Shulou (Shulou.com) 06/02 Report, SLTechnology News & Howtos > Servers (updated 2025-01-16)
As networks have grown, network security has become more and more important, and for a website the first step is usually to move from HTTP to HTTPS. To serve HTTPS you first need an SSL/TLS certificate. This article covers the following:
1. A brief introduction to SSL
2. Deploying a free Let's Encrypt certificate
3. Installation considerations
I. A brief introduction to SSL
SSL (Secure Sockets Layer) is an encryption protocol that sits between the application layer and the transport layer, that is, between TCP/IP and application protocols such as HTTP, and encrypts application data in transit. It consists of two parts: the record protocol, which frames and encrypts the data, and the handshake protocol, which negotiates the keys and parameters. Those interested can study the details; here is a brief overview of the process.
Its workflow can be summarised as: the client opens a connection to the server, starts a handshake, the two sides exchange certificate and key material, and a protected session is established. In outline:
Client: sends the SSL/TLS versions and cipher suites it supports to the server.
Server: picks a cipher suite and sends its certificate, which contains its public key, to the client.
Client: validates the certificate (chain of trust, name match, validity period), then generates a shared secret and sends it to the server encrypted with the server's public key (RSA key exchange; with Diffie-Hellman suites the two sides instead exchange values from which both derive the secret).
Server: recovers the shared secret; from here on both sides encrypt application data with keys derived from it.
The above is a simplified description of the handshake; each step can be decomposed further, and the relevant specifications cover the details.
TLS, the successor protocol, is based on the SSL 3.0 specification but is stricter and more precisely specified. One TLS extension is SNI (Server Name Indication); its role is as follows.
A single host commonly serves many sites. We cannot know in advance every domain name the server will ever handle, and we cannot reissue a certificate every time a domain is added. With SNI the client sends the hostname it wants inside the ClientHello, so the server can hold several certificates, pick the matching virtual host during the handshake, and send the corresponding certificate; without SNI a server can present only one certificate per IP address and port. Note that the SNI hostname is sent in cleartext, before encryption starts. In IIS 8.0 and above the site binding dialog offers a "Require Server Name Indication" option for this:
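The handshake steps and the SNI extension described above, as an added example that is not part of the original article or of any product mentioned in it. It builds a minimal TLS 1.2 ClientHello record carrying an SNI extension, parses the server_name back out of the raw bytes the way a virtual-hosting server must before it can choose a certificate, and then does that selection. The hostnames and the certificate table are constructed for the example; the record layout follows the TLS 1.2 wire format.

```python
"""Build a TLS 1.2 ClientHello with an SNI extension, parse the SNI back out,
and select a certificate from it as a virtual-hosting server would.
Added example; hostnames and certificate file names are made up."""
import struct

def _u16(n: int) -> bytes:
    return struct.pack(">H", n)

def _u24(n: int) -> bytes:
    return n.to_bytes(3, "big")

def build_client_hello(server_name, cipher_suites=(0xC02F, 0xC030, 0x009C)) -> bytes:
    """Minimal ClientHello record; server_name=None emulates an old client without SNI."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + _u16(len(host)) + host           # name_type host_name(0) + HostName
        sni_list = _u16(len(entry)) + entry                # ServerNameList
        ext = _u16(0) + _u16(len(sni_list)) + sni_list     # extension_type server_name(0)
        extensions = _u16(len(ext)) + ext
    suites = b"".join(_u16(s) for s in cipher_suites)
    body = (
        b"\x03\x03"                      # client_version: TLS 1.2
        + bytes(32)                      # random (zeroed here; real clients use CSPRNG output)
        + b"\x00"                        # session_id: empty
        + _u16(len(suites)) + suites     # cipher_suites the client supports
        + b"\x01\x00"                    # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + _u24(len(body)) + body               # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # ContentType handshake(22)

def parse_sni(record: bytes):
    """Extract server_name from a ClientHello record; None if the client sent no SNI."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 2 + 32                                        # skip client_version and random
    p += 1 + body[p]                                  # session_id
    p += 2 + struct.unpack(">H", body[p:p + 2])[0]    # cipher_suites
    p += 1 + body[p]                                  # compression_methods
    if p + 2 > len(body):
        return None                                   # no extensions block at all
    ext_end = p + 2 + struct.unpack(">H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack(">HH", body[p:p + 4])
        data = body[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype != 0:
            continue
        q = 2                                         # skip ServerNameList length
        while q + 3 <= len(data):
            ntype = data[q]
            nlen = struct.unpack(">H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + nlen]
            q += 3 + nlen
            if ntype == 0:
                return name.decode("idna").lower()
    return None

# Constructed table: virtual host -> certificate file bound to it
CERTS = {"www.example.com": "example-com.pfx", "blog.example.net": "example-net.pfx"}

def select_certificate(record: bytes, cert_by_host: dict, default_cert=None, require_sni=False):
    """Server side: the SNI name picks the virtual host's certificate. Without SNI only
    one default certificate per IP:port is possible; require_sni=True models the
    IIS 'Require Server Name Indication' binding, which refuses such clients."""
    name = parse_sni(record)
    if name is None:
        return None if require_sni else default_cert
    return cert_by_host.get(name, default_cert)

if __name__ == "__main__":
    rec = build_client_hello("WWW.Example.com")
    print(parse_sni(rec), select_certificate(rec, CERTS, "default.pfx"))
```

The parser lower-cases the name because hostname matching is case-insensitive; a server that compared the raw bytes would fail to find the binding for a client that sends mixed case. The require_sni branch is the behaviour to expect when the IIS binding is set to require SNI: legacy clients that omit the extension get no certificate and the handshake fails.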
There are many free and paid SSL certificate providers to choose from. We could also act as our own certificate authority and issue certificates ourselves, but browsers such as Chrome flag a certificate from an untrusted authority as a security risk and block the page, which is bad for users. By validation level, certificates fall into these categories:
EV: extended validation, the top tier. Browsers of the time turned the address bar green and displayed the name of the company that owns the site (modern browsers no longer show this special treatment).
OV: organisation validation, the widely used enterprise certificate. After deployment the padlock is shown in the address bar, and the certificate's subject carries the verified organisation name.
DV: domain validation only, so issuance is fast. The padlock is shown as well, but the certificate details have no O (Organization) field, only the domain name.
Most free certificates from CAs trusted by mainstream browsers are DV. The rest of this article walks through deploying the recently popular free Let's Encrypt certificate on Windows.
II. Deploying a free Let's Encrypt certificate
Let's Encrypt is a free, automated certificate authority (run by the non-profit ISRG) that is now trusted by mainstream browsers, including Chrome. For security reasons a Let's Encrypt certificate is valid for only 90 days (three months) and must be renewed before it expires. That complicates deployment, so the project provides various automation options. Here I introduce letsencrypt-win-simple, a Windows tool that requests the certificate and renews it automatically (the project has since been renamed win-acme).
First, download the release from GitHub (https://github.com/Lone-Coder/letsencrypt-win-simple/releases) and unzip it.
Because the installation needs to write verification files under each site's web root, open a command prompt as administrator (right-click the Start menu and choose Command Prompt (Admin)).
Change into the unzipped folder and run letsencrypt.exe --san
The tool automatically lists all websites under IIS, followed by these options:
These options correspond to different situations. Because I have several sites on my machine and want one certificate covering them, I choose S, after which it prompts for the numbers of the sites to install; here I enter 3 and 4.
Next it creates a verification file under each selected site; once validation passes, the certificate is generated and added to IIS with the bindings. If everything goes well, a scheduled renewal task is also created in Task Scheduler.
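The "verification file under each site" step above, as an added example that is not part of the original article or of letsencrypt-win-simple's own code. It assumes the tool uses the ACME HTTP-01 challenge, which is what a file under the site's web root implies: the client writes a key authorisation (token, a dot, and the thumbprint of the ACME account key) to /.well-known/acme-challenge/<token>, and the CA fetches that URL over plain HTTP before issuing. The account key JWK and token are constructed for the example, and the "CA" is a local function reading the file rather than a network fetch.

```python
"""HTTP-01 challenge round trip: client writes the key authorisation under the
web root, CA checks it. Added example; the JWK, token and web root are made up."""
import base64
import hashlib
import json
import os
import tempfile

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: required members only, lexicographic order, no whitespace, SHA-256
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    return f"{token}.{jwk_thumbprint(jwk)}"

def challenge_path(webroot: str, token: str) -> str:
    return os.path.join(webroot, ".well-known", "acme-challenge", token)

def write_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Client side: place the response where http://<site>/.well-known/acme-challenge/<token>
    will serve it. This is why the tool needs write access to the site root."""
    path = challenge_path(webroot, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as f:
        f.write(key_authorization(token, jwk))
    return path

def ca_validate(webroot: str, token: str, expected_thumbprint: str) -> bool:
    """CA side, simulated locally: read the file and require token + '.' + thumbprint.
    A missing file or a response for a different account key both fail."""
    try:
        with open(challenge_path(webroot, token), "r", encoding="ascii") as f:
            body = f.read().strip()
    except OSError:
        return False
    return body == f"{token}.{expected_thumbprint}"

def run_demo():
    """Round trip in a temp dir standing in for the IIS site root.
    Returns (valid, wrong_token, wrong_account_key)."""
    jwk = {"kty": "RSA", "e": "AQAB", "n": "not-a-real-modulus-constructed-for-the-example"}
    other = {"kty": "RSA", "e": "AQAB", "n": "a-different-made-up-modulus"}
    with tempfile.TemporaryDirectory() as webroot:
        write_challenge(webroot, "tok-3f9a", jwk)
        return (
            ca_validate(webroot, "tok-3f9a", jwk_thumbprint(jwk)),
            ca_validate(webroot, "tok-other", jwk_thumbprint(jwk)),
            ca_validate(webroot, "tok-3f9a", jwk_thumbprint(other)),
        )

if __name__ == "__main__":
    print(run_demo())
```

Two practical consequences follow from this shape. The CA must be able to reach the site on port 80 from the internet, so a firewall or a redirect that rewrites the acme-challenge path will make the step fail even though the file exists. And IIS will not serve an extensionless file unless a MIME type is mapped for it, which is another reason the tool needs to write into the site rather than just read from it.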
The software still has some bugs. I personally hit several abnormal terminations during installation and had to repeat the operation twice before it passed. If you run into problems, open Server Certificates in IIS Manager to check whether the corresponding certificate was created; if it exists, you can bind it to the site manually.
III. Matters needing attention
To prevent abuse, Let's Encrypt limits how many certificates you can request. The official site gives the following (the "above limit" the excerpt refers to is the cap of 20 certificates per registered domain per week):
If you have a lot of subdomains, you may want to combine them into a single certificate, up to a limit of 100 Names per Certificate. Combined with the above limit, that means you can issue certificates containing up to 2000 unique subdomains per week. A certificate with multiple names is often called a SAN certificate, or sometimes a UCC certificate.
We also have a Duplicate Certificate limit of 5 certificates per week. A certificate is considered a duplicate of an earlier certificate if they contain the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of names by adding [blog.example.com], you would be able to request additional certificates.
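The two limits quoted above, as an added example that is not part of the original article or of Let's Encrypt's own software. It is a pre-flight check a renewal script can run before contacting the CA: it rejects a request with more than 100 names, counts earlier certificates that the CA would consider duplicates (same hostname set, ignoring case and order) within a rolling week, and splits a long subdomain list into SAN certificates that respect the per-certificate cap. The issuance history is constructed; the real counters live at the CA, so this only predicts a rejection rather than preventing one.

```python
"""Local pre-check against the 100-names-per-certificate and 5-duplicates-per-week
limits. Added example; the issuance history in run_demo() is made up."""
from datetime import datetime, timedelta

MAX_NAMES_PER_CERT = 100
MAX_DUPLICATES_PER_WEEK = 5
WEEK = timedelta(days=7)

def normalize(names):
    """The CA's notion of 'the same set of hostnames': case- and order-insensitive."""
    return frozenset(n.strip().lower() for n in names if n.strip())

def check_request(names, history, now):
    """history: list of (issued_at: datetime, hostnames) for certificates already issued.
    Returns (ok, reason)."""
    wanted = normalize(names)
    if not wanted:
        return False, "no hostnames given"
    if len(wanted) > MAX_NAMES_PER_CERT:
        return False, f"{len(wanted)} names exceeds the {MAX_NAMES_PER_CERT}-name cap; split the request"
    recent = sorted(t for t, hs in history if now - t < WEEK and normalize(hs) == wanted)
    if len(recent) >= MAX_DUPLICATES_PER_WEEK:
        return False, f"duplicate limit hit; earliest retry {(recent[0] + WEEK).isoformat()}"
    return True, f"{len(recent)} of {MAX_DUPLICATES_PER_WEEK} duplicate slots used this week"

def split_into_certificates(names, per_cert=MAX_NAMES_PER_CERT):
    """Group a long subdomain list into SAN certificates of at most per_cert names each."""
    uniq = sorted(normalize(names))
    return [uniq[i:i + per_cert] for i in range(0, len(uniq), per_cert)]

def run_demo():
    """Replays the worked case from the quoted text with a constructed history.
    Returns (fifth_ok, sixth_ok, widened_ok, aged_ok)."""
    now = datetime(2016, 6, 2, 12, 0)
    pair = ["www.example.com", "example.com"]
    history = [(now - timedelta(days=d), pair) for d in (1, 2, 3, 4)]
    fifth_ok, _ = check_request(["EXAMPLE.COM", "www.example.com"], history, now)  # 5th: allowed
    history.append((now - timedelta(hours=1), pair))
    sixth_ok, _ = check_request(pair, history, now)                                 # 6th: rejected
    widened_ok, _ = check_request(pair + ["blog.example.com"], history, now)        # new set: allowed
    aged = [(t - WEEK, hs) for t, hs in history]                                    # all older than a week
    aged_ok, _ = check_request(pair, aged, now)
    return fifth_ok, sixth_ok, widened_ok, aged_ok

if __name__ == "__main__":
    print(run_demo())
    print([len(g) for g in split_into_certificates([f"h{i}.example.com" for i in range(250)])])
```

The widened_ok case is the escape hatch the quoted text describes: adding a name produces a different set and is not a duplicate. That also means a renewal job that keeps the same name list and retries on every failure will burn through the five weekly slots quickly, which is why the test environment mentioned below exists.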
If you need to test, run letsencrypt.exe --test on the command line. This uses Let's Encrypt's staging environment: certificates it issues are not trusted by browsers, but requests there do not count against the production limits above.