1导出证书
首先以管理员身份打开PowerShell复制下面代码进去,然后回车。
Function Export-AppServiceCertificate { ########################################################### Param( [Parameter(Mandatory=$true,Position=1,HelpMessage="ARM Login Url")] [string]$loginId, [Parameter(Mandatory=$true,HelpMessage="Subscription Id")] [string]$subscriptionId, [Parameter(Mandatory=$true,HelpMessage="Resource Group Name")] [string]$resourceGroupName, [Parameter(Mandatory=$true,HelpMessage="Name of the App Service Certificate Resource")] [string]$name ) ########################################################### Login-AzureRmAccount Set-AzureRmContext -SubscriptionId $subscriptionId ## Get the KeyVault Resource Url and KeyVault Secret Name were the certificate is stored $ascResource= Get-AzureRmResource -ResourceId "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.CertificateRegistration/certificateOrders/$name" $certProps = Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty $certificateName = $certProps[0].Name $keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId $keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName ## Split the resource URL of KeyVault and get KeyVaultName and KeyVaultResourceGroupName $keyVaultIdParts = $keyVaultId.Split("/") $keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1] $keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5] ## --- !! NOTE !! ---- ## Only users who can set the access policy and has the the right RBAC permissions can set the access policy on KeyVault, if the command fails contact the owner of the KeyVault Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $loginId -PermissionsToSecrets get Write-Host "Get Secret Access to account $loginId has been granted from the KeyVault, please check and remove the policy after exporting the certificate" ## Getting the secret from the KeyVault $secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName $pfxCertObject= New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"",[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable) $pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_}) $currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath [Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath [io.file]::WriteAllBytes(".\appservicecertificate.pfx",$pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12,$pfxPassword)) ## --- !! NOTE !! ---- ## Remove the Access Policy required for exporting the certificate once you have exported the certificate to prevent giving the account prolonged access to the KeyVault ## The account will be completely removed from KeyVault access policy and will prevent to account from accessing any keys/secrets/certificates on the KeyVault, ## Run the following command if you are sure that the account is not used for any other access on the KeyVault or login to the portal and change the access policy accordingly. # Remove-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $loginId # Write-Host "Access to account $loginId has been removed from the KeyVault" # Print the password for the exported certificate Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx" Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required." Write-Host "PFX password: $pfxPassword" }
然后再执行
Export-AppServiceCertificate -loginId [email protected] -subscriptionId yoursubid -resourceGroupName resourceGroupNameOfYourAppServiceCertificate -name appServiceCertificateName
nginx中使用pfx格式的ssl证书
原文及更多文章请见个人博客:http://heartlifes.com
首先,nginx在编译安装时得安装ssl模块
上传ssl证书到服务器/usr/local/nginx/ssl/xxx.pfx
生成证书crt可key
openssl pkcs12 -in /usr/local/nginx/ssl/xxx.pfx -clcerts -nokeys -out /usr/local/nginx/ssl/xxx.crt openssl pkcs12 -in /usr/local/nginx/ssl/xxx.pfx -nocerts -nodes -out /usr/local/nginx/ssl/xxx.rsa
验证证书正确性
openssl s_server -www -accept 443 -cert /usr/local/nginx/ssl/xxx.crt -key /usr/local/nginx/ssl/xxx.rsa
配置nginx
server { listen 443; server_name localhost; ssl on; ssl_certificate /usr/local/nginx/ssl/xxx.crt; ssl_certificate_key /usr/local/nginx/ssl/xxx.rsa; ssl_session_timeout 5m; ssl_protocols SSLv2 SSLv3 TLSv1; ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; ssl_prefer_server_ciphers on; location ~ /api/(.*) { proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Ssl on; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://serverAPI; } }