cli create ssl certkey

cli create ssl certkey

###############################

# 创建CA密钥
create ssl rsakey bwsrv-root.key 2048 -exponent F4 -keyform PEM

# 创建CA证书请求文件
create ssl certReq bwsrv-root.req -keyFile bwsrv-root.key -keyform PEM -countryName CN -stateName ShenZhen -organizationName "Default Company Ltd" -organizationUnitName "Default Section" -localityName ShenZhen -commonName default -emailAddress root@default.com

# 生成CA证书
create ssl cert bwsrv-root.cert bwsrv-root.req ROOT_CERT -keyFile bwsrv-root.key -keyform PEM -days 3650 -certForm PEM -CAcertForm PEM -CAkeyForm PEM

# 手动创建CA证书Serial文件
shell echo '01' > /flash/nsconfig/ssl/bwsrv-root.srl 
shell ls -alh /flash/nsconfig/ssl/bwsrv-root.srl

# 添加CA证书
add ssl certKey bwsrv-root-certificate -cert bwsrv-root.cert -inform PEM -expiryMonitor ENABLED -notificationPeriod 30 -bundle NO

###############################

# 创建Server密钥
create ssl rsakey bwsrv-server.key 2048 -exponent F4 -keyform PEM

# 创建Server证书请求文件
create ssl certReq bwsrv-server.req -keyFile bwsrv-server.key -keyform PEM -countryName CN -stateName ShenZhen -organizationName "Default Company Ltd" -organizationUnitName "Default Section" -localityName ShenZhen -commonName default -emailAddress server@default.com

# 生成Server证书
create ssl cert bwsrv-server.cert bwsrv-server.req SRVR_CERT -keyform PEM -days 365 -certForm PEM -CAcert bwsrv-root.cert -CAcertForm PEM -CAkey bwsrv-root.key -CAkeyForm PEM -CAserial bwsrv-root.srl

# 添加Server证书
add ssl certKey bwsrv-server-certificate -cert bwsrv-server.cert -key bwsrv-server.key -inform PEM -expiryMonitor ENABLED -notificationPeriod 30 -bundle NO

# 设置证书链
link ssl certKey bwsrv-server-certificate bwsrv-root-certificate

###############################

# 绑定服务器证书
bind ssl vserver lb_vsrv_https_web -certkeyName bwsrv-server-certificate

# 绑定CA根证书
bind ssl vserver lb_vsrv_https_web -certkeyName bwsrv-root-certificate -CA -ocspCheck Optional

# 设置虚拟服务器SSL参数 ( 可选参数: -clientAuth -sessReuse -SNIEnable -ssl3 -tls1 -tls11 -tls12 )；注意此示例仍启用 TLS1.0/1.1，而后文的 custom_hsts 前端配置文件中已将 -tls1/-tls11 设为 DISABLED
set ssl vserver lb_vsrv_https_web -ssl3 DISABLED -tls1 ENABLED -tls11 ENABLED -tls12 ENABLED

###############################
> shell openssl pkcs12 -export -in "/nsconfig/ssl/vrhxenapp-root.cert" -inkey "/nsconfig/ssl/vrhxenapp-root.key" -out "/nsconfig/ssl/vrhxenapp-root.pfx"
Enter Export Password:
Verifying - Enter Export Password:
 Done
>                                                                                                        
> shell ls -alh /flash/nsconfig/ssl/vrhxenapp-root.pfx
-rw-r--r--  1 root  wheel   2.8k Mar 10 19:06 /flash/nsconfig/ssl/vrhxenapp-root.pfx
 Done
> 
> shell openssl pkcs12 -export -chain -CAfile "/nsconfig/ssl/vrhxenapp-root.cert" -in "/nsconfig/ssl/vrhxenapp-server.cert" -inkey "/nsconfig/ssl/vrhxenapp-server.key" -out "/nsconfig/ssl/vrhxenapp-server.pfx"
Enter Export Password:
Verifying - Enter Export Password:
 Done
> 
> shell ls -alh /flash/nsconfig/ssl/vrhxenapp-server.pfx
-rw-r--r--  1 root  wheel   4.1k Mar 10 19:07 /flash/nsconfig/ssl/vrhxenapp-server.pfx
 Done
> 
> shell openssl pkcs12 -clcerts -nokeys  -in "/nsconfig/ssl/vrhxenapp-server.pfx" -out "/nsconfig/ssl/vrhxenapp-server.cert"

> shell openssl pkcs12 -nocerts -nodes  -in "/nsconfig/ssl/vrhxenapp-server.pfx" -out "/nsconfig/ssl/vrhxenapp-server.key"

> shell openssl rsa -in "/nsconfig/ssl/vrhxenapp-server.key" -out "/nsconfig/ssl/vrhxenapp-server-ins.key"
> shell openssl pkcs12 -clcerts -nokeys -in "/nsconfig/ssl/vrhxenapp-root.pfx" -out "/nsconfig/ssl/vrhxenapp-root.cert"

> shell openssl pkcs12 -nocerts -nodes -in "/nsconfig/ssl/vrhxenapp-root.pfx" -out "/nsconfig/ssl/vrhxenapp-root.key"

> shell openssl rsa -in "/nsconfig/ssl/vrhxenapp-root.key" -out "/nsconfig/ssl/vrhxenapp-root-ins.key"

# 默认启用SSL会话拦截
set ssl profile ns_default_ssl_profile_frontend -sslInterception ENABLED

# 拒绝不安全的SSL重新协商
set ssl parameter -denySSLReneg NONSECURE

# 启用默认的SSL配置文件
set ssl parameter -defaultProfile ENABLED -ssliErrorCache ENABLED

# 设置日志记录时区为本地时间
set audit syslogParams timeZone LOCAL_TIME

# 记录SSL会话拦截
set audit syslogParams -sslInterception ENABLED
# 添加SSL加密算法组
add ssl cipher ssllabs-smw-q2-2018
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 2
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 3
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-ECDSA-AES128-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-ECDSA-AES256-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-AES-256-CBC-SHA

# 添加自定义的SSL前端配置文件,前端支持HSTS
add ssl profile custom_hsts_ssl_profile_frontend -sessReuse ENABLED -sessTimeout 120 -tls1 DISABLED -tls11 DISABLED -tls13 ENABLED -HSTS ENABLED -maxage 157680000
bind ssl profile custom_hsts_ssl_profile_frontend -eccCurveName P_256
bind ssl profile custom_hsts_ssl_profile_frontend -eccCurveName P_384
bind ssl profile custom_hsts_ssl_profile_frontend -eccCurveName P_224
bind ssl profile custom_hsts_ssl_profile_frontend -eccCurveName P_521
bind ssl profile custom_hsts_ssl_profile_frontend -cipherName ssllabs-smw-q2-2018 -cipherPriority 1

# 添加自定义的SSL前端配置文件,前端支持SSL重定向
add ssl profile custom_hsts_offload_ssl_profile_frontend -sessReuse ENABLED -sessTimeout 120 -sslRedirect ENABLED -tls1 DISABLED -tls11 DISABLED -tls13 ENABLED -HSTS ENABLED -maxage 157680000
bind ssl profile custom_hsts_offload_ssl_profile_frontend -eccCurveName P_256
bind ssl profile custom_hsts_offload_ssl_profile_frontend -eccCurveName P_384
bind ssl profile custom_hsts_offload_ssl_profile_frontend -eccCurveName P_224
bind ssl profile custom_hsts_offload_ssl_profile_frontend -eccCurveName P_521
bind ssl profile custom_hsts_offload_ssl_profile_frontend -cipherName ssllabs-smw-q2-2018 -cipherPriority 1

============ End

原文地址:https://www.cnblogs.com/lsgxeva/p/11276407.html