文章内容
2025/8/24 23:40:00,作 者: 黄兵
COMODO 证书续订相关操作
最近购买的 COMODO 证书到期了,给我发送了一封邮件:
Dear Lin,
We would like to remind you that your SSL certificate for EssentialSSL DV Certificate, Order #919325, with the domain name pdf-lib.org, is set to expire on September 24, 2025.
Auto-Configuration and Pending Domain Validation
As per your previous selection for auto-configuration, your order has been automatically set up using the details and CSR submitted during your last configuration. Currently, your order is pending for Domain Validation.
Action Required: Complete Domain Control Validation
To avoid any delays in issuing your certificate, we request that you complete the domain validation process before certificate expire. Once your certificate is issued, you can proceed with installing the renewed certificate on your server.
If you have any questions or need assistance, feel free to contact us via Live Chat.
Thank you for your attention to this matter.
我登陆续订页面,使用 DNS 验证了之后,下载续订的证书,总共有 4 个文件,分别是:
SectigoPublicServerAuthenticationCADVR36.crt
SectigoPublicServerAuthenticationRootR46_USERTrust.crt
USERTrustRSACertificationAuthority.crt
www_pdf-lib_org.crt
这上面的证书分为两类:
服务器证书(我的域名证书):
www_pdf-lib_org.crt-
中间证书链(CA 颁发链):
SectigoPublicServerAuthenticationCADVR36.crt
USERTrustRSACertificationAuthority.crt
SectigoPublicServerAuthenticationRootR46_USERTrust.crt
Nginx 需要一个 完整证书链文件 (full chain),通常就是把域名证书 + 中间证书拼接在一起。
步骤
-
进入存放证书的目录(假设在
/etc/ssl/private/www.pdf-lib.org/)。 -
合并证书链
按顺序拼接证书文件(从你的网站证书开始,依次是中间 CA → 根 CA)。例如:
cat www_pdf-lib_org.crt SectigoPublicServerAuthenticationCADVR36.crt USERTrustRSACertificationAuthority.crt SectigoPublicServerAuthenticationRootR46_USERTrust.crt > full_chain_rsa.crt
⚠️ 注意:根证书(Root CA)有时不需要拼接,因为客户端浏览器一般自带,但 Comodo/ Sectigo 提供的捆绑包里通常也带着,可以留着没关系。
保持私钥不变
由于我原来已经配置了私钥,所以这里不用更改:
ssl_certificate_key /etc/ssl/private/www.pdf-lib.org/2_www.pdf-lib.org.key;
之后我们只需要将我们的新合并好的 full_chain_rsa.crt 覆盖旧文件即可。
这样就完成了证书的续订操作,是不是十分的简单。
其它相关推荐:
评论列表