
注意:这里的 pem 文件由证书和私钥两个文件合并而成:# cat servername.crt servername.key | tee servername.pem(合并后的 pem 含有私钥,tee 还会把私钥内容打印到终端;应将该文件的权限限制为仅属主可读,例如 chmod 600 servername.pem)

.key 转换成 .pem

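# Rewrite the RSA private key in temp.key as PEM in temp.pem.
# The page listed this command twice; it only needs to run once.
# With no cipher option (for example -aes256), openssl rsa writes the key
# unencrypted, even when temp.key was passphrase-protected, so check that
# temp.pem is readable by its owner only.
openssl rsa -in temp.key -out temp.pem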

.crt 转换成 .pem

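# Re-emit the certificate in tmp.crt as PEM in tmp.pem.
# The page listed this command twice; it only needs to run once.
# If the load fails because tmp.crt is DER-encoded, add "-inform DER".
# A certificate is public data, so the output needs no special protection
# (unlike the private key file).
openssl x509 -in tmp.crt -out tmp.pem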

查看证书时间

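 # Print only the validity window (notBefore / notAfter) of the certificate;
 # -noout suppresses the encoded certificate itself.
 # The page listed this command twice; it only needs to run once.
 # For expiry monitoring, "-checkend <seconds>" sets the exit status
 # according to whether the certificate expires within that many seconds.
 openssl x509 -in turebcw.crt -noout -dates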

查看 key 和 crt 是否一致(两条命令输出的摘要相同才表示匹配;下面示例中两个值不同,说明这对 key 和 crt 并不匹配。此方法比较的是 RSA 模数,只适用于 RSA 密钥)

[root@hkapp bcwex.me_ssl]# openssl x509 -noout -modulus -in bcwex_me.crt | openssl md5
(stdin)= 925e20129411180ac7d76145ae0b96bb

[root@hkapp bcwex.me_ssl]# openssl rsa -noout -modulus -in bcwex_me.key | openssl md5
(stdin)= bf164248910d2fe5220d71b2a829dff4
[root@hkapp bcwex.me_ssl]# openssl x509 -noout -modulus -in bcwex_me.crt | openssl md5
(stdin)= 925e20129411180ac7d76145ae0b96bb

[root@hkapp bcwex.me_ssl]# openssl rsa -noout -modulus -in bcwex_me.key | openssl md5
(stdin)= bf164248910d2fe5220d71b2a829dff4

查看证书类型

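# Show the decoded contents of a certificate.
#   -in     PEM file to read
#   -text   print every field in human-readable form
#   -noout  do not print the encoded certificate itself
# NOTE(review): the original note says -in takes the key, not the cert, but
# openssl x509 parses a certificate. This command only works if xxx.key.pem
# also holds the certificate (e.g. a combined cert+key PEM) - confirm, or
# pass the certificate file instead.
# The page listed both commands twice; each only needs to run once.
openssl x509 -in xxx.key.pem -text -noout
# Keep only the lines that name the public-key and signature algorithms.
openssl x509 -in xxx.key.pem -text -noout | awk '/Public Key|Signature Algorithm/'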

sslscan

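# Build sslscan from source.
# The page listed this whole sequence twice; run it once, because a second
# "git clone" into the existing sslscan/ directory fails.
#
# On CentOS, install the zlib headers only if the build complains that
# zlib.h is missing (this step can be skipped at first).
yum install -y zlib zlib-devel
# Fetch the source. This builds whatever is at the tip of the default branch;
# for a reproducible, reviewable build, check out a release tag afterwards:
#   git checkout <RELEASE_TAG>   # placeholder, pick a tag from the project
git clone https://github.com/rbsec/sslscan
cd sslscan/
# NOTE(review): the static target presumably fetches and compiles its own
# OpenSSL, which needs network access and a compiler toolchain - confirm in
# the project's README.
make static
# Running the binary with no arguments confirms that the build succeeded.
./sslscan
# Scan a host. The original page shows a sample result as an image; the
# report covers the protocol versions and cipher suites the server accepts.
./sslscan xxx.com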
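# HTTPS virtual host for xxx.com.
# The page listed this server block twice; a second block with the same
# listen address and server_name is a conflicting duplicate, so it is
# kept once.
server {
	listen 443 ssl;
	server_name xxx.com;
	# Certificate (public) and its private key. The key file should be
	# readable only by the account that starts nginx.
	ssl_certificate /etc/nginx/conf.d/ssl/xxx.com.cert.pem;
	ssl_certificate_key /etc/nginx/conf.d/ssl/xxx.com.key.pem;
	# TLS versions offered; anything older than TLS 1.2 is refused.
	ssl_protocols TLSv1.2 TLSv1.3;
	# Cipher suites, as an OpenSSL cipher string. It governs TLS 1.2 and
	# below; TLS 1.3 suites are not selected by it. HIGH typically still
	# admits CBC-mode and static-RSA key-exchange suites, so check the
	# negotiated list with a scanner such as sslscan.
	ssl_ciphers HIGH:!aNULL:!MD5;
	location / {
		root /usr/share/nginx/html/fanli;
	}
}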