2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article introduces how to use openssl to create an https certificate. Many people have questions about this in day-to-day work, so the editor consulted a range of materials and put together a simple, easy-to-follow procedure. I hope it helps answer the question of how to use openssl to create an https certificate. Let's get started!
Starting today, the author intends to talk about the http2 protocol. To understand http2 properly, you need to build an http2 service by hand and compare the characteristics of http2 and http1.1, so as to understand some of the new features of http2.
An http2 service is based on TLS/SSL, similar to https, so we first need to figure out how to build an https server. To build an https server, we need an https certificate. Where does the certificate come from? You can buy a domain name from Aliyun and get a free certificate, you can apply for a paid certificate from an https vendor, or you can use openssl to generate your own certificate.
As the paragraph above shows, programmers do not have it easy. To understand one thing, you usually have to go back to the source, dig deeper and deeper, fall into a pit, and then rescue yourself.
That said, there is one more prerequisite: the principle of https. If you are not clear on it, please read these two articles first: the principles of https in plain language, and how to configure https certificates in nginx.
If you have read the previous two articles, or have a general understanding of https, then we are officially starting today's topic, how to use openssl to generate certificates?
First, a picture. It shows the whole process of generating certificates with openssl. How should you read it?
The diagram has three parts, A, B and C, each marked with a box of a different color (a chicken leg for the editor, please). Part A is the process of generating the root certificate of the CA institution: first generate the CA's private key, then use that private key to generate the CA's certificate request file, and then generate the root certificate from these two files.
Part B generates the server private key and then generates the server certificate request file from the server private key.
Part C is the last part: generating the server's public key certificate. It is produced from three inputs: the CA's private key and the CA's certificate from part A, and the server certificate request file from part B. Together these three generate the server public key certificate.
According to the figure, it is divided into the following steps:
1. Generate the server private key.
openssl genrsa -out server.key 1024
2. Generate a certificate request file from the server private key file. The request contains some information about the applicant, so the following command prompts for user information on the command line; you can enter anything, or just press Enter all the way through.
openssl req -new -key server.key -out server.csr
3. Generate the private key of the CA institution. The command is the same as for the server private key, except that this is the CA's private key.
openssl genrsa -out ca.key 1024
4. Generate the certificate request file of the CA institution.
openssl req -new -key ca.key -out ca.csr
5. Generate a self-signed certificate. The CA uses its own private key and certificate request file to generate a certificate signed by itself, commonly known as a self-signed certificate, which can be understood as the root certificate.
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
6. Generate the server certificate from the CA's self-signed certificate ca.crt (the root certificate), the CA's private key ca.key, and the server's certificate request file server.csr.
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
The process above is a simulation of how the major https certificate vendors generate https certificates, and it involves concepts such as the root certificate. If you do not understand it, that does not matter: we still have Plan B. If you just want the certificate and do not want to go too deep, use the following method, which is simple and fast.
It only takes three steps:
Step 1: generate the server private key:
openssl genrsa -out server.key 1024
Step 2: generate a certificate request file based on the private key and the information entered:
openssl req -new -key server.key -out server.csr
Step 3: generate a certificate with the private key from step 1 and the request file from step 2:
openssl x509 -req -in server.csr -out server.crt -signkey server.key -days 3650
So we get the private key server.key and certificate server.crt.
Why is the second approach simpler, with fewer steps than the first? Here is a brief explanation. The first method simulates, in simplified form, how https vendors generate https certificates. Certificate vendors generally have a root certificate; here we simulate generating the vendor's root certificate, that is, steps 3, 4 and 5 of the first method.
In practice these steps are invisible to the user; here they are simply simulated. Usually, the certificate applicant only needs to give the server public key (note: not the private key) and the server certificate request file to the https certificate vendor. The vendor then sends back a server public key certificate by email, and you use that certificate together with the server private key you generated yourself to build the https application.
The second method is simpler because we generate the certificate for local testing: we play both the https vendor and the user, so we can use the self-signed certificate directly as the server certificate. It is simple and fast, but only suitable for testing.
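The CA-signed flow (steps 1 to 6) and the three-step shortcut, run end to end without prompts and then checked with openssl verify, as an added example that is not part of the original article. The subject names, the 2048-bit keys (in place of the article's 1024), the lifetimes and the extension files carrying the CA flag and subjectAltName are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): both flows, run without prompts.
# Assumed: subject names, 2048-bit keys, lifetimes, the *.ext extension files.

# Steps 3-5: CA key, CA request, self-signed root marked as a CA.
make_ca() {  # $1 = output directory
  ( cd "$1" &&
    openssl genrsa -out ca.key 2048 2>/dev/null &&
    openssl req -new -key ca.key -subj "/CN=Demo Test CA" -out ca.csr &&
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext &&
    openssl x509 -req -in ca.csr -signkey ca.key -extfile ca.ext \
      -days 3650 -out ca.crt 2>/dev/null )
}

# Steps 1, 2, 6: server key, server request, certificate signed by the CA.
make_server_cert() {  # $1 = directory holding ca.crt/ca.key, $2 = host name
  ( cd "$1" &&
    openssl genrsa -out server.key 2048 2>/dev/null &&
    openssl req -new -key server.key -subj "/CN=$2" -out server.csr &&
    # subjectAltName carries the host name that clients match against.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$2" > server.ext &&
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -extfile server.ext -days 365 -out server.crt 2>/dev/null )
}

# Plan B: certificate signed with the server's own key (no CA involved).
make_self_signed() {  # $1 = directory holding server.key/server.csr
  ( cd "$1" &&
    openssl x509 -req -in server.csr -signkey server.key \
      -days 365 -out selfsigned.crt 2>/dev/null )
}

# True only if the certificate chains to ca.crt in the same directory.
chains_to_ca() {  # $1 = directory, $2 = certificate file name
  ( cd "$1" && openssl verify -CAfile ca.crt "$2" >/dev/null 2>&1 )
}

# True if the certificate lists the host name in subjectAltName.
has_san() {  # $1 = directory, $2 = certificate file name, $3 = host name
  openssl x509 -in "$1/$2" -noout -text | grep -q "DNS:$3"
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
make_ca "$demo_dir" && make_server_cert "$demo_dir" localhost && make_self_signed "$demo_dir"
chains_to_ca "$demo_dir" server.crt     && echo "server.crt: signed by the demo CA"
chains_to_ca "$demo_dir" selfsigned.crt || echo "selfsigned.crt: not trusted via the CA"
has_san "$demo_dir" server.crt localhost && echo "server.crt: SAN covers localhost"
```

A client that trusts ca.crt accepts server.crt, while selfsigned.crt has to be trusted individually, which is why the shortcut suits local testing only.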
To sum up:
1. This article briefly maps out the knowledge path for http2. To understand http2, you need to build an http2 service; to build an http2 service, you need to understand how to build an https service; and to build an https service, you need to understand the principle of https and how to obtain certificates. Today we covered how to obtain certificates.
2. The main topic today is how to use openssl to generate https certificates. The first method simulates a simplified version of the process https vendors use to generate https certificates; the second method is a simplified version suitable for local testing.
In the next issue, we will use the generated https certificate to build an https service.
That concludes this look at how to use openssl to create an https certificate. I hope it has answered your questions. Theory works best alongside practice, so go and try it!