2025-02-24 Update From: SLTechnology News&Howtos (Shulou.com)
This article shares how to get HTTPS configured. The editor finds it quite practical and is sharing it so that everyone can learn from it; hopefully you will gain something from reading it. Without further ado, let's take a look.
01. About FreeSSL.cn
FreeSSL.cn is a website that provides HTTPS certificate application, HTTPS certificate management and HTTPS certificate expiration reminder services for free. It aims to promote the popularization and application of HTTPS certificates and simplify the certificate application process.
Of course, what I value is not that it is free, but that FreeSSL is very user-friendly. I am a programmer with very poor computer knowledge (shame on me), but with FreeSSL I was able to configure HTTPS for Tomcat on my own!
Many years ago, the company needed to integrate with a Huaxia Bank interface, which required HTTPS access. It cost about 3000 yuan to buy a certificate. In the end, there were problems with the certificate and HTTPS was never sorted out. In short, it was a pit!
FreeSSL.cn is very different: applying is very convenient and it has many advantages, so it is worth recommending. After all, there is no need for email, telephone or other kinds of contact (perhaps the times have improved).
100% free forever; thanks to Free SSL Certificates from Let's Encrypt and TrustAsia.
FreeSSL.cn will promptly remind you to replace your HTTPS certificate before it expires, a free service.
The private key is never transmitted over the network, which protects the security of the HTTPS certificate.
02. Apply for a certificate using FreeSSL
Step 1: Fill in the domain name and click "Create Free SSL Certificates"
Step 2: Fill in your email and click Create.
1) The certificate type defaults to RSA
What is the difference between RSA and ECC? You can find out through the following paragraphs.
HTTPS provides three functions through the TLS layer and the certificate mechanism: content encryption, identity authentication and data integrity. Together they effectively prevent data from being intercepted or tampered with, and they also resist MITM (man-in-the-middle) attacks. To implement encryption, TLS needs two kinds of algorithm: asymmetric key exchange and symmetric content encryption.
Symmetric content encryption is very strong and very fast at both encryption and decryption, but on its own it gives the two sides no secure way to generate and keep the key. In the TLS protocol, application data is transmitted after symmetric encryption, and the symmetric key used for that is obtained through asymmetric key exchange during the handshake phase. The common AES-GCM and ChaCha20-Poly1305 are symmetric encryption algorithms.
Asymmetric key exchange lets both parties generate a symmetric encryption key known only to them over an insecure data channel. RSA key exchange has a long history and good support, but it does not support PFS (Perfect Forward Secrecy); ECDHE is a DH (Diffie-Hellman) algorithm using ECC (Elliptic Curve Cryptography), which is fast to compute and supports PFS.
2) Authentication type defaults to DNS
What is the difference between DNS and file validation? Let's take a look at that as well.
First of all, we need to understand that the CA (Certificate Authority) needs to verify that we own the domain name before issuing us a certificate.
File validation (HTTP): The CA verifies that we own the domain name by accessing a specific URL. We therefore need to download the given verification file and upload it to our server.
DNS validation: The CA determines our ownership of the domain name by querying a DNS TXT record. We only need to add the generated TXT record name and record value to the domain in the domain name management platform, then wait about 1 minute for verification to succeed.
Therefore, if it is convenient for you to operate on the server, choose file validation; if it is convenient for you to operate on the domain's DNS management, choose DNS validation. If both are convenient, choose either.
3) CSR generation defaults to offline generation
What's the difference between "offline generation", "browser generation" and "I have CSR"? Let's continue.
Offline generation (recommended!!!): The private key is stored locally in encrypted form, which is more secure; the public key is synthesized automatically and common certificate format conversions are supported, which is convenient for deployment; one-click deployment to some web servers is supported, which is very convenient.
For offline generation, you first need to install KeyManager, which provides safe and convenient application for and management of SSL certificates. The download address is as follows: https://keymanager.org/
For Windows, select "Run as Administrator" when installing.
Browser generation: If the browser supports Web Cryptography, the CSR file is generated in the browser from the user's information.
Web Cryptography is a JavaScript API for performing basic cryptographic operations in web applications. Many browsers do not support it.
I have CSR: You can paste your own CSR and create the certificate from it.
Step 3: Select Offline Generation and open KeyManager.
After filling in the password, click "Start". Wait a moment and the following interface will appear.
Step 4: Go back to your browser and click "Next" to display the following interface.
Step 5: Download the file and upload it to the server's designated directory.
Step 6: Click "Verify". Once verification passes, the following interface appears.
Step 7: Click "Save to KeyManager". You can see that the certificate status has changed to Issued.
03. Configure jks format certificates for Tomcat
Step 1: Export the certificate. If you select Tomcat as the server, you need to export the certificate in Java KeyStore (abbreviated jks) format.
Note: The private key password set here is used later when configuring Tomcat.
Step 2: Upload the certificate to the server.
Step 3: Configure Tomcat's server.xml.
Here, keystorePass is the password used to encrypt the private key when exporting the certificate.
Step 4: Restart Tomcat and test it by typing https://itwanger.cn/ in the browser address bar.
Notice that there is a green security lock in front of the browser address bar, which means that HTTPS configuration is successful!
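The server.xml settings from Step 3 can also be checked mechanically before Tomcat is restarted. The following is an added example, not code from the original article: a Python audit run over a constructed legacy-style Connector that flags Tomcat's default keystorePass, protocols older than TLS 1.2, and cipher suites without the forward secrecy discussed in section 02. The keystore path, password, and the sslEnabledProtocols and ciphers values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a legacy-style HTTPS Connector as accepted by Tomcat 8.5/9.
# Keystore path, password, protocols and ciphers are placeholders, not the article's values.
SAMPLE_SERVER_XML = """
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="443"/>
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="conf/example.jks" keystorePass="changeit"
             sslEnabledProtocols="TLSv1,TLSv1.2"
             ciphers="TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
</Service></Server>
"""

WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
TLS13_SUITES = ("TLS_AES_", "TLS_CHACHA20_")


def has_forward_secrecy(jsse_suite):
    """True if the suite uses an ephemeral (EC)DHE exchange or is a TLS 1.3 suite."""
    return "_ECDHE_" in jsse_suite or "_DHE_" in jsse_suite or jsse_suite.startswith(TLS13_SUITES)


def audit_connectors(server_xml):
    """Return (port, finding) tuples for every SSL-enabled Connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port")
        if not conn.get("keystoreFile"):
            findings.append((port, "no keystoreFile set"))
        if conn.get("keystorePass", "changeit") == "changeit":
            findings.append((port, "keystorePass is Tomcat's default 'changeit'"))
        protos = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()}
        for p in sorted(protos & WEAK_PROTOCOLS):
            findings.append((port, f"weak protocol enabled: {p}"))
        for suite in filter(None, (s.strip() for s in conn.get("ciphers", "").split(","))):
            if not has_forward_secrecy(suite):
                findings.append((port, f"no forward secrecy: {suite}"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
```

A connector that omits sslEnabledProtocols or ciphers inherits the JVM defaults, which this audit does not evaluate.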
That is how to get HTTPS configured. Some of these points are ones you may see or use in daily work, and I hope you can learn more from this article.