HTTPS Security certificate Access connection practice configuration

Source: Internet
Author: User
Tags: decrypt, openssl, version

01: Network security issues:
①. Network security issues - data confidentiality
Transmitted data may be visible to third parties at any time.

②. Network security issues - data integrity
Transmitted data must not be modifiable at will by anyone along the path.

③. Network security issues - authentication
On first contact, the identity of both communicating parties must be confirmed.

02: Resolving the network security issues:
①. Network security issues - resolving data confidentiality
A) Use an ordinary encryption algorithm to address confidentiality
The transmitted data (plaintext) is encrypted with the algorithm into ciphertext, and the receiver uses the corresponding algorithm to decrypt the ciphertext back into the real data.
Advantages: the data is transmitted secretly, avoiding the danger of sending it in plaintext.
Disadvantages: the plaintext is turned into ciphertext by the algorithm alone, so if a third party obtains the algorithm, it can turn the ciphertext back into plaintext.

    b) Use a symmetric encryption algorithm to solve confidentiality (an important encryption method)
A symmetric encryption algorithm is like locking the rule book of the ordinary algorithm in a safe: only someone with access to the safe and the safe's key can obtain the algorithm manual.
Advantages: key-based encryption algorithms compute very fast.
Disadvantages: the security of the encryption and decryption process depends entirely on the key, and the symmetric key has to be held by both parties, so key management cannot be solved when there are too many communication peers to encrypt for.

②. Network security issues - resolving data integrity
A) Generate a signature (data fingerprint) from the data with a one-way (single) encryption algorithm (the same mechanism used for full-network backup data integrity checks). The receiver computes the signature over the data it received and checks it against the signature that was sent: if the signatures match, the integrity of the data is intact; if they differ, the data has been damaged and is discarded directly.
****************************************************************************
Extension description:
01: Different data cannot produce the same fingerprint. Characteristics of a one-way (single) encryption algorithm:
 · the same data input always produces the same signature output
 · avalanche effect: a small change in the input causes a huge change in the output
 · fixed-length output, regardless of the size of the source data
 · irreversible: the original data cannot be recovered from its fingerprint
****************************************************************************
Pros: effectively solves the data integrity problem.
Cons: does not account for the impact of a man-in-the-middle on the data.
B) Combine a symmetric encryption algorithm with the one-way encryption algorithm: the data is signed with the one-way algorithm (the cryptographic signature), and the signature is encrypted as well. The receiver holds the same key as the sender and can decrypt the encrypted data and signature; a man-in-the-middle cannot produce an encrypted signature that the receiver is able to decrypt, so the receiver obtains no valid signature and discards the data directly.
****************************************************************************
Extension description:
01: How do the two communicating sides obtain the symmetric key? A symmetric key negotiation process is needed, that is, a key exchange mechanism (Internet Key Exchange, IKE). The protocol that realizes this key exchange mechanism is called the Diffie-Hellman protocol.
****************************************************************************
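The receiver-side checks behind method A (bare fingerprint) and method B (fingerprint protected by the shared key), as an added example that is not part of the original article. It assumes the openssl command-line tool, uses HMAC-SHA256 (openssl dgst -hmac) as the concrete form of "the signature is also encrypted with the symmetric key", and the key and message are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original article: the receiver-side checks behind
# method A (bare data fingerprint) and method B (fingerprint protected by the shared
# key), run against a message a man-in-the-middle rewrites in transit.
# Assumes the openssl tool; HMAC-SHA256 (openssl dgst -hmac) stands in for "the
# signature is also encrypted with the symmetric key".  Key and message are constructed.
set -eu

fingerprint() {          # fingerprint <file>: anyone on the path can recompute this
    openssl dgst -sha256 "$1" | awk '{print $NF}'
}

keyed_fingerprint() {    # keyed_fingerprint <file> <key>: needs the shared key
    openssl dgst -sha256 -hmac "$2" "$1" | awk '{print $NF}'
}

verify() {               # verify <file> <received-sig> [key] -> prints ACCEPT/REJECT
    if [ $# -eq 3 ]; then got=$(keyed_fingerprint "$1" "$3"); else got=$(fingerprint "$1"); fi
    if [ "$got" = "$2" ]; then echo ACCEPT; else echo REJECT; return 1; fi
}

# Sender signs "transfer 100"; the middle-man changes it to "transfer 900" and does
# what it can to the signature; the receiver verifies.  Prints both verdicts.
mitm_demo() {
    dir=$(mktemp -d); key=key-agreed-via-diffie-hellman   # constructed shared key
    printf 'transfer 100 to account 42\n' > "$dir/msg"
    sed 's/100/900/' "$dir/msg" > "$dir/forged"
    # Method A: the attacker simply recomputes the bare fingerprint over the forgery.
    verdict_a=$(verify "$dir/forged" "$(fingerprint "$dir/forged")" || true)
    # Method B: without the key the attacker can only forward the original keyed tag.
    tag=$(keyed_fingerprint "$dir/msg" "$key")
    verdict_b=$(verify "$dir/forged" "$tag" "$key" || true)
    rm -rf "$dir"
    echo "plain:$verdict_a keyed:$verdict_b"
}
```

Running mitm_demo prints plain:ACCEPT keyed:REJECT, which is exactly the gap between method A and method B described above.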

③. Network security issues - resolving authentication
A) Use an asymmetric key encryption algorithm (public key encryption algorithm)
The sender creates a private key and a public key and sends the public key to the receiver, which makes it possible to authenticate the party that sends the data.

Have your mother verify your father's identity information; your mother is then called the certificate authority.
In the process of visiting a website, the public key information is called a certificate (×××).
Conclusion on network security: to achieve network security, the problems must be solved in this order:
1. solve the authentication problem
2. solve the data integrity problem
3. solve the data confidentiality problem

03: Origin of network security certificates:
According to the conclusions above, the first network security problem to solve is authentication.
The main way to solve the authentication problem is with a private key and a public key,
so how the public key information is obtained becomes especially important: a just and impartial third party vouches for the public key information.

The current standard certificate storage format is X.509 (other certificate formats exist as well). A certificate (certificate == ×××) must contain:
 · the public key information, and the certificate's expiry time
 · the information of the certificate's legal owner
 · how the certificate may be used (no need to focus on this)
 · the CA (issuing authority) information
 · the CA signature checksum

04: The OpenSSL software in detail
To obtain version information for the OpenSSL software:
    rpm -qa openssl
    openssl version  <- view the OpenSSL release information

OpenSSL configuration file: /etc/pki/tls/openssl.cnf  <- used mainly when configuring a private CA.
Note: in general, OpenSSL works without many changes to this configuration file.

Implementing the HTTPS access process with the OpenSSL software:

First step: create the private key file (the birth certificate) --- done by operations staff
Method one:
    openssl genrsa 2048 > server.key  <- create the private key, specify a key length of 2048 bits, and save the generated key in a file
or:
    openssl genrsa -out server.key 2048  <- save the private key directly to the output file; the key length must come after the output file
    chmod 600 server.key  <- restrict the key file to its owner (the same permission method two produces)
Method two:
    (umask 077; openssl genrsa -out server1024.key 1024)  <- the parentheses run a sub-shell, so umask is changed only temporarily and the private key file is created with permission 600

Second step: generate the certificate file
①. Generate a self-signed certificate
Note: self-issued certificates are generally used for testing --- operations staff can do this themselves
    openssl req -new -x509 -key server.key -out server.crt -days 365
    req    <- request the creation of a certificate file
    -new   <- create a new certificate
    -x509  <- output a certificate in the standard X.509 format
    -key   <- the private key file to use
    -out   <- the certificate file to write
    -days  <- the validity period of the certificate
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN                                     <- the country that issues the certificate
    State or Province Name (full name) []:BJ                                 <- the province in which the certificate is issued
    Locality Name (eg, city) [Default City]:bj                               <- the city in which the certificate is issued
    Organization Name (eg, company) [Default Company Ltd]:oldboy             <- the organization that issues the certificate
    Organizational Unit Name (eg, section) []:it                             <- the department that issues the certificate
    Common Name (eg, your name or your server's hostname) []:oldboy.com.cn   <- the host (server) name
Note: the Common Name is very important: before the client obtains the certificate, it uses this host name to establish the connection to the corresponding server, and only then fetches the certificate.
    Email Address []:

②. Request a certificate from a certificate authority  --- done by the CA
Generate the certificate signing request file (the household register)  --- done by operations staff
    openssl req -new -key server.key -out server.csr
Note: later in this step you are asked to set a password, to avoid leaking your own company's information.
Obtain the certificate file (×××)  --- done by the CA (omitted here)

Third step: configure the web service and load the private key and certificate information
    server {
        listen        80;
        server_name  www.etiantian.org;
        rewrite ^(.*)$  https://$host$1 permanent;
    }
    server {
        listen       443;
        server_name  www.etiantian.org;
        ssl on;
        ssl_certificate /server/key/server.crt;
        ssl_certificate_key /server/key/server.key;
        root   html/www;
        index  index.html index.htm;
    }

Fourth step: test access with a browser.
Official link for the ssl module: http://nginx.org/en/docs/http/ngx_http_ssl_module.html
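Steps one and two above run non-interactively, followed by the checks an operator should run before pointing nginx at the files, as an added example that is not part of the original article. It assumes the openssl command-line tool and GNU stat are installed, and passes the DN answers from the interactive prompts above via -subj.

```shell
#!/bin/sh
# Added example, not from the original article: steps one and two above run
# non-interactively (-subj carries the DN values the interactive prompts asked for),
# followed by the checks an operator should run before pointing nginx at the files.
# Assumes the openssl command-line tool is installed and GNU stat is available.
set -eu

DN="/C=CN/ST=BJ/L=bj/O=oldboy/OU=it/CN=oldboy.com.cn"   # the article's DN answers

# Step one: private key created under umask 077, so it is mode 600 from the start.
# Step two ①: self-signed certificate (testing only).  Step two ②: CSR for a real CA.
make_server_cert() {   # make_server_cert <dir>
    dir=$1
    (umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null)
    openssl req -new -x509 -key "$dir/server.key" -out "$dir/server.crt" \
        -days 365 -subj "$DN"
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -subj "$DN"
}

# Pre-deployment checks: key is private, cert names the host, key and cert belong
# together, CSR is well-formed.  Returns 0 only if everything passes.
check_server_cert() {  # check_server_cert <dir>
    dir=$1
    mode=$(stat -c %a "$dir/server.key")
    [ "$mode" = "600" ] || { echo "server.key mode is $mode, expected 600"; return 1; }
    openssl x509 -in "$dir/server.crt" -noout -subject \
        | grep -q 'CN *= *oldboy\.com\.cn' || { echo "unexpected subject"; return 1; }
    # nginx will refuse to start if the certificate does not match the key it is given.
    [ "$(openssl x509 -in "$dir/server.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/server.key" -pubout)" ] \
        || { echo "server.crt does not match server.key"; return 1; }
    openssl req -in "$dir/server.csr" -noout -verify >/dev/null 2>&1 \
        || { echo "server.csr signature invalid"; return 1; }
    openssl x509 -in "$dir/server.crt" -noout -dates   # show the validity window
}
```

The same two functions work unchanged for a CA-issued server.crt: copy it over the self-signed one and re-run check_server_cert before reloading nginx.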
