HTTPS service self-built certificate generation

If you want to understand how SSL/TLS works, see the overview of the SSL/TLS protocol's operating mechanism and the detailed explanation of the SSL/TLS principles.

 

If you are not familiar with certificates, read the introductory article on digital certificates and CAs first.

 

1. Install and upgrade openssl

First, check the OpenSSL version installed on the machine. If it is already 1.0.1g or later, skip this step.
openssl version -a
#OpenSSL 1.0.1f 6 Jan 2014

If the version is anywhere from 1.0.1 through 1.0.1f, upgrade to 1.0.1g or later as soon as possible: those releases contain the OpenSSL "Heartbleed" bug (CVE-2014-0160), which lets an unauthenticated remote peer read chunks of the process's memory, including the server's private key. See the analysis of the OpenSSL "Heartbleed" vulnerability for details. If a vulnerable version has already been serving TLS traffic, treat any private key it loaded as exposed and generate a new one after upgrading rather than reusing it.

The output above shows that this system is on 1.0.1f, so OpenSSL needs to be upgraded.

 

2. Create a certificate signed with the private key and configure it on the Apache server

The procedure is: generate a private key, create a certificate signing request (CSR) from it, then sign that request with the same private key, which produces a self-signed certificate.

Generate the private key

openssl genrsa -des3 -out private.key 2048

-des3 encrypts the key file at rest with Triple DES under a passphrase that OpenSSL prompts for; it protects the file only, and has no effect on the TLS connection (on a current OpenSSL, -aes256 is the better choice of cipher for this). The trailing 2048 is the key length in bits. 1024-bit RSA is no longer considered secure, so use 2048 or more. For details, see the article on the era of HTTPS for entire sites.

 

Generate the certificate signing request

openssl req -new -key private.key -out server.csr

This step prompts for several fields. The one that matters is Common Name (e.g. server FQDN or YOUR name) []: enter the domain name (or IP address) that clients will use to reach the server. Note that modern browsers no longer match the host name against the Common Name at all; they require a subjectAltName extension listing the host, which the interactive command above does not add. The SAN has to be supplied through an extensions section in an OpenSSL config file or the -addext option (OpenSSL 1.1.1 and later).

Remove the passphrase from the private key

openssl rsa -in private.key -out server.key

This prompts for the passphrase once and writes an unencrypted copy, server.key, that Apache can load at startup without a prompt. Because that file is now plaintext, restrict it to the owner (chmod 600) and keep it out of any web-served directory and out of version control.

Use the private key to sign the certificate request and produce a self-signed X.509 server certificate in PEM format

openssl x509 -req -in server.csr -out server.crt -outform pem -signkey server.key -days 3650

-signkey is what makes this self-signed: the certificate's issuer is the certificate itself, and -days 3650 makes it valid for ten years. Browsers and other TLS clients will not trust it until server.crt is installed as a trust anchor on each client (or the user clicks through a warning), which is why this is suitable for internal and test servers but not for public sites. -outform pem specifies the output encoding; PEM is the default, so the command can also be written as

openssl x509 -req -in server.csr -out server.crt -signkey server.key -days 3650

sudo is not needed for this command unless the output directory is owned by root; running it as root only makes server.crt root-owned for no benefit.
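The whole procedure above as one non-interactive script, followed by the checks worth running before handing the files to Apache. This is an added example, not code from the original article: it assumes openssl is on PATH, uses www.example.com as a placeholder host name and demo-passphrase as a constructed passphrase for the encrypted key, and adds a subjectAltName through a config file (something the interactive commands above do not do) because browsers match the host name against the SAN, not the Common Name. check_cert confirms that server.key and server.crt share an RSA modulus, that the SAN is present, that the certificate is not expired, and that it verifies when server.crt itself is the trust anchor, which is exactly how each client must be configured to accept this server.

```shell
#!/bin/sh
# Added example (not from the original article): private key -> CSR -> self-signed
# certificate, run non-interactively, plus pre-deployment checks.
# Assumptions: openssl is on PATH; www.example.com is a placeholder host name;
# "demo-passphrase" is a constructed passphrase for the encrypted key (use a real one).
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# make_self_signed DIR HOST DAYS
make_self_signed() {
  dir=$1; host=$2; days=$3
  mkdir -p "$dir"
  # New files (the plaintext key in particular) must be readable by the owner only.
  umask 077

  # Config used for both the CSR and the certificate. The DN section answers the
  # interactive questionnaire (prompt = no); v3_req carries the subjectAltName that
  # browsers actually match the host name against, since the CN alone is ignored.
  cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = $host

[ v3_req ]
subjectAltName   = DNS:$host
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

  # 1. Private key, encrypted at rest (the article's genrsa -des3 step).
  #    -passout replaces the interactive passphrase prompt.
  openssl genrsa -des3 -passout pass:demo-passphrase -out "$dir/private.key" 2048 2>/dev/null

  # 2. Certificate signing request, signed with the encrypted key.
  openssl req -new -key "$dir/private.key" -passin pass:demo-passphrase \
    -config "$dir/openssl.cnf" -out "$dir/server.csr"

  # 3. Copy of the key without the passphrase, so Apache can start unattended.
  openssl rsa -in "$dir/private.key" -passin pass:demo-passphrase \
    -out "$dir/server.key" 2>/dev/null

  # 4. Self-signed X.509 certificate. "openssl x509 -req" does not copy extensions
  #    from the CSR, so the SAN section is supplied again via -extfile/-extensions.
  openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" -days "$days" \
    -extfile "$dir/openssl.cnf" -extensions v3_req -out "$dir/server.crt" 2>/dev/null
}

# check_cert DIR HOST: returns 0 only if the key/cert pair is consistent and usable.
check_cert() {
  dir=$1; host=$2
  # The certificate must contain the public half of server.key: compare RSA moduli.
  key_mod=$(openssl rsa -in "$dir/server.key" -noout -modulus)
  crt_mod=$(openssl x509 -in "$dir/server.crt" -noout -modulus)
  [ "$key_mod" = "$crt_mod" ] || { echo "server.key does not match server.crt" >&2; return 1; }
  # The host name must appear in the SAN, not just in the CN.
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host" \
    || { echo "subjectAltName missing DNS:$host" >&2; return 1; }
  # Not expired (-checkend 0 means "does not expire within 0 seconds").
  openssl x509 -in "$dir/server.crt" -noout -checkend 0 >/dev/null \
    || { echo "certificate expired" >&2; return 1; }
  # A self-signed certificate verifies only when it is itself the trust anchor,
  # which is what every client must be configured with to accept this server.
  openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null 2>&1 \
    || { echo "certificate does not verify against itself" >&2; return 1; }
}

# Usage: sh make-cert.sh ./certs www.example.com [days]
if [ $# -ge 2 ]; then
  make_self_signed "$1" "$2" "${3:-3650}"
  check_cert "$1" "$2" && echo "ok: $1/server.key and $1/server.crt"
fi
```

Point Apache's SSLCertificateFile at server.crt and SSLCertificateKeyFile at server.key; private.key (the encrypted original) stays as the backup you regenerate server.key from, and never needs to be readable by the web server.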

 
