2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
SSL Certificates are generated to complete HTTPS verification
An SSL certificate is the direct path for upgrading HTTP to a secure HTTPS connection, and it can be obtained by applying to a digital certificate authority (CA). Producing an SSL certificate is not done in one step; it requires certain procedures, but they are not complicated, and the certificate can be produced quickly once the application information is approved. The following describes how to generate SSL certificates.
Types of SSL certificates include:
1. CA certificate, also known as root certificate or intermediate certificate. This certificate is optional for one-way HTTPS authentication. If the CA certificate is not installed, browsers treat the connection as insecure by default.
2. Server certificate, required. It is generated from the key and the certificate request file (CSR), which is then signed with the CA certificate.
3. Client certificate, optional. If a client certificate is present, HTTPS authentication is two-way.
All of the above certificates can be generated by yourself.
File suffixes
Linux systems do not determine file types by suffix, but suffixes are added to make the purpose of each file easier to recognize. The following are the customary suffixes.
*.key: key file, usually the private key in SSL;
*.csr: Certificate request file, which contains public key and other information, and can generate certificates after signing;
*.crt, *.cert: Certificate file containing public key, signature and other information required for authentication, such as host name (IP).
*.pem: It usually contains information about the private key and certificate.
Generation of Server Certificate
a) Generate server private key
openssl genrsa -des3 -out server.key 1024
Enter the encryption password; the key is generated with the 128-bit RSA algorithm and written to the server.key file.
b) Generate Server Certificate Request (CSR)
openssl req -new -key server.key -out server.csr
CSR stands for Certificate Signing Request. Before applying for a certificate, the CSR must be generated on the server and submitted to the CA; only then can the CA issue the SSL server certificate. The CSR can also be thought of as a certificate generated on the server.
One thing to note when generating this file is that the Common Name must be entered as the hostname (or server IP).
c) Generate your own server certificate
If the certificate is not signed by a CA certificate, it is generated as follows:
openssl req -x509 -days 1024 -key server.key -in server.csr > server.crt
This generates the certificate server.crt from the server key and the certificate request; the -days parameter gives the certificate validity period in days. Commercially, server certificates are issued by a third-party certification authority.
If CA certificate signing is used, generate the server certificate using the tool CA.sh provided by openssl:
mv server.csr newreq.pem
./CA.sh -sign
mv newcert.pem server.crt
After signing the certificate, you can view the contents of the server certificate by issuing the following command:
openssl x509 -noout -text -in server.crt
Server certificates can be verified by issuing the following command:
openssl verify -CAfile ca.crt server.crt
Generation of client certificates
Client certificates are optional. If there is a client certificate, HTTPS uses two-way authentication; otherwise it uses one-way authentication.
a) Generate client private key
openssl genrsa -des3 -out client.key 1024
b) Generate client certificate signing request
openssl req -new -key client.key -out client.csr
c) Generate client certificate (signed with CA certificate)
openssl ca -in client.csr -out client.crt
d) Convert the certificate to a format recognized by the browser
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
Certificate list
If two-way authentication is used, there are three private keys and three certificates: ca.key, ca.crt, server.key, server.crt, client.key, client.crt, and client.pfx for browsers.
If one-way authentication with CA certificate is used, the certificate and private key are ca.key, ca.crt, server.key, server.crt.
If one-way authentication without a CA certificate is used, the certificate and private key are server.key, server.crt.
Finally, with Fedora as the client, wget 1.14 was used via the command:
wget --ca-certificate=server.crt https://+ip+file
The file was obtained successfully and certificate verification passed.
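The whole procedure above, run without prompts, as an added example that is not part of the original article: it creates the ca.key/ca.crt pair that the certificate list names, signs the server and client requests with it, and adds checks for the chain, the host name and the key/certificate pairing. Assumptions: the function names, subject names, host name and PKCS#12 password are constructed; keys are 2048-bit and unencrypted (test use only) rather than the 1024-bit passphrase-protected keys in the commands above, because current CAs and browsers reject 1024-bit RSA; signing uses openssl x509 -req instead of CA.sh or openssl ca so that no CA directory layout is needed.

```shell
#!/bin/sh
# Added example: builds the ca/server/client file set from the certificate
# list without prompts. Names, host and password are constructed test values.

# new_csr DIR NAME CN: 2048-bit RSA key (unencrypted, test only) plus CSR.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr"
}

# sign_csr DIR NAME [EXTFILE]: sign DIR/NAME.csr with the CA kept in DIR.
sign_csr() {
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -sha256 ${3:+-extfile "$3"} -out "$1/$2.crt"
}

make_pki() {   # make_pki DIR HOSTNAME
    d=$1; host=$2
    mkdir -p "$d" || return 1
    # Self-signed root: the ca.key / ca.crt pair from the certificate list.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Constructed Test CA" -keyout "$d/ca.key" -out "$d/ca.crt" || return 1
    # Server: current clients match the host name against subjectAltName,
    # so it is added at signing time in addition to the Common Name.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$d/server.ext"
    new_csr "$d" server "$host" && sign_csr "$d" server "$d/server.ext" || return 1
    # Client certificate and the PKCS#12 bundle for browser import.
    new_csr "$d" client "constructed-client" && sign_csr "$d" client || return 1
    openssl pkcs12 -export -clcerts -in "$d/client.crt" -inkey "$d/client.key" \
        -passout pass:constructed-password -out "$d/client.pfx" || return 1
    chmod 600 "$d"/*.key    # private keys readable by the owner only
}

# chain_ok DIR CERT [HOSTNAME]: "openssl verify -CAfile ca.crt", optionally
# also requiring that the certificate is valid for HOSTNAME.
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" ${3:+-verify_hostname "$3"} \
        "$1/$2" >/dev/null 2>&1
}

# key_matches DIR NAME: NAME.key and NAME.crt hold the same public key.
key_matches() {
    [ "$(openssl pkey -in "$1/$2.key" -pubout | openssl sha256)" = \
      "$(openssl x509 -in "$1/$2.crt" -noout -pubkey | openssl sha256)" ]
}
```

Running make_pki ./pki app.example.test and then chain_ok ./pki server.crt app.example.test exits 0 only when the certificate chains to ca.crt and covers that host name; key_matches catches a server.key deployed next to the wrong server.crt.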