How to use OpenSSL to generate a self-signed certificate on Windows to upgrade HTTP to HTTPS
Foreword
HTTPS is HTTP over SSL/TLS: the HTTP connection is carried inside an SSL/TLS secure connection.
Creating a self-signed certificate requires OpenSSL to be installed; see the Install OpenSSL section of this article.
The steps to generate a self-signed certificate with OpenSSL are listed below; see the section Generate a self-signed certificate using OpenSSL for the details:
- Create a private key (.key file);
- Create a certificate signing request (.csr file);
- Remove the passphrase from the key;
- Sign the certificate with the key (.key + .csr => .crt).
Note that for a certificate intended for HTTPS, the CN of the signing request must exactly match the domain name, otherwise the browser will not accept the certificate.
What is the difference between a CA certificate and a self-signed certificate?
CA certificates and self-signed certificates are both digital certificates used for encrypted communication, but there are some important differences between them:
- CA certificates are issued by a recognized certificate authority (CA), while self-signed certificates are created by the users themselves. CA is the abbreviation of Certificate Authority, also called a "certification authority center".
- CA certificates are more secure because they are trusted and regulated by an authority. The security of a self-signed certificate depends on the skill and process of the user.
- CA certificates can be used on public networks and websites because they are already trusted by many browsers and operating systems. Self-signed certificates should only be used on private networks or for testing.
- There is a fee for CA certificates, while self-signed certificates are free.
Overall, a CA certificate is recommended if you need to run a website or application on a public network. If you only need to encrypt communication or test on a private network, you can use a self-signed certificate.
Install OpenSSL
Download the OpenSSL installation package
Go to https://slproweb.com/products/Win32OpenSSL.html to download the Windows OpenSSL installer.
You can choose either the exe or the msi. Note that the Light version is a lightweight build; we download the full version directly.
The download is Win64OpenSSL_Light-3_1_1.msi
Install
Most of the installation steps can be left at their defaults.
Note that when the installer asks whether to place the OpenSSL DLLs in the Windows System directory or in the bin directory of the installation directory, choose the bin directory, so that DLLs from other software in the System directory do not interfere with OpenSSL.
Click Next on other pages to complete the installation.
Finally, on this page, you can choose to donate to the author. If you don't want to donate, you can uncheck all of the options.
The installation is complete.
Set environment variables
We also need to add the bin path to the system PATH environment variable; mine is C:\Program Files\OpenSSL-Win64\bin
After adding it, click the "Move Up" button on the right to move it to the top:
Then save the changes.
Verify the installation
Open cmd and enter the following command to show the version:
openssl version
If the version is printed, the installation was successful. If it is not the version we just installed, you may need to restart the computer.
Generate a self-signed certificate using OpenSSL
Go to the SSL folder
Create an SSL folder to store the generated certificate files. Mine is D:\ssl证书
Open cmd, cd to the SSL folder, enter the command openssl and press Enter:
D:
cd D:\ssl证书
openssl
Generate the server private key (.key file)
Enter the following command to generate the key file:
openssl genrsa -des3 -out server.pass.key 2048
Then enter a passphrase of more than 4 characters, and enter it again to confirm. As shown in the picture:
The command is explained as follows:
genrsa: generate an RSA private key
-des3: encrypt the private key with the Triple DES (des3) algorithm
-out: specify the output file name
2048: set the private key length to 2048 bits
Remove the passphrase from the private key
openssl rsa -in server.pass.key -out server.key
rsa: process an RSA private key
-in: input private key file
-out: output private key file
No encryption option is given, so the output private key is written without a passphrase
Then enter the passphrase of server.pass.key. As shown in the picture:
Generate a Certificate Signing Request (.csr file)
Enter the following command to generate a certificate signing request:
openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=OrganizeName/OU=UnitName/CN=192.168.0.174"
req: generate a certificate signing request
-new: generate a new request
-key: the private key file
-out: the name of the generated CSR file
-subj: the subject fields of the CSR
The -subj fields are described as follows:
| Field | Full name | Example |
|---|---|---|
| /C= | Country | CN |
| /ST= | State or Province | Zhejiang |
| /L= | Locality or City | Hangzhou |
| /O= | Organization (organization/enterprise) | OrganizeName |
| /OU= | Organizational Unit (department) | UnitName |
| /CN= | Common Name (domain name or IP) | www.yourdomain.com or 192.168.xx |
Generate a self-signed SSL certificate (.crt file)
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
-days: certificate validity period in days
-req: the input file is a certificate signing request
-in: input CSR file
-signkey: the private key used to self-sign the certificate
-out: output crt file
There are now 4 files in the folder: server.pass.key, server.key, server.csr and server.crt.
Of these, if you configure nginx, you need two files: server.key and server.crt.
At this point, certificate generation is complete.
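The four commands above, run end to end, as an added example that is not part of the original article. It is a POSIX shell script (the OpenSSL commands are identical to the ones typed into cmd; only the scripting glue differs) and assumes OpenSSL 1.1.1 or newer is on the PATH; the passphrase, output directory and CN are constructed placeholders. Beyond the article's steps it passes the passphrase on the command line so nothing prompts, adds a subjectAltName (current browsers match the visited host against the SAN rather than the CN), and then runs the checks a practitioner wants before handing the files to nginx: the key and certificate carry the same public key, the certificate verifies with itself as the trust anchor (which is what the browser does once the certificate has been imported as trusted), and it matches the host name or IP that will be visited.

```shell
#!/bin/sh
# Added example, not from the original article: the article's four OpenSSL
# steps run non-interactively, followed by sanity checks on the result.
# Assumes openssl >= 1.1.1 on PATH. All values below are constructed.
set -eu

CN="${CN:-192.168.0.174}"      # host name or IPv4 address the browser will visit
OUT="${OUT:-$(mktemp -d)}"     # output folder (the article uses D:\ssl证书)
PASS="example-passphrase"      # constructed; only protects server.pass.key
DAYS=3650

command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH"; exit 0; }

# The SAN type must match what the browser types in: IP: for an address,
# DNS: for a host name. IPv4 only; an IPv6 literal would need its own case.
san_for() {
    case "$1" in
        *[!0-9.]*) echo "DNS:$1" ;;   # anything other than digits and dots
        *)         echo "IP:$1"  ;;   # dotted-quad IPv4
    esac
}

gen_self_signed() {
    # 1. Private key encrypted with 3DES (article: genrsa -des3);
    #    -passout replaces the interactive passphrase prompt.
    openssl genrsa -des3 -passout "pass:$PASS" -out "$OUT/server.pass.key" 2048 2>/dev/null || return 1
    # 2. Write the key without a passphrase so nginx can load it unattended.
    openssl rsa -in "$OUT/server.pass.key" -passin "pass:$PASS" -out "$OUT/server.key" 2>/dev/null || return 1
    # 3. CSR with the article's -subj; CN must equal the name being visited.
    openssl req -new -key "$OUT/server.key" -out "$OUT/server.csr" \
        -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=OrganizeName/OU=UnitName/CN=$CN" || return 1
    # Extension file that x509 -req copies into the certificate: the SAN the
    # browser actually checks, plus the server-authentication usage.
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$(san_for "$CN")" > "$OUT/san.ext"
    # 4. Self-sign the CSR with the same key (article: x509 -req -signkey).
    openssl x509 -req -days "$DAYS" -in "$OUT/server.csr" -signkey "$OUT/server.key" \
        -extfile "$OUT/san.ext" -out "$OUT/server.crt" 2>/dev/null || return 1
}

verify_pair() {
    # The private key and the certificate must carry the same public key.
    k=$(openssl pkey -in "$OUT/server.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$OUT/server.crt" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ] || { echo "server.key does not belong to server.crt"; return 1; }
    # A self-signed certificate must validate with itself as the trust anchor.
    openssl verify -CAfile "$OUT/server.crt" "$OUT/server.crt" >/dev/null || return 1
    # The name the browser visits must match the certificate (SAN first, CN
    # as a fallback, the same order a browser applies).
    case "$CN" in
        *[!0-9.]*) res=$(openssl x509 -in "$OUT/server.crt" -noout -checkhost "$CN") ;;
        *)         res=$(openssl x509 -in "$OUT/server.crt" -noout -checkip "$CN") ;;
    esac
    case "$res" in
        *"does match"*) ;;
        *) echo "name mismatch: $res"; return 1 ;;
    esac
    echo "ok: $OUT/server.key and $OUT/server.crt are ready for nginx"
}

gen_self_signed && verify_pair
```

Run it as `CN=www.yourdomain.com OUT=./ssl sh make-cert.sh` to pick the name and folder; the same four files the article lists (server.pass.key, server.key, server.csr, server.crt) end up in the output folder, and only server.key and server.crt go into the nginx configuration.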
The X.509 certificate workflow involves three files: key, csr and crt
key is the private key file on the server, used to encrypt the data sent to the client and decrypt the data received from the client
csr is the certificate signing request file, submitted to a certificate authority (CA) to have the certificate signed
crt is the certificate signed by the certificate authority (CA), or self-signed by the developer; it contains the certificate holder's information, the holder's public key, the signer's signature and other information
Note: In cryptography, X.509 is a standard that specifies public key certificates, certificate revocation lists, attribute certificates, certification path validation algorithms and more.
Use of the self-signed certificate (taking Nginx as an example)
Upload the SSL certificate to the server
The web server needs to send server.crt to the browser for verification, and then uses server.key to decrypt the data sent by the browser. (The remaining two files, server.pass.key and server.csr, are no longer needed.)
The server listens on port 443 and uses the SSL certificate
Taking Nginx as an example, add a listener for port 443 in %你的Nginx安装目录%/conf/nginx.conf (%你的Nginx安装目录% is your Nginx installation directory). It must be configured inside the server{...} block:
server {
    # listen on port 443
    listen 443 ssl;
    server_name 127.0.0.1;
    # path to the SSL certificate .crt file
    ssl_certificate D:\\SSLCertificate\\server.crt;
    # path to the SSL certificate .key file
    ssl_certificate_key D:\\SSLCertificate\\server.key;
    # reverse proxy
    location / {
        root html;
        index index.html index.htm;
        proxy_pass http://127.0.0.1:7001;
    }
}
After modifying nginx.conf, enter the following commands to reload it:
D:
cd D:\Nginx
nginx -s reload
Client access over HTTPS
If all goes well, open your browser and you can access the website via HTTPS. A warning appears on the first visit (because our self-signed certificate is not trusted by the browser), as shown in the figure:
Method 1: Force the browser and operating system to accept our own certificate authority
One method is to click [Advanced] -> [Continue to 192.168.xx (unsafe)].
This forces the browser and operating system to accept our own certificate authority. Therefore, once the CA certificate is installed and added to the trusted list, you will no longer see the security warning.
Method 2: Install the certificate authority in your browser/operating system
Alternatively, you can share the CA certificate with your development team to install in their browsers. Import the certificate through the browser and mark it as "trusted", so that the computer can connect to the web server without warnings when visiting the website in the future.
Reference article
Configure Nginx with a self-signed SSL certificate