I have read a lot about self-signed SSL certificates, but I still recommend using Aliyun's free certificate. Self-signed SSL is used here because the intranet requires a certificate.

Introduction

An HTTPS service is HTTP running over SSL/TLS. First, a quick distinction between HTTPS, SSL, TLS and OpenSSL:

  • SSL (Secure Sockets Layer) is a security protocol that establishes a secure channel between the client and the server.
  • TLS (Transport Layer Security) provides confidentiality and data integrity between two applications.
  • TLS is the successor of SSL.
  • OpenSSL is an open source implementation of the SSL/TLS protocols that provides development libraries and command-line programs.
  • HTTPS is the encrypted version of HTTP; the underlying encryption protocol is TLS.

Conclusion: SSL/TLS is the protocol and OpenSSL is the code implementation of the protocol.

An X.509 certificate setup involves three files: the key, the CSR and the CRT.

  • The key is the private key file kept on the server; it is used to encrypt data sent to the client and to decrypt data received from the client.
  • The CSR is a certificate signing request, the file submitted to a certificate authority (CA) so it can sign the certificate.
  • The CRT is the certificate signed by a certificate authority (CA), or a developer's self-signed certificate. It contains information about the certificate holder, the holder's public key and the signer's signature.

Note: In cryptography, X.509 is the standard that specifies the format of public key certificates, certificate revocation lists, attribute certificates, the certification path validation algorithm, and so on.

First, make sure OpenSSL is installed on your server:

openssl version -a

Generate a certificate

  1. Become your own CA.
  2. Sign the server's SSL certificate with that CA.
  3. Import the CA certificate (not the SSL certificate, which stays on your server) into Chrome/Chromium. (Yes, even on Linux.)

Become the CA

Generate the CA private key (you will be prompted to set a password):

openssl genrsa -des3 -out myCA.key 2048

Remove the password from the key:

openssl rsa -in myCA.key -out myCA.key

Generate the CA certificate (PEM file):

openssl req -utf8 -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem

The -utf8 parameter is added because the organization and city names are entered in Chinese and would otherwise be garbled in the generated certificate.

Example: create a CA-signed certificate

Generate the server private key:

openssl genrsa -out server.key 2048

Create a certificate signing request:

openssl req -new -key server.key -out server.csr

Create a configuration file for the certificate extensions:

cat > server.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.baidu.com   # Be sure to include the domain name here, because Common Name is not so commonly honoured by itself
DNS.2 = www.sougou.com  # Optionally, add additional domains (I've added a subdomain here)
IP.1 = 192.168.1.1      # Optionally, add an IP address (if the connection you have planned requires it)
EOF

Create the signed certificate:

openssl x509 -req -in server.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial \
-out server.crt -days 3650 -sha256 -extfile server.ext

3650 is the validity period of the certificate in days.
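The three steps above (become a CA, create the server CSR and extension file, sign it) are run interactively, so it is easy to end up with a certificate whose SAN or chain is wrong without noticing until the browser complains. The script below is an added example, not code from the original article or from any referenced project: it runs the same flow non-interactively (-subj replaces the prompts; the CA key is left unencrypted instead of being created with -des3 and then stripped) in a scratch directory and then performs the checks worth running before handing the files to nginx, which also covers the "view the contents of the certificate" step at the end of the article. The hostname intranet.example.test, the organisation names and the working directory are constructed for this example; keyUsage is narrowed to what a TLS server key needs and extendedKeyUsage=serverAuth is added, both tightenings of the article's extension file.

```shell
#!/bin/sh
# Added example (not from the original article): CA -> CSR -> signed server
# certificate, non-interactively, followed by sanity checks. Hostnames,
# organisation names and the working directory are constructed values.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, skipping" >&2; exit 0; }

WORK=${WORK:-$(mktemp -d)}

# Step 1: become your own CA. The key is unencrypted here; add -des3 to
# genrsa (as in the article) if you want it password-protected at rest.
make_ca() {
  openssl genrsa -out "$WORK/myCA.key" 2048 2>/dev/null
  openssl req -utf8 -x509 -new -nodes -key "$WORK/myCA.key" -sha256 -days 825 \
    -subj "/C=CN/O=Example Intranet CA/CN=Example Intranet Root CA" \
    -out "$WORK/myCA.pem"
}

# Step 2: server key, CSR and extension file. Chrome matches the host against
# subjectAltName, not the Common Name, so the SAN list is what matters.
make_server_cert() {
  host=$1   # DNS name clients will connect to
  ip=$2     # IP address clients may also use
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -subj "/CN=$host" -out "$WORK/server.csr"
  cat > "$WORK/server.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $host
IP.1 = $ip
EOF
  # Step 3: sign the CSR with the CA, applying the extensions from server.ext.
  # 825 days rather than 3650: Apple platforms reject server certificates
  # that are valid for longer than 825 days.
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/myCA.pem" -CAkey "$WORK/myCA.key" \
    -CAcreateserial -out "$WORK/server.crt" -days 825 -sha256 \
    -extfile "$WORK/server.ext" 2>/dev/null
}

# Checks: the leaf chains to the CA, carries the expected SAN, is not itself
# a CA, and its public key matches the private key nginx will be given.
verify_chain() { openssl verify -CAfile "$WORK/myCA.pem" "$WORK/server.crt" | grep -q ': OK$'; }
has_san()      { openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "DNS:$1"; }
is_leaf()      { ! openssl x509 -in "$WORK/server.crt" -noout -text | grep -q 'CA:TRUE'; }
key_matches()  {
  [ "$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$WORK/server.crt" -noout -pubkey)" ]
}

main() {
  make_ca
  make_server_cert intranet.example.test 192.168.1.1
  for check in verify_chain "has_san intranet.example.test" is_leaf key_matches; do
    $check || { echo "check failed: $check" >&2; exit 1; }
  done
  echo "OK: $WORK/server.crt verifies against $WORK/myCA.pem"
}

main
```

Run it as `WORK=/path/to/ssl sh make_certs.sh`, then point ssl_certificate and ssl_certificate_key at `$WORK/server.crt` and `$WORK/server.key`. Only myCA.pem is imported into the browser; myCA.key never leaves the machine that signs certificates, and server.key never leaves the server.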

Nginx project configuration file

Point ssl_certificate and ssl_certificate_key at the .crt and .key files:

ssl_certificate /Users/wxiangqian/ssl/server.crt;
ssl_certificate_key /Users/wxiangqian/ssl/server.key;

Reload Nginx:

sudo nginx -s reload

Additional steps (at least for Mac):

Import myCA.pem as an authority in your Chrome settings (Settings > Manage Certificates > Authorities > Import). To import the CA certificate into the macOS keychain, choose File > Import, find the certificate in the list, right-click it, expand Trust, and select Always Trust.

Access the project address

Because the certificate is self-signed and has not been issued by a trusted CA, the browser reports the connection as not secure. Click the certificate to view its details. If any of the following appears, you need to import the CA certificate:

Your connection is not private. An attacker may be trying to steal your information (for example, passwords, messages or credit card information) from X.X.X.X. NET::ERR_CERT_INVALID

Send the URLs of some pages you visit, limited system information, and some page content to Google to help improve Chrome's security. Privacy policy. X.X.X.X normally uses encryption to protect your information. When Google Chrome tried to connect to X.X.X.X this time, the site sent back unusual and incorrect credentials. This may happen because an attacker is trying to impersonate X.X.X.X, or because a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure, because Google Chrome stopped the connection before any data was exchanged.

You cannot access X.X.X.X right now because the site sent scrambled credentials that Google Chrome cannot process. Network errors and attacks are usually temporary, so the page may work again later.

Working around this: simply type "thisisunsafe" on the current page (not in the address bar). The page will refresh automatically.

The resulting files are:

View the contents of the .crt certificate: www.getssl.cn/decode_crt….

Reference articles:

stackoverflow.com/questions/7…

blog.csdn.net/u013066244/…

wxiangqian.blog.csdn.net/article/det…