Reprinted from: http://www.cnblogs.com/lihuang/articles/4205540.html
introduction
Access to data on the Internet using the HTTP (Hypertext Transfer) protocol is not encrypted . That is, anyone can intercept or monitor the data stream transmitted over the network with the appropriate tools. But sometimes, we need to transmit some security or private data on the network, such as electronic orders including credit card and commodity information. At this time, if you still use the HTTP protocol, you are bound to face a very big risk! Believe that no one can accept their credit card number streaking on the Internet.
HTTPS (Hypertext Transfer Security) protocol can undoubtedly effectively solve this problem. The so-called HTTPS is actually a combination of HTTP and SSL/TLS to provide encrypted communication and authentication of network servers. The main idea of HTTPS is to create a secure channel on an insecure network to prevent eavesdropping and attacks by hackers.
SSL (Secure Sockets Layer) can be used to encrypt the data flow between the web server and the client.
SSL utilizes asymmetric cryptography for data encryption. Two secret keys are used in the encryption process: a public key and a corresponding private key. Data encrypted with the public key can only be decrypted with the corresponding private key; and data encrypted with the private key can only be decrypted with the corresponding public key. Therefore, if the message or data stream transmitted on the network is encrypted by the private key of the server, it can only be decrypted using the corresponding public key, thereby ensuring the data security between the client and the server.
Digital certificate (Certificate)
In the transmission process of HTTPS, there is a very key role - digital certificate. What is a digital certificate? What's the use?
The so-called digital certificate is an identification mechanism for computers. A signature (seal) made by a digital certificate authority (CA) on a signature request file created with a private key, indicating the CA structure's approval of the certificate holder. Digital certificates have the following advantages:
- The use of digital certificates can improve the credibility of users
- The public key in the digital certificate can be paired with the private key of the server to implement encryption and decryption during data transmission
- During the authentication of the user's identity, the user's sensitive personal data will not be transmitted to the certificate holder's network system
An X.509 certificate contains three files: key, csr, crt.
- key is the private key file on the server, used to encrypt data sent to the client and decrypt data received from the client
- csr is a certificate signing request file, which is used to submit to a certificate authority (CA) to sign a certificate
- crt is a certificate signed by a certificate authority (CA), or a self-signed certificate by the developer, containing information about the certificate holder, the holder's public key, and the signer's signature and other information
Note: In cryptography, X.509 is a standard that regulates public key authentication, certificate revocation lists, authorization credentials, credential path verification algorithms, etc.
Steps to create a self-signed certificate
Note: The following steps are for configuring SSL certificates required for internal use or testing only.
Step 1: Generate private key
Use the openssl tool to generate an RSA private key
|
1
|
$ openssl genrsa -des3 -out server.key 2048
|
Description: Generate rsa private key, des3 algorithm, 2048-bit strength, server.key is the key file name.
Note: To generate a private key, a password of at least 4 digits is required.
Step 2: Generate CSR (Certificate Signing Request)
After generating the private key, you can create the csr file.
There are two options at this point. Ideally, the certificate can be sent to a certificate authority (CA), and after the CA verifies the identity of the requester, a signed certificate is issued (which is expensive). In addition, if it is only for internal or testing needs, you can also use OpenSSL to implement self-signature, the specific operations are as follows:
|
1
|
$ openssl req -new -key server.key -out server.csr
|
Description: You need to enter the country, region, city, organization, organizational unit, Common Name and Email in sequence. Among them, Common Name, you can write your own name or domain name. If you want to support https, the Common Name should be consistent with the domain name, otherwise it will cause a browser warning.
|
1
2
3
4
5
6
7
|
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:joyios
Organizational Unit Name (eg, section) []:info technology
Common Name (e.g. server FQDN or YOUR name) []:demo.joyios.com
Email Address []:liufan@joyios.com
|
Step 3: Remove the passphrase from the private key
In the process of creating the private key in step 1, it is necessary to specify a password. And this password will bring a side effect, that is, every time Apache starts the web server, it will ask for the password, which is obviously very inconvenient. To remove the passphrase in the private key, do the following:
|
1
2
|
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
|
Step 4: Generate Self-Signed Certificate
If you don't want to pay for a CA to sign, or just test the concrete implementation of SSL. So, you can now proceed to generate a self-signed certificate.
需要注意的是,在使用自签名的临时证书时,浏览器会提示证书的颁发机构是未知的。
|
1
|
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
|
说明:crt上有证书持有人的信息,持有人的公钥,以及签署者的签名等信息。当用户安装了证书之后,便意味着信任了这份证书,同时拥有了其中的公钥。证书上会说明用途,例如服务器认证,客户端认证,或者签署其他证书。当系统收到一份新的证书的时候,证书会说明,是由谁签署的。如果这个签署者确实可以签署其他证书,并且收到证书上的签名和签署者的公钥可以对上的时候,系统就自动信任新的证书。
第5步:安装私钥和证书
将私钥和证书文件复制到Apache的配置目录下即可,在Mac 10.10系统中,复制到/etc/apache2/目录中即可。