Certificates and their public and private keys

Scenario

Websites and other services exposed to the public usually run under an externally registered domain name and serve traffic over HTTPS. HTTPS encrypts the communication on the basis of a certificate, so certificates and the keys behind them become part of the picture.

About domain names

A domain name served to the public must complete the registration filing (备案); otherwise it is treated as unlicensed and blocked. The filing in turn requires genuine company information, which means the company must already be registered.

About certificates

Certificate deployment

When using HTTPS, the certificate can be configured in several places. If the back end is a Tomcat service, the certificate can be deployed on Tomcat; if Tomcat sits behind an Nginx reverse proxy, the certificate is usually configured on Nginx instead.

Real deployments are usually more complex. On a cloud platform, for example, the chain in front of the application might be Anti-DDoS + WAF + SLB + Nginx, and every one of those products that terminates HTTPS must have the certificate deployed (if the SLB runs in TCP passthrough mode it cannot hold the certificate, since it never sees the TLS layer). If static content is served through a CDN, the CDN also needs the certificate.

Tip: Nginx, WAF and similar products in front of the back-end server can be understood simply as proxies between the client and the back end. The connection between the client and the proxy is encrypted using the certificate; the proxy then forwards the request layer by layer. Note that TLS ends at whichever proxy holds the certificate: the hop from that proxy to the next layer is plain HTTP unless that layer is given a certificate too and the proxy is told to forward over HTTPS.
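A minimal illustration of the "certificate on the proxy, Tomcat behind it" layout described above. This is an added example, not configuration from the original post; the hostname, file paths and Tomcat port are assumed.

```nginx
# Added example: TLS terminated on Nginx, request forwarded to Tomcat on the same host.
server {
    listen 443 ssl;
    server_name www.example.com;          # assumed hostname

    # The vendor's certificate and private key (the asdf.crt / asdf.key pair).
    # For a purchased certificate, asdf.crt must contain the server certificate
    # followed by the vendor's intermediate certificate(s), or clients will
    # fail to build the chain.
    ssl_certificate     /etc/nginx/certs/asdf.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/asdf.key;   # assumed path, keep it mode 0600
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # TLS ends here. This hop is plaintext HTTP; switch to proxy_pass https://
        # and deploy a certificate on Tomcat if the inner network is not trusted.
        proxy_pass http://127.0.0.1:8080;            # assumed Tomcat port
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP         $remote_addr;
    }
}
```

Check the result from outside with `openssl s_client -connect www.example.com:443 -servername www.example.com`; the "Verify return code" line tells you whether the chain served by Nginx is complete.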

Several concepts

(1) Asymmetric encryption: a key pair consists of a public key and a private key. What is encrypted with the public key can be decrypted only with the private key, and the reverse direction, private key operating and public key checking, is what a digital signature is. RSA is the common asymmetric algorithm.

The private key is kept by its owner and known only to them; the public key is public.
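The two directions in practice, using the same openssl tool the post uses below. This is an added example, not from the original post; it assumes OpenSSL 1.1 or later (for genpkey and pkeyutl) and all file names are made up for the demo.

```shell
#!/bin/sh
# Added example: public key encrypts / private key decrypts, and
# private key signs / public key verifies, with a tamper check.
set -eu

asym_demo() {
  dir=$(mktemp -d)                      # scratch directory, nothing is kept
  cd "$dir"

  # Key pair: the .key file holds the private key; the public key is derived from it.
  openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out rsa_private.key 2>/dev/null
  openssl rsa -in rsa_private.key -pubout -out rsa_public.key 2>/dev/null

  printf 'secret message' > msg.txt

  # Direction 1: anyone with the public key can encrypt (OAEP padding, not raw RSA)...
  openssl pkeyutl -encrypt -pubin -inkey rsa_public.key \
    -pkeyopt rsa_padding_mode:oaep -in msg.txt -out msg.enc
  # ...only the private key holder can decrypt.
  openssl pkeyutl -decrypt -inkey rsa_private.key \
    -pkeyopt rsa_padding_mode:oaep -in msg.enc -out msg.dec
  cmp -s msg.txt msg.dec || return 1

  # Direction 2: the private key signs a hash, the public key verifies it.
  openssl dgst -sha256 -sign rsa_private.key -out msg.sig msg.txt
  openssl dgst -sha256 -verify rsa_public.key -signature msg.sig msg.txt >/dev/null || return 1

  # A one-byte change to the message must make the same signature fail.
  printf 'secret messagE' > tampered.txt
  if openssl dgst -sha256 -verify rsa_public.key -signature msg.sig tampered.txt >/dev/null 2>&1; then
    return 1
  fi
  echo ok
}

asym_demo
```

The ciphertext in msg.enc is useless without rsa_private.key, which is exactly why the private key of a purchased certificate must never leave the server (or the proxy) that terminates HTTPS.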

(2) OpenSSL: an open-source project providing a cryptographic library and a command-line tool that implement the main cryptographic algorithms;

(3) CA: Certificate Authority. When you receive a certificate you first validate it against the CA that issued it, to confirm that it is a "genuine" certificate rather than one that has been tampered with or self-issued. Once the certificate checks out, you take the public key from it and can communicate securely with the other party on the basis of asymmetric encryption. The distribution and security of the CAs' own root certificates is handled through a few authoritative channels: the operating system ships with a set of official CA certificates, and browsers ship with their own set as well;


Introduction to certificate files

A certificate purchased from a third party generally comes as two files, for example asdf.key and asdf.crt. The .key file is the private key (the public key can be derived from it); the .crt file is the certificate, which carries the public key, the algorithm, the company's identity and other public information.

A certificate together with its key pair and the other public information can also be generated yourself with OpenSSL or similar tools, but such self-signed certificates are only usable internally; outside your own environment nobody trusts them.

Key generation:

openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out rsa_private.key   # generate the key pair (explicit 2048-bit size; the file holds the private key)

openssl rsa -in rsa_private.key -text -noout                                          # view the key

openssl rsa -in rsa_private.key -pubout -out rsa_public.key                           # extract the public key

Certificate generation:
openssl req -new -key rsa_private.key -out server.csr                                 # generate a CSR from the private key; you are prompted for the subject fields, which are public
openssl req -in server.csr -text -noout                                               # view the generated CSR; the information you entered is visible
openssl x509 -req -days 365 -in server.csr -signkey rsa_private.key -out mycert.crt   # self-sign the CSR: mycert.crt is valid for 365 days
openssl x509 -in mycert.crt -text -noout                                              # view the certificate's contents


Source: www.cnblogs.com/fanggege/p/12131582.html