Updated 2025-03-28
Shulou(Shulou.com)06/01 Report--
01. About FreeSSL.cn
FreeSSL.cn is a website that provides free HTTPS certificate application, certificate management and certificate expiration reminder services. It aims to promote the adoption of HTTPS certificates and simplify the certificate application process.
Of course, what I value is not that it is free, but that FreeSSL is very user-friendly. I am a programmer with very weak computer knowledge (shame), but through FreeSSL, I was actually able to complete the HTTPS configuration of Tomcat on my own!
Many years ago, my company was building an interface to Huaxia Bank that required HTTPS access. We spent about 3000 yuan to buy a certificate, but in the end the certificate had problems and HTTPS was never set up. Anyway, it was a trick!
FreeSSL.cn is very different: applying is very convenient, it has many advantages, and it is worth recommending. After all, e-mail and phone calls are no longer needed (maybe the times have improved).
100% permanently free, thanks to the free SSL certificates provided by Let's Encrypt and TrustAsia.
Before an HTTPS certificate expires, FreeSSL.cn promptly reminds you to replace it, free of charge.
The private key is never transmitted over the network, which protects the security of the HTTPS certificate.
02. Apply for a certificate using FreeSSL
First, fill in the domain name and click "create a free SSL certificate"
Step 2, fill in your e-mail address and click "create"
1) the certificate type defaults to RSA
What's the difference between RSA and ECC? You can learn about it through the following paragraphs.
HTTPS provides three major functions through the TLS layer and the certificate mechanism: content encryption, identity authentication and data integrity. Together these effectively prevent data from being monitored or tampered with, and defend against MITM (man-in-the-middle) attacks. For encryption, TLS needs two kinds of algorithms: asymmetric key exchange and symmetric content encryption.
Symmetric content encryption is very strong, and encryption and decryption are very fast, but on its own it cannot safely generate and keep the key. In the TLS protocol, application data is transmitted after symmetric encryption, and the symmetric key used for transmission is exchanged through asymmetric key exchange in the handshake phase. The common AES-GCM and ChaCha20-Poly1305 are symmetric encryption algorithms.
Asymmetric key exchange can generate a symmetric encryption key known only to the two communicating parties over an insecure channel. At present, the most commonly used key exchange algorithms are RSA and ECDHE: RSA has a long history and good support, but does not support PFS (Perfect Forward Secrecy), while ECDHE is a DH (Diffie-Hellman) algorithm using ECC (elliptic curves), which is fast and supports PFS.
2) the verification type defaults to DNS
What's the difference between DNS and file validation? Let's get to know it again.
First of all, we need to understand that the CA (Certificate Authority) must verify that we own the domain name before it will issue us a certificate.
File verification (HTTP): the CA verifies that we own the domain name by accessing a specific URL. Therefore, we need to download the given verification file and upload it to our server.
DNS verification: the CA determines our ownership of the domain name by querying a DNS TXT record. We only need to add the generated TXT record name and record value to the domain name on the domain name management platform, and wait about 1 minute for verification to succeed.
Therefore, if it is convenient for you to operate the server, you can choose file verification; if it is convenient for you to operate the domain name, you can choose DNS verification. If both are convenient, feel free to choose either.
3) CSR generation defaults to offline generation
What's the difference between "offline generation", "browser generation" and "I have CSR"? Come on, let's get to know more.
Offline generation (recommended!): the private key is encrypted and stored locally, which is more secure; the public key is merged automatically and common certificate format conversions are supported for convenient deployment; one-click deployment to some web servers is supported, which is very convenient.
Offline generation requires installing KeyManager first, which provides secure and convenient SSL certificate application and management. The download address is as follows:
https://keymanager.org/
For Windows, select "run as administrator" when installing.
Browser generation: when the browser supports Web Cryptography, the browser generates the CSR file based on the user's information.
Web Cryptography is a JavaScript API for performing basic cryptographic operations in web applications. Many browsers do not support it.
I have CSR: you can paste your own CSR to create the certificate.
The third step is to select offline generation and open KeyManager
After filling in the password, click "start", wait a moment, and the following interface appears.
The fourth step, return to the browser, click "next", and the following interface appears.
Step 5, download the verification file and upload it to the specified directory on the server.
Step 6, click "verify". After passing, the following interface appears.
Step 7, click "Save to KeyManager" and you can see that the certificate status has become issued.
03. Configure a certificate in jks format for Tomcat
First, export the certificate. If the server is Tomcat, you need to export the certificate in Java KeyStore (abbreviated JKS) format.
Note: the private key password set here is used later when configuring Tomcat.
Step 2, upload the certificate to the server.
The third step is to configure server.xml for Tomcat.
Here, keystorePass is the password that was used to encrypt the private key when the certificate was exported.
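An HTTPS connector of the kind this step describes is sketched below. It is an added example, not the configuration from the original article: the keystore file name, the password value and port 443 are placeholders. It uses the connector-level keystorePass attribute the article refers to; Tomcat 8.5 and later also provide nested SSLHostConfig/Certificate elements for the same purpose.

```xml
<!-- Added example for conf/server.xml; file name and password are placeholders -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150"
           keystoreType="JKS"
           keystoreFile="conf/PLACEHOLDER.jks"
           keystorePass="PLACEHOLDER_EXPORT_PASSWORD"
           clientAuth="false" sslProtocol="TLS" />
```

A relative keystoreFile path is resolved against the Tomcat base directory. Because keystorePass sits in server.xml in plain text, keep that file and the .jks file readable only by the account that runs Tomcat.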
The fourth step is to restart Tomcat and type https://qingmiaokeji.cn/ in the browser's address bar to test.
Notice that there is a green security lock in front of the browser address bar, which indicates that the HTTPS configuration is successful! Okay, give yourself a round of applause!
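The same test can be scripted instead of relying on the lock icon. The following Python sketch is an added example, not part of the original article: it connects with full certificate and hostname verification, reports how many days remain before expiry, and reports whether the negotiated key exchange provides PFS as described in section 02. The function names and the 30-day warning threshold are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

def days_until_expiry(cert, now=None):
    """Days left before notAfter; `cert` is a getpeercert()-style dict."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days

def has_forward_secrecy(cipher_name, protocol):
    """True when the negotiated key exchange is ephemeral (PFS).

    TLS 1.3 only has ephemeral key exchange. For TLS 1.2, OpenSSL suite
    names start with ECDHE- or DHE- when ephemeral; a name such as
    AES128-GCM-SHA256 means static RSA key exchange (no PFS).
    """
    if protocol == "TLSv1.3":
        return True
    return cipher_name.startswith(("ECDHE-", "DHE-"))

def check_site(host, port=443, warn_days=30):
    """Connect as a browser would and summarise what was negotiated."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            protocol = tls.version()
            name = tls.cipher()[0]
    left = days_until_expiry(cert)
    return {
        "protocol": protocol,
        "cipher": name,
        "forward_secrecy": has_forward_secrecy(name, protocol),
        "days_left": left,
        "renew_soon": left < warn_days,
    }

if __name__ == "__main__":
    import sys
    print(check_site(sys.argv[1]))  # host name given on the command line
```

A suite such as ECDHE-RSA-AES128-GCM-SHA256 shows that a certificate of the default RSA type can still be served with ECDHE key exchange, so the certificate type alone does not decide whether a connection has PFS.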
04. Finally
Did you buy a five-minute hourglass? If the HTTPS is not configured successfully in more than five minutes, come and hit me!