Free SSL certificate deployment under Windows (LETSENCRYPT)

Source: Internet
Author: User
Tags: free ssl, free ssl certificate, ssl certificate, letsencrypt

As networks develop, network security becomes more and more important. For a website, moving from HTTP to HTTPS is the first thing we should do. To implement HTTPS we first need to apply for an SSL certificate. In this article I mainly cover the following:

1. Brief Introduction to SSL

2. Free Let's Encrypt Certificate Deployment

3. Precautions for installation

I. Brief Introduction to SSL

SSL (Secure Sockets Layer) is a network encryption protocol that sits between the TCP/IP transport layer and the application layer protocols, and encrypts application data in transit. Internally it has two parts, the record protocol and the handshake protocol. If you are interested you can read more about them; here I will only briefly describe the process.

Its workflow can be understood as follows: the client sends a network request to the server and initiates a handshake, the two sides exchange certificate information, and the connection is established. In a nutshell, it is divided into several steps:

Client: Sends its supported SSL versions and encryption methods to the server.

Server: Selects the encryption method and sends the certificate and public key to the client.

Client: Validates the certificate information, generates a shared secret key and exchanges it using the public key.

Server: Okay, we can pass encrypted data.

The above is a simplified description of the handshake. Each step can be broken down further, and you can consult the relevant documentation for a deeper understanding.

Another protocol that needs to be introduced here is TLS, which is based on the SSL 3.0 specification and is more strictly defined. It also has an extension called SNI (Server Name Indication), whose main role is described below.

A typical host may serve many sites. We do not know in advance the full list of domain names that will use the server, and we cannot reissue the certificate every time a domain name changes. With SNI we can deploy multiple certificates on a single host: the server selects the correct virtual host during the handshake phase and sends the corresponding certificate. In IIS 8.0 and above, we have the following options when we bind a domain name:

There are currently many free and paid SSL certificate providers to choose from. We can also act as our own issuer and produce an SSL certificate ourselves, but browsers such as Google's show a security-risk warning on pages whose certificate comes from an untrusted certification authority and block access, which is very bad for the user experience. By validation level, SSL certificates currently fall mainly into the following categories:

EV - the industry's top-level SSL certificate. On a website where an EV SSL certificate is deployed, the address bar turns bold green and shows the name of the enterprise the site belongs to.

OV - an SSL certificate with enterprise validation, widely used. After an OV SSL certificate is deployed, the address bar displays a security lock icon.

DV - verifies only the domain name, so the SSL certificate is issued quickly. The security lock icon is also displayed in the address bar, but the O field is not shown in the certificate details: the owner's name is not displayed, only the domain name.

The free certificates issued by SSL certificate authorities that mainstream browsers currently recognize are mostly DV-level. Below I introduce the deployment process under Windows for Let's Encrypt, the best-known free SSL certificate of late.

II. Free Let's Encrypt Certificate Deployment

This is a free SSL project launched abroad, and it is now recognized by mainstream browsers such as Google's. From a security standpoint, a free certificate installed through Let's Encrypt has a validity period of three months and then requires a re-application. This makes deployment more troublesome, so the project officially offers a variety of automated solutions. Here I describe letsencrypt-win-simple, a certificate request and automatic renewal tool for Windows.

First, download the tool from its GitHub releases page (https://github.com/Lone-Coder/letsencrypt-win-simple/releases) and unzip it.

Because the installation process needs to generate verification files under the site, open the CMD prompt in Administrator mode, or choose the Command Prompt (Administrator) option from the Start menu's right-click menu.

Go to the unzipped folder and run the command letsencrypt.exe --san

After it runs, all sites under IIS are listed automatically, followed by the following options:

These options correspond to different situations. Because there are several sites on my machine and I want to give them a single shared certificate, I choose S. It then prompts for the numbers of the sites to install for; here I enter 3,4

Next, it creates a validation file under each site. Once validation passes, it generates the corresponding certificate and adds it to IIS, and if all is well, a scheduled renewal task is created among the Windows scheduled tasks.

This software currently still has some bugs. I personally encountered a few abnormal-termination errors during installation, and it only went through normally after repeating the operation twice. If you also run into problems, you can go directly to certificate management in IIS to see whether the corresponding certificate has been created; if it has, you can bind it manually.
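The following PowerShell script is an added example, not part of letsencrypt-win-simple or of the original article. It checks the three things the tool is described as leaving behind: the certificate in the machine store, the HTTPS bindings (including whether the SNI option discussed in section I is enabled) and the scheduled renewal task. The 30-day threshold and the task-name pattern are assumptions; it needs an elevated session on Windows Server 2012 / IIS 8.0 or later.

```powershell
# Added example: post-run check of certificates, HTTPS bindings and the renewal task.
Import-Module WebAdministration

$warnDays    = 30               # assumption: flag certificates with under 30 days left
$taskPattern = '*letsencrypt*'  # assumption: the renewal task name contains "letsencrypt"

# 1. Let's Encrypt certificates in the machine stores IIS binds from.
$certs = Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\WebHosting -ErrorAction SilentlyContinue |
    Where-Object { $_.Issuer -like "*Let's Encrypt*" }
$certs | Select-Object Thumbprint, NotAfter,
    @{ n = 'DaysLeft'; e = { [int]($_.NotAfter - (Get-Date)).TotalDays } },
    @{ n = 'Names';    e = { $_.DnsNameList.Unicode -join ', ' } } |
    Format-Table -AutoSize

# 2. HTTPS bindings: which certificate each one uses and whether SNI is on (sslFlags bit 1).
Get-WebBinding -Protocol https | ForEach-Object {
    $hash = $_.certificateHash
    $cert = $certs | Where-Object { $_.Thumbprint -eq $hash } | Select-Object -First 1
    [pscustomobject]@{
        Binding    = $_.bindingInformation        # IP:port:hostname
        Sni        = [bool]($_.sslFlags -band 1)
        Store      = $_.certificateStoreName
        Thumbprint = $hash
        Status     = if (-not $hash) { 'NO CERTIFICATE BOUND' }
                     elseif (-not $cert) { 'certificate not found in step 1' }
                     elseif ($cert.NotAfter -lt (Get-Date).AddDays($warnDays)) { 'EXPIRES SOON' }
                     else { 'ok' }
    }
} | Format-Table -AutoSize

# 3. Renewal task: present, enabled, last result 0 and a next run scheduled.
$tasks = Get-ScheduledTask | Where-Object { $_.TaskName -like $taskPattern }
if (-not $tasks) {
    Write-Warning "No scheduled task matching $taskPattern; certificates will not renew automatically."
}
$tasks | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task       = $_.TaskName
        State      = $_.State
        LastRun    = $info.LastRunTime
        LastResult = $info.LastTaskResult      # 0 means the last run succeeded
        NextRun    = $info.NextRunTime
    }
} | Format-Table -AutoSize
```

A binding that shows a thumbprint missing from step 1 is the case described above where the certificate has to be bound manually in IIS.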

III. Precautions

Let's Encrypt places a number of restrictions on use to prevent abuse. The following is the limit information given on the official website:

If you have a lot of subdomains, you may want to combine them into a single certificate, up to a limit of Names per Certificate. Combined with the above limit, that means you can issue certificates containing up to 2,000 unique subdomains per week. A certificate with multiple names is often called a SAN certificate, or sometimes a UCC certificate.

We also have a Duplicate Certificate limit of 5 certificates per week. A certificate is considered a duplicate of an earlier certificate if they contain the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [ www.example.com , example.com ], you could request four more certificates for [ www.example.com , example.com ] during the week. If you changed the set of names by adding [ blog.example.com ], you would be able to request additional certificates.

If you need to test, you can do it at the command line with letsencrypt.exe --test, which uses the test environment.
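As an added example (not from the Let's Encrypt site or the tool), the Duplicate Certificate rule quoted above can be checked locally before re-running the tool against the production environment. The issuance history is constructed sample data, the function names are hypothetical, and "week" is treated as a rolling 7-day window, which is an assumption.

```powershell
# Added example: would another request for this name set exceed the duplicate limit?
function Get-NameSetKey {
    param([string[]]$Names)
    # Duplicates are judged on the set of hostnames, ignoring capitalization and ordering.
    ($Names | ForEach-Object { $_.Trim().ToLowerInvariant() } | Sort-Object -Unique) -join ','
}

function Test-DuplicateLimit {
    param(
        [object[]]$History,            # records with .IssuedAt and .Names
        [string[]]$Names,              # names for the certificate about to be requested
        [datetime]$Now = (Get-Date),
        [int]$Limit = 5                # duplicate certificates per week, from the text above
    )
    $key         = Get-NameSetKey $Names
    $windowStart = $Now.AddDays(-7)    # assumption: rolling 7-day window
    $dupes = @($History | Where-Object {
        $_.IssuedAt -gt $windowStart -and (Get-NameSetKey $_.Names) -eq $key
    })
    [pscustomobject]@{
        NameSet      = $key
        IssuedInWeek = $dupes.Count
        Remaining    = [math]::Max(0, $Limit - $dupes.Count)
        Allowed      = $dupes.Count -lt $Limit
    }
}

# Constructed sample history: five issuances of the same set inside the window
# (different case and order), plus one outside it.
$now = [datetime]'2017-03-10'
$history = @(
    [pscustomobject]@{ IssuedAt = [datetime]'2017-03-01'; Names = 'www.example.com', 'example.com' }
    [pscustomobject]@{ IssuedAt = [datetime]'2017-03-04'; Names = 'www.example.com', 'example.com' }
    [pscustomobject]@{ IssuedAt = [datetime]'2017-03-05'; Names = 'example.com', 'www.example.com' }
    [pscustomobject]@{ IssuedAt = [datetime]'2017-03-06'; Names = 'WWW.Example.com', 'example.com' }
    [pscustomobject]@{ IssuedAt = [datetime]'2017-03-08'; Names = 'www.example.com', 'example.com' }
    [pscustomobject]@{ IssuedAt = [datetime]'2017-03-09'; Names = 'example.com', 'WWW.EXAMPLE.COM' }
)

# Same set again: 5 issued in the window, so Allowed is False.
Test-DuplicateLimit -History $history -Names 'Example.com', 'www.example.com' -Now $now
# Adding blog.example.com changes the set: 0 issued in the window, so Allowed is True.
Test-DuplicateLimit -History $history -Names 'www.example.com', 'example.com', 'blog.example.com' -Now $now
```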
