10分钟完成基于IP地址免域名的国密SSL改造
一般选择免费SSL证书单域
注意:申请过程中需要保存RSA和SM2的私钥。
免费SSL证书单域
主域名:8.141.89.22
证书编号(Order #): 1956635926
以下命令需root用户操作
切换到root:
su root
一、安装和配置
1. 赋予安装脚本运行权限
chmod +x install.sh
2. 执行安装脚本
./install.sh
如果报错,执行下面语句:
yum install -y pcre pcre-devel
3. 转到nginx配置目录
cd /usr/local/nginx/conf
4. 使用vim或其他编辑器配置站点和证书
vim nginx.conf
5. 启动nginx
cd /usr/local/nginx/sbin
./nginx
二、nginx常用命令说明
1. 测试nginx配置是否成功
./nginx -t
2. 修改nginx配置后重新加载
./nginx -s reload
三、卸载和清理
chmod +x uninstall.sh
./uninstall.sh
四、问题
1.
./configure: error: the HTTP rewrite module requires the PCRE library.
执行:
apt-get install libpcre3-dev
yum install -y pcre pcre-devel
Nginx Config配置信息
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
# 站点1
server {
listen 443 ssl;
server_name 8.141.89.22;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECC-SM4-SM3:ECDHE-SM4-SM3:SM2-WITH-SMS4-SM3:ECDHE-SM2-WITH-SMS4-GCM-SM3:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
ssl_verify_client off; #关闭双向认证,如果需要,则设置为 on
# RSA证书
ssl_certificate /zotrus_nginx/8.141.89.22_cersign/CerSignDVSSLCA_Nginx/8.141.89.22.crt; # rsa证书路径
ssl_certificate_key /zotrus_nginx/8.141.89.22_cersign/CerSignDVSSLCA_Nginx/8.141.89.22_rsa.key; # rsa证书密钥路径
# 先签名证书和签名密钥
ssl_certificate /zotrus_nginx/8.141.89.22_cersign/8.141.89.22_SM2/8.141.89.22_sm2_sign.crt; # 国密签名证书路径
ssl_certificate_key /zotrus_nginx/8.141.89.22_cersign/8.141.89.22_SM2/8.141.89.22_sm2_sign.key; # 国密签名证书密钥路径
# 后加密证书和加密密钥
ssl_certificate /zotrus_nginx/8.141.89.22_cersign/8.141.89.22_SM2/8.141.89.22_sm2_encrypt.crt; # 国密加密证书路径
ssl_certificate_key /zotrus_nginx/8.141.89.22_cersign/8.141.89.22_SM2/8.141.89.22_sm2_encrypt.key; # 国密加密证书密钥路径
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
# 站点2
# server {
# listen 443 ssl;
# server_name your_domain_name2;
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECC-SM4-SM3:ECDHE-SM4-SM3:SM2-WITH-SMS4-SM3:ECDHE-SM2-WITH-SMS4-GCM-SM3:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
# ssl_verify_client off; #关闭双向认证,如果需要,则设置为 on
# # RSA证书
# ssl_certificate /path/to/rsa/certificate; # rsa证书路径
# ssl_certificate_key /path/to/rsa/key; # rsa证书密钥路径
# # 先签名证书和签名密钥
# ssl_certificate /path/to/sm2/signature/certificate; # 国密签名证书路径
# ssl_certificate_key /path/to/sm2/signature/key; # 国密签名证书密钥路径
# # 后加密证书和加密密钥
# ssl_certificate /path/to/sm2/encryption/certificate; # 国密加密证书路径
# ssl_certificate_key /path/to/sm2/encryption/certificate; # 国密加密证书密钥路径
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
# }
}
除Nginx中间件,还支持Tomcat等
其他中间件自行摸索尝试。
国密web服务器
https://www.gmssl.cn/gmssl/index.jsp
限制
1. 免费版本每年年底失效,程序会自动退出,需更新库,重新链接。请勿用于正式/生产环境,后果自负。
配置说明
1. 需要先配置国密签名证书/私钥,再配置国密加密证书/私钥
2. 证书及其私钥需要连续配置
3. 国密算法支持ECC-SM4-CBC-SM3、ECDHE-SM4-CBC-SM3、ECC-SM4-GCM-SM3、ECDHE-SM4-GCM-SM3
4. 国密协议内置,无需配置
5. 纯国密也需配置上标准算法(兼容性原因)
6. 国密证书链配置到国密签名证书里面
免费申请地址
https://www.cersign.com/free-ssl-certificate.html
Nginx国密算法模块
https://dl.zotrus.com/dl/sm2/zotrus_nginx.tar.gz
最终效果图
国密浏览器
https://www.zotrus.com/browser
普通浏览器