OCSP stapling:

Open the site in a browser, locate the three levels of certificates (site, intermediate, root) and download and save each in turn.

cat <site-cert> <intermediate-cert> <root-cert> > ca.pem

Add to nginx:

ssl_stapling on;

ssl_stapling_verify on;

resolver 8.8.8.8 8.8.4.4 valid=300s;

resolver_timeout 5s;

ssl_trusted_certificate cert/ca.pem;

Public Key Pinning (HPKP):

Generate the public key fingerprint

Check that this really is the intermediate certificate

openssl x509 -in intermediate.pem -noout -subject

Extract the public key (DER)

openssl x509 -in intermediate.pem -noout -pubkey | openssl asn1parse -noout -inform pem -out public.key

Generate the fingerprint

openssl dgst -sha256 -binary public.key | openssl enc -base64

Note: request a second (backup) certificate and run the steps above on it as well, so that you have at least two fingerprints in total; put them into the xxx placeholders below and add the line to nginx.

add_header Public-Key-Pins 'pin-sha256="xxx"; pin-sha256="xxx"; max-age=2592000; includeSubDomains';
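
The pin computation above, as an added example that is not part of the original notes: it wraps the openssl pipeline in functions, derives the backup pin from a key pair (so the backup pin can be generated before a backup certificate is even issued) and assembles the Public-Key-Pins value, then demonstrates it on constructed self-signed certificates rather than a real site. It assumes only the openssl command-line tool; note that mainstream browsers have since dropped HPKP support, so this mainly documents how the pins were produced.

```shell
#!/bin/sh
# Added example (not the author's configuration). Requires the openssl CLI.
set -eu

# spki_pin <cert.pem>: base64(SHA-256(DER SubjectPublicKeyInfo)), i.e. the
# same value the x509 -pubkey | dgst -sha256 | base64 pipeline produces.
spki_pin() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl enc -base64
}

# key_pin <key.pem>: the same pin, but taken from a private key. HPKP's
# mandatory backup pin is normally computed this way, from a key pair
# (or its CSR) that is kept offline until it is needed.
key_pin() {
    openssl pkey -in "$1" -pubout -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl enc -base64
}

# pin_header <primary-pin> <backup-pin> [max-age]: header value for nginx.
pin_header() {
    printf 'pin-sha256="%s"; pin-sha256="%s"; max-age=%s; includeSubDomains' \
        "$1" "$2" "${3:-2592000}"
}

# make_test_cert <prefix>: constructed self-signed cert + key for the demo.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
        -subj "/CN=example.test" -days 1 >/dev/null 2>&1
}

# Demo: pin the live certificate, keep a pin for a key pair held in reserve.
demo() {
    tmp=$(mktemp -d)
    make_test_cert "$tmp/primary"
    make_test_cert "$tmp/backup"
    pin_header "$(spki_pin "$tmp/primary.pem")" "$(key_pin "$tmp/backup.key")"
    echo
    rm -rf "$tmp"
}
demo
```

A pin is 44 base64 characters; if the two functions disagree for the same key pair, the certificate was not issued for that key.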

Strict Transport Security (HSTS):

Add to nginx:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Reload nginx

Finally, verify with GlobalSign.

Last modified: 23 February 2019