Common Service Configurations for Alibaba Cloud Free SSL Certificates

Requesting the Certificate

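Alibaba Cloud offers a free single-domain SSL certificate that is valid for one year. To request one, go to Products and Services -> SSL Certificates -> Purchase Certificate and select the options for the free single-domain certificate (shown in a screenshot in the original post).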

Downloading the Certificate

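Once the request has been submitted and validation completes, an SMS confirming that the domain's certificate request succeeded arrives shortly afterwards. Log in to Alibaba Cloud again and download the Nginx version of the certificate.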

Ubuntu 18.04: Configuring Nginx (PEM Format)

The extracted Nginx certificate archive contains two files, a .pem and a .key. Add the following configuration to the server file /etc/nginx/sites-enabled/default, then restart Nginx.

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        listen 443 ssl;
        ssl_certificate /root/ssl2020/xxx.pem;
        ssl_certificate_key /root/ssl2020/xxx.key;
        
        ...
}
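
Before restarting Nginx (and before converting the same pair for Openfire in the next section), it is worth confirming that the key matches the certificate, that the key file is not readable by group or others, and that the certificate is not close to expiry. The script below is an added example, not part of the original post; the function names, the 30-day threshold and the throwaway demo.invalid pair are made up for illustration, and `stat -c` assumes GNU coreutils as on Ubuntu.

```shell
#!/bin/sh
# Added example: pre-deployment checks for a PEM certificate/key pair.
# Usage: sh check_pair.sh xxx.pem xxx.key   (script name is hypothetical)

# True if the public key in the certificate equals the one derived from the key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True only if no group/other permission bits are set on the key file.
# stat -c is GNU coreutils syntax (assumption: Linux, as on the page).
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$mode" in 0|*00) return 0 ;; *) return 1 ;; esac
}

# True if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run all checks; report each failure and return non-zero if any failed.
check_pair() {
    rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: key does not match certificate" >&2; rc=1; }
    key_is_private "$2" || { echo "FAIL: key file is readable by group or others" >&2; rc=1; }
    cert_valid_for_days "$1" 30 || { echo "FAIL: certificate expires within 30 days" >&2; rc=1; }
    return $rc
}

# Constructed sample input: throwaway self-signed pair for demo.invalid,
# written to directory $1 with a lifetime of $2 days.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=demo.invalid" \
        -keyout "$1/demo.key" -out "$1/demo.pem" >/dev/null 2>&1
}

# Only run the checks when a certificate and key are given on the command line.
if [ $# -ge 2 ]; then
    check_pair "$1" "$2" && echo "OK: $1 and $2 passed all checks"
fi
```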

Ubuntu 18.04: Configuring Openfire (JKS Format)

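To configure Openfire, first convert the PEM-format certificate to JKS, then create the keystore and truststore files. Assuming the certificate's domain is domain.com, use the commands below.
Notes:
1. Wherever a password is requested during the process, it is recommended to use the same password throughout. The default password in Openfire 4.4 is changeit.
2. Wherever certificate information is requested, any value will do.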

~/ssl2020# openssl pkcs12 -export -out certificate.p12 -inkey xxx.key -in xxx.pem 
Enter Export Password:
Verifying - Enter Export Password:
~/ssl2020# keytool -genkey -keyalg RSA -alias domain.com -keystore truststore.ks
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  
What is the name of your organizational unit?
  [Unknown]:  
What is the name of your organization?
  [Unknown]:  
What is the name of your City or Locality?
  [Unknown]:  
What is the name of your State or Province?
  [Unknown]:  
What is the two-letter country code for this unit?
  [Unknown]:  
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes

Enter key password for <domain.com>
	(RETURN if same as keystore password):  

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore truststore.ks -destkeystore truststore.ks -deststoretype pkcs12".
~/ssl2020# keytool -delete -alias domain.com -keystore truststore.ks
Enter keystore password: 
~/ssl2020# keytool -import -v -trustcacerts -alias domain.com -file xxx.pem -keystore truststore.ks
Enter keystore password:  
...
Trust this certificate? [no]:  yes
Certificate was added to keystore
~/ssl2020# keytool -genkey -keyalg RSA -alias domain.com -keystore keystore.ks
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  
What is the name of your organizational unit?
  [Unknown]:  
What is the name of your organization?
  [Unknown]:  
What is the name of your City or Locality?
  [Unknown]:  
What is the name of your State or Province?
  [Unknown]:  
What is the two-letter country code for this unit?
  [Unknown]:  
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes

Enter key password for <domain.com>
	(RETURN if same as keystore password):  

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.ks -destkeystore keystore.ks -deststoretype pkcs12".
~/ssl2020# keytool -delete -alias domain.com -keystore keystore.ks
Enter keystore password: 
~/ssl2020# keytool -v -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -destkeystore keystore.ks -deststoretype JKS
Importing keystore certificate.p12 to keystore.ks...
Enter destination keystore password:  
Enter source keystore password:  
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
[Storing keystore.ks]

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.ks -destkeystore keystore.ks -deststoretype pkcs12".

After generating keystore.ks and truststore.ks, copy them into the Openfire configuration directory and restart the service:

~/ssl2020# cp ./keystore.ks /root/bak/root/openfire/openfire/resources/security/keystore
~/ssl2020# cp ./truststore.ks /root/bak/root/openfire/openfire/resources/security/truststore


Reposted from blog.csdn.net/chenxiemin/article/details/107456878