For the principles behind SSL/TLS, see the overview of the operation mechanism of the SSL/TLS protocol and the detailed explanation of the principle of SSL/TLS.
If you are not familiar with certificates, read this introduction to digital certificates and CAs.
1. Install and upgrade openssl
First, check the openssl version on the current device. If the version is 1.0.1g or above, skip this step.
openssl version -a #OpenSSL 1.0.1f 6 Jan 2014
If the version you are on is in the range 1.0.1 to 1.0.1f, upgrade to 1.0.1g or above as soon as possible, because these versions contain a vulnerability. For details, see the analysis of the OpenSSL "Heartbleed" vulnerability.
From the above information, we can see that our system version is 1.0.1f, and openssl needs to be upgraded.
2. Create a certificate signed with the private key and configure it to the Apache server
First generate a private key, then create a certificate request, then sign the request with the private key.
Generate private key
openssl genrsa -des3 -out private.key 2048
-des3 encrypts the generated key with a passphrase, and the trailing 2048 is the key length in bits. 1024 is not very secure. For details, see the era of HTTPS for the entire Internet site.
Generate certificate request
openssl req -new -key private.key -out server.csr
This step prompts for some information. For Common Name (e.g. server FQDN or YOUR name) [], enter your domain name or server address.
Generate the server's private key with the key password removed
openssl rsa -in private.key -out server.key
Use the private key to sign the certificate request and generate a self-signed server certificate in X.509 PEM format
openssl x509 -req -in server.csr -out server.crt -outform pem -signkey server.key -days 3650
-outform pem specifies the output format of the certificate. pem is the default, so this command can also be written as
sudo openssl x509 -req -in server.csr -out server.crt -signkey server.key -days 3650
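The four steps above as one non-interactive script, followed by a check that the certificate and the passphrase-free key actually belong together. This is an added example, not part of the original article; the function names, the KEY_PASS environment variable and the host name example.test are assumptions.

```shell
#!/bin/sh
# Added example: the key, CSR and self-signed certificate steps, scripted.
# Assumed names (not from the article): make_selfsigned, cert_matches_key,
# key_is_encrypted, the KEY_PASS environment variable, host "example.test".

# make_selfsigned DIR CN
# Writes private.key, server.csr, server.key and server.crt into DIR.
# The passphrase is read from the exported variable KEY_PASS, which keeps it
# out of the process list (unlike "pass:..." on the command line).
make_selfsigned() (
    umask 077   # key files readable by the owner only
    # 1. Passphrase-protected 2048-bit RSA key.
    openssl genrsa -des3 -passout env:KEY_PASS -out "$1/private.key" 2048 &&
    # 2. Certificate request; -subj answers the Common Name prompt.
    openssl req -new -key "$1/private.key" -passin env:KEY_PASS \
        -subj "/CN=$2" -out "$1/server.csr" &&
    # 3. Passphrase-free copy of the key for the server.
    openssl rsa -in "$1/private.key" -passin env:KEY_PASS -out "$1/server.key" &&
    # 4. Sign the request with that key; PEM is the default output format.
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
        -days 3650 -out "$1/server.crt"
)

# cert_matches_key CRT KEY
# Succeeds only if certificate and key carry the same RSA modulus, which
# catches a server.crt paired with the wrong server.key before deployment.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1") || return 1
    k=$(openssl rsa -noout -modulus -in "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# key_is_encrypted KEY
# Succeeds if the PEM file is passphrase-protected (its header says ENCRYPTED).
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# Usage (constructed values):
#   KEY_PASS='choose-a-passphrase'; export KEY_PASS
#   make_selfsigned ./out example.test &&
#       cert_matches_key ./out/server.crt ./out/server.key
```

server.key is stored without a passphrase, so its protection is the file permissions alone; the umask in the script keeps it readable by the owner only.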