如何让网站HTTPS评级为A或者A+

环境说明：CentOS Linux release 7.5.1804 (Core)、nginx/1.10.0

需求：公司网站在myssl的评级只得到了B的评分，需要提升至A+

具体操作如下：

一、nginx配置文件如下

server {
listen 443;
keepalive_timeout 70;
ssl on;
ssl_certificate /usr/local/nginx/conf/ssl/full_chain_rsa.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/private.key;
ssl_session_timeout 1m;

ssl_stapling on;
ssl_stapling_verify on; # Requires nginx => 1.3.7
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:1m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
add_header Strict-Transport-Security "max-age=80720000; preload";

server_name test.hb2018.com;
root /var/www/web/hb2018.ssl;
location / {
}
}

二、切换到nginx指定的SSL证书目录/usr/local/nginx/conf/ssl/，把相关证书文件上传并生成

       把ca_bundle.crt、certificate.crt、private.key这3个文件放在ssl目录下

       在ssl此目录下执行命令openssl dhparam -out dhparam.pem 2048

       命令执行完就会生成一个dhparam.pem文件，此时证书目录下会有ca_bundle.crt、certificate.crt、private.key、dhparam.pem这4个文件

三、进入myssl网站，点击工具箱，再点击证书链下载

 

在服务器上执行上图中的curl就可以下载证书链，文件名是full_chain_rsa.crt

此时ssl目录下就有5个文件：ca_bundle.crt、certificate.crt、private.key、dhparam.pem、full_chain_rsa.crt

再次在myssl评级，网站评级已经由B变成A+了