[Repost] How to create a self-signed SSL certificate (X.509)

Reposted from: http://www.joyios.com/?p=47

Introduction

Data fetched over HTTP (Hypertext Transfer Protocol) is not encrypted: anyone positioned on the network path can intercept or monitor the traffic with the right tools. Sometimes the data being transferred needs confidentiality, for example an electronic order that contains credit card and product details. Using plain HTTP for that carries a very real risk; nobody wants their credit card number crossing the Internet in the clear.

HTTPS (Hypertext Transfer Protocol Secure) solves this problem. HTTPS is simply HTTP run over SSL/TLS, which provides encrypted communication and authentication of the server's identity. The main idea of HTTPS is to create a secure channel over an insecure network so that an attacker cannot eavesdrop on or tamper with the traffic.

SSL (Secure Sockets Layer), and its successor TLS (Transport Layer Security), encrypt the data stream between the web server and the client.

SSL/TLS uses asymmetric (public-key) cryptography during the handshake. A key pair consists of a public key and a corresponding private key. Data encrypted with the public key can only be decrypted with the corresponding private key, and a signature produced with the private key can only be verified with the corresponding public key. The server keeps its private key secret and publishes the public key in its certificate; the client encrypts to, or verifies a signature from, the server using that public key, so only the holder of the private key can complete the handshake. Two points are often stated wrongly: asymmetric cryptography is not used for the bulk data itself (the handshake agrees on a symmetric session key, and the HTTP traffic is encrypted with that), and "encrypting with the private key" provides no confidentiality, because the public key is public; what it provides is authenticity, i.e. a signature.

Digital certificate (Certificate)

In HTTPS transmission there is one crucial component: the digital certificate. What is a digital certificate, and what does it do?

A digital certificate is an identity mechanism for computers. It is a file issued by a certificate authority (CA): the CA signs the requester's certificate with the CA's own private key (like a stamp), which represents the CA's recognition of the certificate holder. Digital certificates have the following advantages:

  1. Using a digital certificate increases the user's confidence in the site
  2. The public key in the certificate is paired with the server's private key and is used to set up the encryption and decryption of the transmitted data
  3. When the user's identity is verified, the user's sensitive personal data does not have to be sent across the certificate holder's network system

Working with an X.509 certificate involves three files: the key, the CSR and the crt.

  • key: the server's private key. It must remain secret; it is what lets the server prove during the handshake that it is the legitimate holder of the certificate, by decrypting or signing handshake material that the client protects with the public key
  • csr: the certificate signing request, submitted to a certificate authority (CA) so that the CA can sign the certificate. It carries the public key and the requested subject information
  • crt: the certificate, either signed by a certificate authority (CA) or self-signed by the developer. It contains the holder's information, the holder's public key, the signer's signature, and other fields such as the validity period

Note: In cryptography, X.509 is the standard that defines the format of public key certificates, certificate revocation lists, attribute certificates, and the certification path validation algorithm.

Creating a self-signed certificate

Note: The steps below produce a certificate suitable only for internal use or testing; browsers will not trust it unless it is installed manually.

Step 1: generate a private key

Use the openssl tool to generate an RSA private key:

$ openssl genrsa -des3 -out server.key 2048

Description: generates an RSA private key of 2048 bits and writes it to server.key, encrypted with 3DES (-des3) under a passphrase. 2048 bits is the minimum key size you should use today.

Note: when generating the private key you will be asked for a passphrase; OpenSSL requires at least four characters.

Step 2: generate a CSR (Certificate Signing Request)

Once the private key exists, you can create the CSR file.

At this point there are two choices. Ideally the CSR is sent to a certificate authority (CA); the CA verifies the requester's identity and issues a signed certificate (which costs money). Alternatively, if the certificate is only for internal or test use, you can self-sign it with OpenSSL, as follows:

$ openssl req -new -key server.key -out server.csr

Description: you will be prompted in turn for the country, state or province, city, organization, organizational unit, Common Name and email address. For the Common Name, enter your own domain name: to serve https for a site, the Common Name must match the site's host name, otherwise the browser will warn about a name mismatch. Note that modern browsers no longer match the host name against the Common Name at all; they require it in the Subject Alternative Name (SAN) extension, which the interactive prompts below do not add. To include a SAN, supply a config file containing a subjectAltName entry via -config when creating the CSR and via -extfile when signing.

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:joyios
Organizational Unit Name (eg, section) []:info technology
Common Name (e.g. server FQDN or YOUR name) []:demo.joyios.com
Email Address []:[email protected]

 

Step 3: remove the passphrase from the private key

The private key created in step 1 is protected by a passphrase. That has a side effect: every time the Apache web server starts it will ask for the passphrase, which is inconvenient. To strip the passphrase from the private key:

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

Note: server.key now holds the private key unencrypted on disk, so protect it with file permissions (readable only by root, e.g. chmod 600 server.key) and delete, or protect just as strictly, the server.key.org copy.

 

Step 4: generate a self-signed certificate

If you do not want to pay a CA to sign the certificate, or are only testing an SSL deployment, you can now generate a self-signed certificate.

Note that when a temporary self-signed certificate is used, the browser will warn that the certificate authority is unknown.

$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Description: the crt contains the certificate holder's information, the holder's public key, and the signer's signature. -days 365 sets the validity period to one year, and -signkey signs the certificate with the server's own key, so issuer and subject are identical. When a user installs the certificate (imports it into a trust store), that means trusting the certificate and the public key it carries. The certificate also states what it may be used for: server authentication, client authentication, or signing other certificates. When a system receives a new certificate it looks at who signed it; if the signer is a certificate the system already trusts, the signature verifies under the signer's public key, and the certificate is within its validity period, the system trusts the new certificate automatically. A self-signed certificate has no such signer, which is why it must be installed explicitly.

Step 5: Install the private key and certificate

Copy the private key and certificate into the Apache configuration directory; on OS X 10.10 that is /etc/apache2/. Keep the key file readable only by root.
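The five steps above, run end to end as one script (an added example, not part of the original post). It differs from the interactive walkthrough in two ways a practitioner wants today: the key is generated without a passphrase (steps 1 and 3 collapsed into one), and the certificate carries a Subject Alternative Name supplied through a config file, since the `openssl req` prompts do not add one. The host name demo.joyios.com and the subject fields are taken from the post; the output directory, the config file name san.cnf and the helper function names are assumptions of this example, and it assumes only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: self-signed X.509 certificate with a SAN, plus the checks
# a practitioner runs on the result. Requires only the openssl CLI.

# Steps 1-4 of the walkthrough in one function.
#   $1 = output directory (assumed name), $2 = host name, $3 = validity in days
make_selfsigned() {
    dir="$1"; host="$2"; days="${3:-365}"
    mkdir -p "$dir"

    # Step 1 (+ step 3): RSA private key written unencrypted, so lock the file down.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"

    # Subject fields from the post, plus the SAN that browsers actually check.
    # prompt = no makes 'openssl req' read the subject from [dn] instead of asking.
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[dn]
C = CN
ST = Beijing
L = Beijing
O = joyios
OU = info technology
CN = $host

[v3_req]
subjectAltName = DNS:$host
EOF

    # Step 2: CSR carrying the subject and the SAN.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -config "$dir/san.cnf" 2>/dev/null

    # Step 4: self-sign. 'x509 -req' does not copy extensions from the CSR,
    # so the SAN must be passed again via -extfile or it is silently dropped.
    openssl x509 -req -days "$days" -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" -extfile "$dir/san.cnf" -extensions v3_req 2>/dev/null
}

# Checks on the result. Each returns 0 on success so it can be used in a shell test.

# Common Name of the certificate subject (works with old and new -subject formats).
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Does the certificate list $2 in its Subject Alternative Name?
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Self-signed means issuer and subject are the same name.
cert_is_selfsigned() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')
    [ "$subj" = "$issr" ]
}

# Does private key $1 belong to certificate $2? Compare the RSA moduli.
key_matches_cert() {
    k=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Trusted only when explicitly installed: verification succeeds with the
# certificate itself as the trust anchor ...
verify_with_anchor() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# ... and fails against the default store (the browser's "unknown authority" warning).
verify_default_store() {
    openssl verify "$1" >/dev/null 2>&1
}

# Stand-alone usage: sh this_file.sh --demo ./certs demo.joyios.com
if [ "${1:-}" = "--demo" ]; then
    make_selfsigned "${2:-./certs}" "${3:-demo.joyios.com}" 365
    openssl x509 -in "${2:-./certs}/server.crt" -noout -subject -issuer -dates
fi
```

The CSR step is kept rather than collapsed into a one-shot `openssl req -x509` so that the same san.cnf can be reused unchanged when the request is later sent to a real CA; only the final `x509 -req` line changes. The last two checks are the point of the post's warning: the certificate verifies when it is its own trust anchor and fails against the default store, which is exactly what the browser reports.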

 


Source: blog.csdn.net/nicholas_duan/article/details/92571314