9:73:3f:
3f:5b:92:46:d3:ec:2d:df:d1:a8:9d:87:be:fc:17:22:e2:21:
1b:2a:14:6a:e3:26:e5:7b
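The CSR file contains the public-key algorithm (RSA), the public key, its size (4096 bits), the signature algorithm (sha256WithRSAEncryption), the domain names, and other information.
The CSR above was in effect generated by a command similar to this one: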
$ openssl req -new -sha256 -key /etc/letsencrypt/live/www.wolfcstech.com/privkey.pem -out /etc/letsencrypt/csr/0000_csr-certbot.pem
openssl can also derive the public key from the private key on its own:
# openssl rsa -in /etc/letsencrypt/live/www.wolfcstech.com/privkey.pem -pubout -out rsa_public_key.pem
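The relationship between the private key, the public key and the CSR described above can be verified directly. This is an added example, not from the original article: it builds a CSR with two subject alternative names and confirms that the embedded public key is the one derived from the private key. The example.test names, the 2048-bit key size (chosen for speed) and the function names are assumptions.

```sh
#!/bin/sh
# Constructed demo: throwaway keys and CSR in a temp directory.

# make_csr KEY OUT NAME...  -> CSR whose CN is the first NAME and whose SAN lists all of them
make_csr() {
    key=$1; out=$2; shift 2
    cnf=$(mktemp)
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n'
        printf '[dn]\nCN = %s\n[ext]\nsubjectAltName = ' "$1"
        sep=''
        for name in "$@"; do printf '%sDNS:%s' "$sep" "$name"; sep=','; done
        echo
    } > "$cnf"
    openssl req -new -sha256 -key "$key" -config "$cnf" -out "$out"
    rc=$?
    rm -f "$cnf"
    return "$rc"
}

# csr_matches_key CSR KEY -> 0 when the CSR's self-signature verifies and the
# public key embedded in it equals the one derived from KEY
csr_matches_key() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    from_csr=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl rsa -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_csr" ] && [ "$from_csr" = "$from_key" ]
}

# csr_sans CSR -> the subjectAltName line of the CSR's text dump
csr_sans() { openssl req -in "$1" -noout -text | sed -n 's/^ *\(DNS:.*\)$/\1/p'; }

demo() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/privkey.pem" 2048 2>/dev/null
    openssl genrsa -out "$dir/other.pem" 2048 2>/dev/null
    make_csr "$dir/privkey.pem" "$dir/csr.pem" www.example.test example.test
    csr_sans "$dir/csr.pem"
    csr_matches_key "$dir/csr.pem" "$dir/privkey.pem" && echo "CSR carries the public key of privkey.pem"
    csr_matches_key "$dir/csr.pem" "$dir/other.pem"   || echo "other.pem is not the key behind this CSR"
    rm -rf "$dir"
}
demo
```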
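The security of the certificate system depends heavily on the strength of the CA's private key and on that key staying secret. If someone with deep pockets built a computer powerful enough to compute the CA's private key, or the CA's security systems were attacked and the key was stolen, or a malicious insider walked off with it, then whoever held the key could freely issue certificates that pass validation to impersonators of any website.
Differences in how well CAs maintain their security lead to differences in the security of their certificates. Those who provide secure services can choose a certificate that suits their security requirements. Buying a paid certificate seems mainly to be an investment in the CA, encouraging it to strengthen its own security systems and to keep its private key from being compromised.
The ten CAs with the largest market share currently hold more than 90% of the market between them. The main commercial CAs include: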
Digicert – SSL Digital Certificate Authority
Comodo – SSL Certificate Authority
There are also some non-profit CAs, mainly the following:
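This article comes from the NetEase Practitioner Community and is published with the permission of its author, Han Pengfei (韩鹏飞).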