ssl-tls
npx skills add https://github.com/chaterm/terminal-skills --skill ssl-tls
Skill 文档
SSL/TLS 证书
概述
证书申请、配置、自动续期技能。
OpenSSL 基础
生成私钥
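# Private keys are written with the current umask; restrict it first so the
# .key file is not group/world readable (same effect as chmod 600 afterwards).
umask 077

# RSA private key (2048-bit; the second form writes a 4096-bit key to the same path)
openssl genrsa -out private.key 2048
openssl genrsa -out private.key 4096

# RSA private key encrypted with a passphrase (AES-256); openssl prompts for it
openssl genrsa -aes256 -out private.key 2048

# ECDSA private key on the P-256 (prime256v1) curve
openssl ecparam -genkey -name prime256v1 -out private.key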
生成 CSR
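# Interactive: openssl prompts for each subject field
openssl req -new -key private.key -out request.csr

# Non-interactive: the subject is given on the command line
openssl req -new -key private.key -out request.csr \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Company/CN=example.com"

# With subjectAltName. `prompt = no` is required: without it openssl treats
# the [req_distinguished_name] entries as prompt labels and asks interactively
# instead of using "example.com" as the CN. Browsers match hostnames against
# the SAN list, not the CN, so every hostname must appear under [alt_names].
openssl req -new -key private.key -out request.csr \
  -config <(cat <<'EOF'
[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
CN = example.com
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = api.example.com
EOF
)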
自签名证书
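# One step: a new 2048-bit RSA key (unencrypted, -nodes) plus a self-signed
# certificate valid for 365 days. -addext (OpenSSL 1.1.1+) puts the hostname
# in subjectAltName; browsers ignore the CN for hostname matching, so a
# self-signed certificate without a SAN is rejected even when the CN matches.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout private.key -out certificate.crt \
  -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com"

# From an existing private key (subject is prompted for)
openssl req -x509 -key private.key -days 365 -out certificate.crt \
  -addext "subjectAltName=DNS:example.com"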
查看证书
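# Certificate contents (subject, issuer, validity, SAN, key usage)
openssl x509 -in certificate.crt -text -noout

# CSR contents; check the requested SAN before submitting it to a CA
openssl req -in request.csr -text -noout

# Private key contents. `openssl pkey` handles RSA and EC keys alike,
# whereas `openssl rsa` fails on the ECDSA key generated above.
openssl pkey -in private.key -text -noout

# Verify the chain against a CA certificate; exit status is non-zero when
# verification fails, so this is usable in scripts
openssl verify -CAfile ca.crt certificate.crt

# Inspect the certificate a remote host serves for this SNI name.
# </dev/null closes stdin so s_client exits after the handshake instead of
# waiting for input. s_client does not fail on a bad chain by itself: read
# "Verify return code" in the output (0 = ok) or add -verify_return_error
# to make it exit non-zero.
openssl s_client -connect example.com:443 -servername example.com </dev/null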
格式转换
# PEM -> DER
openssl x509 -in cert.pem -outform DER -out cert.der
# DER -> PEM
openssl x509 -in cert.der -inform DER -out cert.pem
# PEM -> PKCS#12 (key and certificate bundled; openssl prompts for an export passphrase)
openssl pkcs12 -export -out cert.p12 -inkey private.key -in cert.pem
# PKCS#12 -> PEM. -nodes writes the private key unencrypted into cert.pem,
# so protect that file (chmod 600) like any private key.
openssl pkcs12 -in cert.p12 -out cert.pem -nodes
Let’s Encrypt
Certbot 安装
# Debian/Ubuntu: certbot plus the nginx authenticator/installer plugin
apt install certbot python3-certbot-nginx
# CentOS/RHEL: these packages come from EPEL, which must be enabled first
yum install certbot python3-certbot-nginx
申请证书
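# Nginx plugin: obtains the certificate and edits the nginx config to install it
certbot --nginx -d example.com -d www.example.com

# Apache plugin
certbot --apache -d example.com

# Standalone: certbot binds port 80 itself, so nothing else may listen on 80
# during issuance and during every renewal
certbot certonly --standalone -d example.com

# Webroot: certbot writes the challenge file under the served directory
certbot certonly --webroot -w /var/www/html -d example.com

# DNS validation (required for wildcard names). --manual needs the DNS TXT
# record to be created by hand each time, so this certificate cannot be
# renewed unattended; use a certbot DNS plugin for the provider to automate it.
certbot certonly --manual --preferred-challenges dns -d "*.example.com"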
管理证书
# List managed certificates with their names, domains and expiry dates
certbot certificates
# Renewal rehearsal: exercises the renewal path without touching the live certificates
certbot renew --dry-run
# Renew every certificate that is inside its renewal window; others are left alone
certbot renew
# Remove a certificate's files and its renewal configuration
certbot delete --cert-name example.com
自动续期
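# Cron entry (goes into a crontab, not into a shell script). Certbot's own
# guidance is to run renew twice a day; renew only acts on certificates that
# are inside their renewal window, so the extra runs are cheap. Certificates
# obtained with `certonly` are not reloaded into the web server by renew
# alone — add a --deploy-hook (see the batch-renewal scenario below).
0 */12 * * * certbot renew --quiet

# Systemd timer shipped with distro certbot packages; use either this or the
# cron entry, not both
systemctl enable certbot.timer
systemctl start certbot.timer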
Nginx 配置
基础 HTTPS
server {
    # TLS and HTTP/2 on one listen. NOTE(review): nginx 1.25.1+ deprecates
    # the `http2` listen parameter in favour of a separate `http2 on;`
    # directive; both forms still work — confirm against the installed version.
    listen 443 ssl http2;
    server_name example.com;
    # fullchain.pem carries the leaf plus intermediates; serving cert.pem
    # alone leaves clients unable to build the chain
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # TLS 1.0/1.1 are not offered
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 AEAD suites with forward secrecy only; TLS 1.3 suites are
    # negotiated separately and are not affected by this list
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    # With an already-restricted list, let the client choose its preferred suite
    ssl_prefer_server_ciphers off;
}
HTTP 重定向
server {
    listen 80;
    server_name example.com;
    # Permanent redirect of every plain-HTTP request to HTTPS. $server_name is
    # the configured name, not the request's Host header, so a client cannot
    # steer the redirect to a host of its choosing (using $host here would).
    return 301 https://$server_name$request_uri;
}
安全加固
# Session resumption via the server-side cache; tickets are off because nginx
# does not rotate the ticket key on its own, which weakens forward secrecy
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# OCSP stapling. nginx needs the intermediates (fullchain.pem above) to build
# the OCSP request; ssl_stapling_verify may additionally need
# ssl_trusted_certificate pointing at the chain
ssl_stapling on;
ssl_stapling_verify on;
# Resolver for the OCSP responder lookup. These are Google's public resolvers,
# queried in cleartext; point this at the local resolver if that is preferred
resolver 8.8.8.8 8.8.4.4 valid=300s;
# HSTS for two years; `always` emits the header on error responses too.
# NOTE: an add_header inside a location block replaces every inherited
# add_header, so this line must be repeated there if any location sets headers.
add_header Strict-Transport-Security "max-age=63072000" always;
常见场景
场景 1：创建 CA
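# The CA key is the most sensitive file here; restrict the umask so ca.key is
# created readable by its owner only.
umask 077

# CA private key
openssl genrsa -out ca.key 4096

# Self-signed CA certificate, valid for 10 years
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
  -out ca.crt -subj "/CN=My CA"

# Sign a server CSR with the CA. `openssl x509 -req` does not copy the
# extensions requested in the CSR, so a SAN requested there is silently
# dropped and browsers will not match the hostname; pass the SAN explicitly
# with -extfile (replace the DNS names with the server's own).
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out server.crt -days 365 -sha256 \
  -extfile <(printf 'subjectAltName=DNS:example.com,DNS:www.example.com\n')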
场景 2：检查证书过期
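#!/bin/bash
# Warn when the TLS certificate served by a host expires within DAYS days.
# Usage: <script> <domain>
# Output: a WARNING line on stdout when the certificate is close to expiry.
# Exit status: 1 on a usage error or when the certificate cannot be fetched;
#              0 otherwise (the WARNING line is the signal, as before).
# Requires GNU date (`date -d`); on BSD/macOS use `date -j -f` instead.
set -euo pipefail

DOMAIN=${1:?usage: $0 <domain>}
DAYS=30

# </dev/null closes stdin so s_client returns right after the handshake;
# -servername sends SNI so the host presents the certificate for DOMAIN.
# The pipeline is checked explicitly: an unreachable host would otherwise
# leave EXPIRY empty and turn into a confusing `date` error further down.
if ! EXPIRY=$(openssl s_client -connect "${DOMAIN}:443" -servername "${DOMAIN}" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate | cut -d= -f2); then
  printf 'ERROR: could not fetch the certificate for %s\n' "${DOMAIN}" >&2
  exit 1
fi
if [[ -z "${EXPIRY}" ]]; then
  printf 'ERROR: no notAfter date found for %s\n' "${DOMAIN}" >&2
  exit 1
fi

EXPIRY_EPOCH=$(date -d "${EXPIRY}" +%s)
NOW_EPOCH=$(date +%s)
# Whole days remaining; negative once the certificate has already expired
DIFF=$(( (EXPIRY_EPOCH - NOW_EPOCH) / 86400 ))

if (( DIFF < DAYS )); then
  printf 'WARNING: %s 证书将在 %s 天后过期\n' "${DOMAIN}" "${DIFF}"
fi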
场景 3：批量续期
#!/bin/bash
# Renew every certificate inside its renewal window. The deploy hook runs once
# per certificate that was actually renewed, so nginx loads the new files; it
# is skipped when nothing was renewed. NOTE(review): certbot appears to save a
# hook given on the command line into the renewal configuration, so later
# plain `certbot renew` runs reuse it — confirm against the certbot version in use.
certbot renew --deploy-hook "systemctl reload nginx"
故障排查
| 问题 | 排查方法 |
|---|---|
| 证书不信任 | 检查证书链、CA |
| 域名不匹配 | 检查 CN、SAN |
| 证书过期 | 检查有效期、续期 |
| 握手失败 | 检查协议、密码套件 |
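# Basic TLS handshake against the host. </dev/null closes stdin so the command
# exits after the handshake instead of waiting for input; -servername sends SNI.
# Look for "Verify return code: 0 (ok)" in the output to confirm chain validity.
openssl s_client -connect example.com:443 -servername example.com </dev/null

# Print every certificate the server sends, to spot a missing intermediate
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null

# SSL Labs scan. The URL is quoted because `?` is a shell glob character.
# This submits the hostname to a third-party service, and the report is only
# available once the assessment finishes: the first call starts it, so repeat
# the call until the JSON "status" field is READY.
curl -s 'https://api.ssllabs.com/api/v3/analyze?host=example.com'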