https certificate private key public key

Introduction

Data accessed over the Internet with the HTTP (Hypertext Transfer Protocol) protocol is not encrypted. In other words, anyone with the appropriate tools can intercept or monitor the data flow transmitted on the network. But sometimes we need to transmit secure or private data over the network, such as electronic orders containing credit card and product information. If you still use plain HTTP for that, you face a great risk: nobody can accept their credit card number travelling across the Internet in the clear.

The HTTPS (Hypertext Transfer Protocol Secure) protocol solves this problem. HTTPS is HTTP carried over SSL/TLS, which provides encrypted communication and authentication of the web server. The main idea of HTTPS is to create a secure channel over an insecure network, so that attackers cannot eavesdrop on or tamper with the traffic.

SSL (Secure Sockets Layer), and its successor TLS (Transport Layer Security), encrypt the data flow between the web server and the client.

SSL/TLS uses asymmetric (public-key) cryptography during the handshake, with two keys: a public key and a corresponding private key. Data encrypted with the public key can only be decrypted with the matching private key, so a client can send a secret to the server that only the server can read. The reverse operation, performed with the private key, is a digital signature: anyone holding the public key can verify it, which proves the data came from the key's owner but does not keep it secret, since the public key is public. TLS therefore uses the server's key pair for authentication and for agreeing on a session key, and then encrypts the actual traffic with fast symmetric ciphers under that session key.
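As an added example that is not part of the original article, the following shell script shows the two distinct uses of an RSA key pair with the openssl tool: public-key encryption that only the private key can undo (confidentiality), and private-key signing that anyone holding the public key can verify and that rejects a tampered message (authenticity). The work directory, file names and sample messages are constructed for this demo.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes the openssl binary is on PATH.
# The work directory, file names and sample messages are constructed for this demo.

keypair_setup() {
    # $1 = work directory. Generate an RSA key pair and export the public half,
    # which is the part a server would publish inside its certificate.
    mkdir -p "$1" || return 1
    openssl genrsa -out "$1/priv.pem" 2048 2>/dev/null || return 1
    openssl rsa -in "$1/priv.pem" -pubout -out "$1/pub.pem" 2>/dev/null || return 1
}

# Confidentiality: anyone with pub.pem can encrypt, but only the holder of priv.pem can
# decrypt. OAEP padding is requested instead of the PKCS#1 v1.5 default.
encrypt_to_owner() {        # $1 = dir, $2 = plaintext file, $3 = ciphertext out
    openssl pkeyutl -encrypt -pubin -inkey "$1/pub.pem" -pkeyopt rsa_padding_mode:oaep \
        -in "$2" -out "$3" 2>/dev/null
}
decrypt_with_private() {    # $1 = dir, $2 = ciphertext file, $3 = plaintext out
    openssl pkeyutl -decrypt -inkey "$1/priv.pem" -pkeyopt rsa_padding_mode:oaep \
        -in "$2" -out "$3" 2>/dev/null
}

# Authenticity: the private key signs a SHA-256 digest and the public key verifies it.
# This is the "encrypt with the private key" operation; it proves origin, it hides nothing.
sign_with_private() {       # $1 = dir, $2 = message file, $3 = signature out
    openssl dgst -sha256 -sign "$1/priv.pem" -out "$3" "$2" 2>/dev/null
}
verify_with_public() {      # $1 = dir, $2 = message file, $3 = signature file
    openssl dgst -sha256 -verify "$1/pub.pem" -signature "$3" "$2" >/dev/null 2>&1
}

roundtrip_ok() {
    # Returns 0 when encrypt-then-decrypt reproduces the constructed sample order exactly.
    d=$1
    printf 'order 1001: card 4111-1111-1111-1111, item SKU-42' > "$d/order.txt"
    encrypt_to_owner "$d" "$d/order.txt" "$d/order.enc" || return 1
    decrypt_with_private "$d" "$d/order.enc" "$d/order.dec" || return 1
    cmp -s "$d/order.txt" "$d/order.dec"
}

signature_detects_tampering() {
    # Returns 0 when the genuine message verifies and a one-byte change is rejected.
    d=$1
    printf 'transfer 100 to account A' > "$d/msg.txt"
    sign_with_private "$d" "$d/msg.txt" "$d/msg.sig" || return 1
    verify_with_public "$d" "$d/msg.txt" "$d/msg.sig" || return 1
    printf 'transfer 100 to account B' > "$d/msg2.txt"
    ! verify_with_public "$d" "$d/msg2.txt" "$d/msg.sig"
}

# Stand-alone run: sh keyops.sh --demo
if [ "${1:-}" = "--demo" ]; then
    w=$(mktemp -d)
    keypair_setup "$w" && roundtrip_ok "$w" && signature_detects_tampering "$w" \
        && echo "encrypt/decrypt and sign/verify both behaved as expected in $w"
fi
```

The point of the two halves is the asymmetry: pub.pem is meant to be handed to everyone, so anything "encrypted" with priv.pem is readable by everyone and only serves as proof of origin, while anything encrypted with pub.pem is readable by the private-key holder alone.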

Digital Certificate (Certificate)

In the HTTPS transmission process there is one key player: the digital certificate. So what is a digital certificate, and what is it for?

A digital certificate is an identity credential for a computer: the certificate authority (CA) signs (seals) a signing request that the holder created with its private key, and that signature expresses the CA's endorsement of the binding between the holder's identity and its public key. Digital certificates have the following advantages:

Using a digital certificate raises the credibility of the server in the eyes of users

The public key in the certificate works together with the server's private key so that the two sides can agree on keys and encrypt and decrypt the data in transit

During user identity verification, the user's sensitive personal data does not have to be transmitted to the certificate holder's network system

Three files are involved in deploying an X.509 certificate: key, csr, and crt.

key is the server's private key file. It must never leave the server: in the TLS handshake it proves the server's identity (by signing handshake data or, with the legacy RSA key exchange, by decrypting the pre-master secret the client encrypted with the public key). It is not used to encrypt the application data itself, which is protected with symmetric session keys.

csr is the certificate signing request, submitted to a certificate authority (CA) so that it can sign the certificate.

crt is the certificate signed by the CA, or a self-signed certificate made by the developer. It contains the holder's identity, the holder's public key, the signer's signature and other information.

Note: In cryptography, X.509 is the standard that defines the format of public key certificates, certificate revocation lists and attribute certificates, as well as a certification path validation algorithm.

Steps to create a self-signed certificate

Note: The following steps are only for configuring SSL certificates required for internal use or testing.

Step 1: Generate private key

Use the openssl tool to generate an RSA private key:

$ openssl genrsa -des3 -out server.key 2048

Description: generates a 2048-bit RSA private key, encrypts the key file with Triple DES (-des3) under a passphrase, and writes it to server.key. (-aes256 is the modern alternative to -des3 if your OpenSSL supports it.)

Note: OpenSSL will prompt for a passphrase of at least 4 characters to protect the private key.

Step 2: Generate CSR (Certificate Signing Request)

After generating the private key, you can create the csr file.

There are two options at this point. Ideally, you would send the CSR to a certificate authority (CA), which verifies the requester's identity and then issues a signed certificate (traditionally a paid service). If the certificate is only for internal or testing use, you can instead sign it yourself with OpenSSL. Either way, the CSR is created as follows:

$ openssl req -new -key server.key -out server.csr

Note: you are prompted, in order, for the country, state or province, city, organization, organizational unit, Common Name and email address.

For the Common Name you can write your own name or, for a web server, the server's domain name. The last prompts of the session, filled in with the article's example values, look like this:

Organization Name (eg, company) [Internet Widgits Pty Ltd]:joyios
Organizational Unit Name (eg, section) []:info technology
Common Name (e.g. server FQDN or YOUR name) []:demo.joyios.com
Email Address []:liufan@joyios.com

Step 3: Delete the password in the private key

The private key created in step 1 is protected by a passphrase. That has a side effect: every time Apache starts the web server it asks for the passphrase, which is inconvenient for an unattended server. To remove the passphrase from the private key:

$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key

The resulting server.key is stored in plaintext, so restrict it to the account that runs Apache (for example chmod 600 server.key, owned by root) and never commit it to source control. The original passphrase-protected copy, server.key.org, can be kept as a backup.

Step 4: Generate a self-signed certificate

If you do not want to pay a CA to sign the certificate, or just want to test an SSL implementation, you can now generate a self-signed certificate.

Note that with a self-signed temporary certificate the browser will warn that the certificate's issuer is unknown. Modern browsers also expect the host name in a subjectAltName extension, which this command does not add unless you supply one with -extfile.

$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Description: the crt contains information about the certificate holder, the holder's public key and the signer's signature. When a user installs a certificate into the trust store, that means the user trusts it and has its public key. A certificate states its purpose, such as server authentication, client authentication, or signing other certificates. When the system receives a new certificate, the certificate names its signer; if the signer is allowed to sign other certificates and the signature on the received certificate verifies under the signer's public key, the system trusts the new certificate without further prompting.

Step 5: Install the private key and certificate

Copy the private key and certificate files into the Apache configuration directory; on OS X 10.10 that is /etc/apache2/. Make sure server.key is readable only by root there, since it no longer has a passphrase.
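The five steps above, collected into one added shell example that is not the article's own script: it generates a passphrase-free key directly (so step 3 is unnecessary), supplies the subject non-interactively with -subj, adds a subjectAltName so browsers will match the host name, restricts the key file's permissions, and then runs the checks a practitioner would run before installing the files. The host name demo.joyios.com and the organization values come from the article; the output directory, file names and the extension file are this example's assumptions, and it only requires the openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not the article's own script. Assumes the openssl binary is on PATH.
# File names (server.key/.csr/.crt, v3.ext) and the output directory are this example's choices.

make_selfsigned() {
    # $1 = output directory, $2 = server FQDN used as CN and subjectAltName
    dir=$1; fqdn=$2
    mkdir -p "$dir" || return 1

    # Steps 1 and 3 in one go: no -des3, so the key is written unencrypted and Apache
    # can start without a passphrase prompt. Because it is plaintext, lock down the file.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/server.key" || return 1

    # Step 2: the CSR, with the subject fields given on the command line instead of interactively.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/O=joyios/OU=info technology/CN=$fqdn" 2>/dev/null || return 1

    # Step 4: self-sign for 365 days. The extension file adds the host name as a
    # subjectAltName (what browsers actually match) and marks the cert for server use.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" > "$dir/v3.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" -extfile "$dir/v3.ext" 2>/dev/null || return 1
}

# Checks to run before copying the files into /etc/apache2/ (step 5).

cert_matches_key() {
    # The certificate's public key must be the public half of server.key: compare the RSA moduli.
    k=$(openssl rsa -noout -modulus -in "$1/server.key" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$1/server.crt" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

cert_is_self_signed() {
    # A self-signed certificate only verifies when it is itself supplied as the trust anchor,
    # which is exactly why browsers warn about it until it is installed as trusted.
    openssl verify -CAfile "$1/server.crt" "$1/server.crt" >/dev/null 2>&1
}

cert_has_san() {
    # $2 = host name expected in the subjectAltName extension
    openssl x509 -noout -text -in "$1/server.crt" 2>/dev/null | grep -q "DNS:$2"
}

key_is_private_to_owner() {
    # The passphrase-free key must not be group or world readable (GNU stat, then BSD stat).
    [ "$(stat -c %a "$1/server.key" 2>/dev/null || stat -f %Lp "$1/server.key")" = "600" ]
}

# Stand-alone run: sh selfsigned.sh --demo
if [ "${1:-}" = "--demo" ]; then
    out=$(mktemp -d)
    make_selfsigned "$out" demo.joyios.com \
        && cert_matches_key "$out" && cert_is_self_signed "$out" \
        && cert_has_san "$out" demo.joyios.com && key_is_private_to_owner "$out" \
        && echo "OK: $out/server.key and $out/server.crt are ready for /etc/apache2/"
fi
```

The modulus comparison catches the most common deployment mistake, a certificate paired with the wrong key, and the verify call makes the trust situation explicit: the certificate is accepted only because it is passed in as its own CA, which is precisely what the browser warning in step 4 is telling the user.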