Turn: zhuanlan.zhihu.com/p/152016799

When I was out on the Dragon Boat Festival, my boss called me and said that the HTTPS of the company website had expired and I could not access it (see the picture below). He asked me to upgrade it immediately. Unfortunately, I didn’t have my computer with me at that time, so I couldn’t do anything.

! [](https://picb.zhimg.com/80/v2-a421dca72db93c41c04ca7746c34aa78_720w.jpg)

I can’t do it. It’s urgent. I can only do it when I have a computer. Click Advanced, you can see the following information:

Z.xxx. cn usually uses encryption technology to protect your information. When Google Chrome tried to connect to z.xxx. cn this time, the site returned an abnormal error credential. This could be because an attacker is trying to impersonate z.xxx. cn, or the Wi-Fi login screen has broken the connection. Rest assured, your information is still safe, as Google Chrome stopped connecting before any data was exchanged. You are currently unable to access z.xxx. cn because this site uses HSTS. Network errors and attacks are usually temporary, so this page may return to normal later.

I use a FreeSSL certificate for the simple reason that my employer doesn’t want to pay for it, which is only free for one year per application.

FreeSSL is a website that provides free HTTPS certificate application, HTTPS certificate management, and HTTPS certificate expiration notification services. It aims to promote the popularization and application of HTTPS certificates and simplify the process of certificate application.

! [](https://pic4.zhimg.com/80/v2-d40754edc62913444987951cdc3ecf0c_720w.jpg)

Since I have already registered, I can see the expiration information in the certificate list in the console.

! [](https://pic4.zhimg.com/80/v2-0be740e1a5bbf2df61b2ace9420bcde8_720w.jpg)

Unfortunately, there is no option to reapply directly. You can only re-enter the domain name on the home page and click “Create a free SSL certificate”.

! [](https://pic2.zhimg.com/80/v2-01f0a6774efb79172b13592d66574a05_720w.jpg)

Brand certificate choose “TRUSTAsia”, you can use it for free for one year, when it expires, you can apply for it again. It’s a little more trouble, but it’ll save the boss some money. Look at me.

After finishing, it will jump to the following page, pay attention to fill in the email.

! [](https://pic4.zhimg.com/80/v2-29525bdbe4edac41000c51819443651d_720w.jpg)

For those of you who are not familiar with the choices, let me explain them in a unified way:

1) Certificate type

I chose RSA, what is ECC, what is the difference between the two?

HTTPS provides content encryption, identity authentication, and data integrity through the TLS layer and certificate mechanism. It effectively prevents data from being monitored or tampered with and defends against MITM (Middleman) attacks. During TLS encryption, asymmetric key exchange and symmetric content encryption algorithms are needed.

Symmetric content encryption strength is very high, encryption and decryption speed is also very fast, but can not safely generate and keep the key. In TLS, application data is transmitted after symmetric encryption. Symmetric keys used in transmission are exchanged through asymmetric keys during handshake. Common AES-GCM and Chacha20-Poly1305 are symmetric encryption algorithms.

Asymmetric key exchange can generate symmetric encryption keys known only to both parties in an insecure data channel. The most commonly used key exchange algorithms are RSA and ECDHE. RSA has a long history and is widely supported, but Perfect Forward Secrecy (PFS) is not supported. ECDHE uses the ECC (Elliptic Curve) diffie-Hellman (DH) algorithm, which is fast in calculation and supports PFS.

Did it just wake you up?

2) Verification type

I chose file authentication, what is DNS authentication, what is the difference between the two?

First, we need to understand that the CA (Certificate Authority) needs to verify that we own the domain name in order to issue a Certificate to us.

File authentication (HTTP) : THE CA will verify that we have ownership of the domain name by accessing a specific URL address. Therefore, we need to download the given validation file and upload it to your server.

DNS authentication: CA will determine our ownership of the domain name by querying the DNS TXT record. We only need to add the generated TXT record name and record value to the domain name on the domain name management platform, and wait about 1 minute for the verification.

So, if it’s convenient for the server, you can choose file validation. If it is convenient to operate the domain name server, you can select DNS authentication. If both are convenient, please feel free to choose.

3) CSR generation

I chose offline generation, which FreeSSL now recommends, so what’s the difference between the three options?

Offline generation: The private key is stored in local encryption, which is more secure. Automatic public key synthesis, support common certificate format conversion, convenient deployment; Supports one-click deployment of some Webservers, which is very convenient.

Before offline generation, install KeyManager to apply for and manage SSL certificates in a secure and convenient manner. Download address:

keymanager.org/

Browser generation: In cases where the browser supports Web Cryptography, the BROWSER is used to generate a CSR file based on the user’s information.

Web Cryptography is a JavaScript API for performing basic encryption operations in Web applications. Many browsers don’t support it

I have A CSR: You can paste your OWN CSR and create it.

Once you understand the difference, select “Click Create” and a dialog box will pop up asking you to install KeyManager if it is not installed.

! [](https://pic2.zhimg.com/80/v2-2dbc78bd1380952fd226b8ca2a27ead7_720w.jpg)

Click Install KeyManager to download it.

! [](https://pic3.zhimg.com/80/v2-d1824a3465254e7f987e0a6371fbca27_720w.jpg)

Double-click to run the installation and open KeyManager after success.

! [](https://pic3.zhimg.com/80/v2-a04b27720f325e56f03f1e4d3854e0a4_720w.jpg)

After filling in the password, click “Start”, wait for a moment, the following interface appears.

! [](https://pic1.zhimg.com/80/v2-ba92590cb61e1ec6b3051a11b51b90fa_720w.jpg)

Go back to the FreeSSL home page and click the link “Try starting KeyManager again” in the red box below.

! [](https://picb.zhimg.com/80/v2-45efc769c6e54d0d5fb77e51fe45d803_720w.jpg)

Notice the changes in the KeyManager interface. The following information appears.

! [](https://pic3.zhimg.com/80/v2-f79db0aedd2d4ccc213b3f6b819c4b5f_720w.jpg)

You can go back to your browser and click the “Continue” button:

! [](https://pic3.zhimg.com/80/v2-bb44183a87818b27e398dc46cc65bf5b_720w.jpg)

The message for file verification pops up:

! [](https://pic3.zhimg.com/80/v2-5fffd8c401e1012dbde3a9721f9bf2f4_720w.jpg)

Click “Download file” in the lower right corner.

! [](https://pic2.zhimg.com/80/v2-55e616ac53518e2ef19a9668cba655cd_720w.jpg)

Ok, now link to the server, upload the downloaded file to the path indicated in “file path”, make sure the path matches, otherwise the verification can not be completed.

! [](https://picb.zhimg.com/80/v2-866b5e71e63fb9953d300b909a1cd5f4_720w.jpg)

After the file has been successfully uploaded, you can click “Verify”. After a few moments, the following message will appear:

! [](https://pic4.zhimg.com/80/v2-43762b98645625bd8e0281c390b3a154_720w.jpg)

Click “Save to KeyManager” to see that the validity period of the certificate has been extended.

! [](https://pic3.zhimg.com/80/v2-9924321ecce52f0443505e8e694fdc70_720w.jpg)

Select Export Certificate:

! [](https://picb.zhimg.com/80/v2-185756df7d9892c2329f4f58715400aa_720w.jpg)

My server software uses Tomcat, so the format chosen for export is JKS. Remember your private key encryption password for later use.

! [](https://pic1.zhimg.com/80/v2-e6b664516cec58d6fddecc847d60393f_720w.jpg)

Click the “Export” button when you’re done.

! [](https://pic3.zhimg.com/80/v2-e6162765927b52d802b1db6d7ff7bba3_720w.jpg)

Upload the generated certificate to the server.

! [](https://pic2.zhimg.com/80/v2-6027c953d603b7309f2cb0def50259e6_720w.png)

Next, open the Tomcat server. XML file and configure the Connector link.

<Connector port="81" protocol="HTTP/1.1" maxThreads="250" maxHttpHeaderSize="8192" acceptCount="100" connectionTimeout="60000" keepAliveTimeout="200000" redirectPort="8443" useBodyEncodingForURI="true" URIEncoding="UTF-8"  compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,application/xml,application/json,text/javascript,application/javascript,text/cs s,text/plain,text/json,image/png,image/gif"/> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="/home/backup/xxx.cn.jks" keystorePass="Chenmo" clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true" URIEncoding="UTF-8" compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,application/xml,application/json,text/javascript,application/javascript,text/cs s,text/plain,text/json,image/png,image/gif" />Copy the code

KeystorePass is the encryption password of the private key used to export the certificate.

After restarting Tomcat, I re-visited the website and found that it was back to normal.

! [](https://picb.zhimg.com/80/v2-1b3db7a01acc357a4a767935722cfcaa_720w.jpg)

Well, HTTPS is back, let the boss know, the website will not be available for a few days, sell a lot of wine, lose a lot of money ah, hey, hey.

Did you learn, class? It’s easy to upgrade a website from HTTP to HTTPS. With this guide, you can do it in five minutes. It’s free!

I am silent King 2, an interesting programmer. If you find this article helpful, please search “Silent King ii” on wechat and read it for the first time.

Interview on GitHub