
Setting up an HTTPS server for multiple subdomains with nginx (subdomain certificates issued by Tencent Cloud)

1. First, look at the pki directory structure

drwxr-xr-x. 6 root root 4096 Aug  4  2017 CA
drwxr-xr-x. 4 root root 4096 Jan 19 20:16 ca-trust
drwxr-xr-x. 2 root root 4096 Jan 19 20:16 java
drwxr-xr-x. 2 root root 4096 Jan 19 20:44 nssdb
drwxr-xr-x  2 root root 4096 Jan 19 20:16 nss-legacy
drwxr-xr-x. 2 root root 4096 Jan 19 20:16 rpm-gpg
drwx------. 2 root root 4096 Aug  7  2017 rsyslog
drwxr-xr-x. 5 root root 4096 May 10 00:33 tls

pki: short for public key infrastructure

An explanation of these folders:

CA

Certificate Authority

It builds a network of trust by issuing and maintaining digital certificates; users within the same trust network use the digital certificates they have been issued to complete identity authentication and secure processing.

Enter the CA directory:

drwxr-xr-x. 2 root root 4096 Aug  4  2017 certs
drwxr-xr-x. 2 root root 4096 Aug  4  2017 crl
drwxr-xr-x. 2 root root 4096 Aug  4  2017 newcerts
drwx------. 2 root root 4096 Aug  4  2017 private

There are four folders here, used to store certificates, private keys and public keys.

ca-trust

This directory /etc/pki/ca-trust is used by a system of consolidated CA certificates.

Use the tree command to view the directory structure:

.
|-- ca-legacy.conf
|-- extracted
|   |-- java
|   |   |-- cacerts
|   |   `-- README
|   |-- openssl
|   |   |-- ca-bundle.trust.crt
|   |   `-- README
|   |-- pem
|   |   |-- email-ca-bundle.pem
|   |   |-- objsign-ca-bundle.pem
|   |   |-- README
|   |   `-- tls-ca-bundle.pem
|   `-- README
|-- README
`-- source
    |-- anchors
    |-- blacklist
    |-- ca-bundle.legacy.crt -> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
    `-- README

The README file in the java directory says:

This directory /etc/pki/ca-trust/extracted/java/ contains
CA certificate bundle files which are automatically created
based on the information found in the
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
directories.

That is, these certificates are generated from the two directories /usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/. The README in the openssl directory has a similar description.

The README in extracted says:

This directory /etc/pki/ca-trust/extracted/ contains
CA certificate bundle files which are automatically created.
// This directory contains the CA certificate files, and the system generates them automatically.
If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
then you can use these files in your application to load a list of global
root CA certificates.

Please never manually edit the files stored in this directory,
because your changes will be lost and the files automatically overwritten,
each time the update-ca-trust command gets executed.
// Do not touch (do not modify) the files in here, or things will break.
Please refer to the update-ca-trust(8) manual page for additional information.

Enter the source directory and look at its README:

This directory /etc/pki/ca-trust/source/ contains CA certificates and 
trust settings in the PEM file format. The trust settings found here will be
interpreted with a high priority - higher than the ones found in 
/usr/share/pki/ca-trust-source/.
// This directory contains CA certificates and trust settings in PEM files; the settings here have a higher priority.
=============================================================================
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
            list of CAs trusted on the system:

            Copy it to the
                    /etc/pki/ca-trust/source/anchors/
            subdirectory, and run the
                    update-ca-trust
            command.

            If your certificate is in the extended BEGIN TRUSTED file format,
            then place it into the main source/ directory instead.
=============================================================================

nssdb

A NoSQL, memory-based, non-relational database.

pkcs11.txt
// pkcs11.txt: PKCS#11 is the interface command standard for cryptographic devices. Its contents are as follows:
parameters=configdir='sql:/etc/pki/nssdb'  certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})

nss-legacy

It contains only a single config file, whose contents are:

# To re-enable legacy algorithms, edit this file
# Note that the last empty line in this file must be preserved
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=md5 allow=DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023"

rpm-gpg

On Linux, GPG is mainly used to implement the signature mechanism for officially released packages.

tls

As the name suggests, TLS is the Transport Layer Security protocol,

so the contents of this folder are related to HTTPS access.

lrwxrwxrwx  1 root root    49 Jan 19 20:16 cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
drwxr-xr-x. 2 root root  4096 May 10 07:59 certs
drwxr-xr-x. 2 root root  4096 May 10 00:14 misc
-rw-r--r--  1 root root 10923 May 17  2017 openssl.cnf
drwxr-xr-x. 2 root root  4096 May 10 00:55 private

Here certs is the certificate directory and private holds the private keys. misc holds the library of certificate-related command scripts; its contents are as follows:

-rwxr-xr-x 1 root root 5178 Aug  4  2017 CA
-rwxr-xr-x 1 root root  119 Aug  4  2017 c_hash
-rwxr-xr-x 1 root root  152 Aug  4  2017 c_info
-rwxr-xr-x 1 root root  112 Aug  4  2017 c_issuer
-rwxr-xr-x 1 root root  110 Aug  4  2017 c_name

These are all shell scripts.

2、将從騰訊雲中申請的域名證書的.crt檔案放置到certs目錄下,将.key檔案放置到private目錄下就可以了。

Then go to the directory holding the nginx configuration files (by default /etc/nginx), enter conf.d, and create a new site configuration file there, preferably named after the domain so that names do not collide once there are many configurations.


With that, the configuration is complete.
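As an added example (not the post's own configuration), a conf.d file for two subdomains, each pointing at the certificate and key pair placed under /etc/pki/tls in step 2; nginx picks the server block by SNI. The hostnames, file names and backend port are placeholders.

```nginx
# Added example, not from the original post. Save as /etc/nginx/conf.d/example.com.conf
# (placeholder names; substitute the subdomains and file names Tencent Cloud issued).

# Send plain HTTP for every subdomain to HTTPS
server {
    listen 80;
    server_name www.example.com api.example.com;
    return 301 https://$host$request_uri;
}

# First subdomain: the web front end, with its own certificate
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/pki/tls/certs/www.example.com.crt;
    ssl_certificate_key /etc/pki/tls/private/www.example.com.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    root  /var/www/www.example.com;
    index index.html;
}

# Second subdomain: the API, with a separate certificate and key
server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate     /etc/pki/tls/certs/api.example.com.crt;
    ssl_certificate_key /etc/pki/tls/private/api.example.com.key;

    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder backend
        proxy_set_header Host $host;
    }
}
```

The .crt handed to ssl_certificate must contain the intermediate chain as well as the leaf, otherwise some clients will fail to build a path to the root; run `nginx -t` before reloading.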

Multiple subdomains calling each other run into cross-origin (CORS) problems; when a web page accesses the API, add the following in the http block:

add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Headers "ApiAuth,Origin, X-Requested-With, Content-Type, Accept";
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
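As an added example (not from the original post), the wildcard form above beside a restricted form that only grants CORS to the site's own subdomains; with `Access-Control-Allow-Origin *` any site a user visits can call the API from their browser. Names are placeholders, and the headers sit in the API location rather than the http block so they do not apply to every server.

```nginx
# Added example, not from the original post. Placeholder hostnames throughout.

# Only echo the request's Origin back when it is one of our own subdomains;
# any other origin maps to "" and nginx then omits the header entirely.
map $http_origin $cors_origin {
    default "";
    "~^https://(www|app)\.example\.com$" $http_origin;
}

server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate     /etc/pki/tls/certs/api.example.com.crt;
    ssl_certificate_key /etc/pki/tls/private/api.example.com.key;

    location /api/ {
        # Permissive form from the post: every origin is allowed
        # add_header Access-Control-Allow-Origin *;

        # Restricted form: unknown origins receive no CORS grant at all
        add_header Access-Control-Allow-Origin  $cors_origin always;
        add_header Access-Control-Allow-Headers "ApiAuth, Origin, X-Requested-With, Content-Type, Accept" always;
        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
        # Tell caches the response differs per Origin
        add_header Vary Origin always;

        # Answer the browser's preflight without forwarding it to the backend
        if ($request_method = OPTIONS) {
            return 204;
        }

        proxy_pass http://127.0.0.1:8080;   # placeholder backend
    }
}
```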