Adding SSL/TLS certificates for Apache and NGINX on an Azure virtual machine - daniel-qa/Azure-Kubernetes-Service GitHub Wiki
This assumes the correct .pfx certificate file has already been exported.
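```shell
# General form: extract the (encrypted) private key from the .pfx
openssl pkcs12 -in <yourDownloadedKeyVaultCert>.pfx -nocerts -out <yourExtractedPem>.pem
# With the file names used on this page
openssl pkcs12 -in corekeyvaultjp.pfx -nocerts -out ExtractedPem.pem
```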
- You will be prompted for the import password and a PEM pass phrase.
```
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
```
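When the certificate is first downloaded from Azure, the import password is empty by default, as shown here.
The PEM pass phrase must be set; it cannot be left empty. Set a pass phrase and enter it again to verify it.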
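```shell
# General form: write the private key out without a pass phrase
openssl rsa -in <yourExtractedPem>.pem -out <yourNewKey>.key
# With the file names used on this page
openssl rsa -in ExtractedPem.pem -out server.key
```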
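4. Finally, get the server certificate with `openssl pkcs12 -in <yourDownloadedKeyVaultCert>.pfx -clcerts -nokeys -out <serverCert>.pem`. You will again be prompted for an Import Password; this is the one for the original Key Vault certificate. As noted above, it is empty by default, so leave the prompt blank and press Enter.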
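```shell
# General form: extract the server certificate only, no keys
openssl pkcs12 -in <yourDownloadedKeyVaultCert>.pfx -clcerts -nokeys -out <serverCert>.pem
# With the file names used on this page
openssl pkcs12 -in corekeyvaultjp.pfx -clcerts -nokeys -out serverCert.pem
```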
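- `<yourDownloadedKeyVaultCert>.pfx` (the original Key Vault certificate)
- `<yourExtractedPem>.pem` (the first, encrypted .pem)
- `<yourNewKey>.key` (the .key we decrypted from `<yourExtractedPem>.pem`)
- `<serverCert>.pem` (the certificate we extracted from `<yourDownloadedKeyVaultCert>.pfx`)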
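Add two directives, `ssl_certificate` and `ssl_certificate_key`. Below we again assume that the certificate and key are located under /etc/ssl/certs and /etc/ssl/private respectively. Change these paths to match your own certificate and key. The file should be updated to the following: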
```nginx
# SSL configuration
#
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_certificate /etc/ssl/certs/<serverCert>.pem;
ssl_certificate_key /etc/ssl/private/<yourKey>.key;
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
```

```nginx
# With the file names used on this page
ssl_certificate /etc/ssl/certs/serverCert.pem;
ssl_certificate_key /etc/ssl/private/server.key;
```
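
A pre-flight check for the files produced above, as an added example that is not part of the original wiki page: it confirms that the certificate and key belong together, that the key is no longer pass-phrase protected, and that only its owner can access it, since `server.key` is stored unencrypted after the `openssl rsa` step. The function names are this example's own, and it assumes only `openssl` and standard POSIX tools are available.

```shell
#!/bin/sh
# Added example: checks to run on the extracted files before reloading nginx.
# File paths are arguments; the function names are this example's own.

# 0 when the PEM key has no encryption header, i.e. nginx can load it
# without being given a pass phrase; 2 when the file does not exist.
key_is_unencrypted() {
    [ -f "$1" ] || return 2
    ! grep -q -e '^-----BEGIN ENCRYPTED' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# 0 when the certificate's public key equals the public half of the private
# key, 1 on mismatch, 2 when a file is missing, unparsable or still encrypted.
cert_key_match() {
    # An encrypted key would make openssl stop at a pass-phrase prompt.
    key_is_unencrypted "$2" || return 2
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 when group and others have no permission bits on the key (mode 600 or 400).
key_is_owner_only() {
    [ -f "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Runs all three checks on <cert> <key>, prints one line per failure and
# returns the number of failed checks (0 means ready).
preflight() {
    failures=0
    cert_key_match "$1" "$2" ||
        { echo "FAIL: $2 does not match $1"; failures=$((failures + 1)); }
    key_is_unencrypted "$2" ||
        { echo "FAIL: $2 is missing or still encrypted"; failures=$((failures + 1)); }
    key_is_owner_only "$2" ||
        { echo "FAIL: $2 is accessible to group/others"; failures=$((failures + 1)); }
    return "$failures"
}

# Stand-alone use:
#   sh preflight.sh /etc/ssl/certs/serverCert.pem /etc/ssl/private/server.key
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2" && echo "OK: certificate and key are ready for nginx"
fi
```

If the permission check fails, `chmod 600` on the key file is the usual fix; the encrypted `ExtractedPem.pem` and the original `.pfx` also contain the private key and should not be left world-readable on the VM.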