preamble
background
An SSL certificate is also known as an SSL server certificate. Now that Internet giants such as Google and Baidu are mandating HTTPS for websites, deploying SSL certificates on websites has become a development trend of the Internet.
Two functions of SSL certificate: data encryption and identity authentication
After the server deploys the SSL certificate, it can ensure that the information entered by the user on the browser and the information queried from the server are highly encrypted and transmitted on the transmission link between the computer and the server, which is impossible to be illegally tampered with and stolen . At the same time, it proves to website visitors the real identity of the server, which is verified by a third-party authority.
SSL for websites
provide authentication
When it comes to network security, authentication is essential. To install an SSL certificate, the website must go through an authentication process. After passing the "network ID card" issued to the user by an authoritative third-party certification agency, the physical identity of the entity is bound to the virtual identity of the network, ensuring the real identity of the website owner in the virtual network world. ---- Verify the identity of the website
Prevent Phishing
Phishing sites are fake sites created by people who want to steal user information, and it is difficult for creators to obtain valid SSL certificates. When users don't see a security sign on a website, they're more likely to leave without entering any information . So a valid SSL certificate prevents phishing attacks on your visitors. ---- Same as above to verify the identity of the website
Prevent Traffic Hijacking
In network activities, information may be intercepted and tampered during transmission and then forwarded, resulting in incomplete information. When information tampering or loss occurs or may occur, network service providers should use SSL certificates to digitally sign and complete the information. Permanent protection to protect data from any uninstructed or unexpected modification, insertion, deletion, retransmission, damage, etc. during the process of server storage, transmission and processing.
Provide data encryption
Confidential or sensitive information involved in e-government and e-commerce may be intercepted and leaked during network transmission, and network service providers should encrypt such information. Using an SSL certificate to encrypt the transmission and storage of confidential or sensitive information can show visitors that sensitive information shared on this website, such as credit card numbers, IDs, email addresses and passwords, is safe. Thus, SSL strengthens the trust between customers/visitors of the website.
SSL for website viewers
They are connected to the correct official server of the website they want to visit (not a fake product run by hackers), and no one can intercept the data they send to the website and use it for nefarious purposes.
openssl generates self-signed certificate
The website certificate needs to be endorsed by some large authority to confirm the identity of the website owner. Otherwise, anyone can get a certificate to prove their identity.
Therefore, SSL has the following roles:
- CA : Certification authority. With your own certificate , you can use your own certificate to sign others and collect money. The CAs on this planet are monopolized by several English-speaking people. Here we will virtualize a CA organization, and then use it to sign our own certificate certification.
- (Web site) certificate : The certificate sent to the client, which is mainly a collection of public keys and other information. It is a file containing the public key, certification, signature and other information of your own website.
- (Website) private key : the decryption private key retained by the server (server)
SSL-related file types
| Format | illustrate |
|---|---|
.crt .cer |
Certificate |
.key |
Key/Private Key |
.csr |
Certificate signing request |
*.pem |
Base64 encoded text storage format, you can store the certificate or key alone, or two at the same time; base64 encoding is the inexplicable characters between the two ------- |
*.der |
Binary storage format for certificates (not commonly used) |
Generate CA's certificate
# 生成CA认证机构的证书密钥key
# 需要设置密码,输入两次
openssl> genrsa -des3 -out ca.key 1024
# 去除密钥里的密码(可选)
# 这里需要再输入一次原来设的密码
openssl> rsa -in ca.key -out ca.key
# 用私钥ca.key生成CA认证机构的证书ca.crt
# 其实就是相当于用私钥生成公钥,再把公钥包装成证书
openssl> req -new -x509 -key ca.key -out ca.crt -days 365
# 这个证书ca.crt有的又称为"根证书",因为可以用来认证其他证书The certificate of the website is mainly signed by the certificate of the CA. The reason is very simple. It is to use the public key of the CA to sign the certificate of the website. When actually visiting the website, the user will take the information signed by the CA to the CA for verification. Is this the certificate of other methods, [email protected]
Generate a certificate for the website
# 生成自己网站的密钥server.key
openssl> genrsa -des3 -out server.key 1024
# 生成自己网站证书的请求文件
# 如果找外面的CA机构认证,也是发个请求文件给他们
# 这个私钥就包含在请求文件中了,认证机构要用它来生成网站的公钥,然后包装成一个证书
openssl> req -new -key server.key -out server.csr
Generate the website's own private key and certificate as above
CA certificate encryption or signature website certificate
# 使用虚拟的CA认证机构的证书ca.crt,来对自己网站的证书请求文件server.csr进行处理,生成签名后的证书server.crt
# 注意设置序列号和有效期(一般都设1年)
openssl> x509 -req -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt -days 365Finally
In the end we have the following 3 spoons
- S
erver.key: 网站的私钥 server.crt: 网站的证书ca.crt : ca的证书 用于验证服务端的政府ca.key: ca的私钥
Another file format can be changed according to requirements, which is a string of strings.