The following are example certificate installation methods for 3 types of server:
1. Apache 2.x Certificate Deployment
1.1 Get Certificate
Get the certificate files 1_root_bundle.crt and 2_www.domain.com_cert.crt and the private key file 3_www.domain.com.key from the Apache folder.
The 1_root_bundle.crt file contains a certificate block delimited by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
The 2_www.domain.com_cert.crt file contains a certificate block delimited by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
The 3_www.domain.com.key file contains a private key block delimited by "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----".
1.2 Certificate Installation
Edit the conf/httpd.conf file under the Apache root directory. Find the following two lines and remove the leading # comment character from each:
#LoadModule ssl_module modules/mod_ssl.so
#Include conf/extra/httpd-ssl.conf
Then edit the conf/extra/httpd-ssl.conf file under the Apache root directory and modify it as follows:
<VirtualHost www.domain.com:443>
    DocumentRoot "/var/www/html"
    ServerName www.domain.com
    SSLEngine on
    SSLCertificateFile /usr/local/apache/conf/2_www.domain.com_cert.crt
    SSLCertificateKeyFile /usr/local/apache/conf/3_www.domain.com.key
    SSLCertificateChainFile /usr/local/apache/conf/1_root_bundle.crt
</VirtualHost>
Once the configuration is complete, restart Apache. The site can then be accessed at https://www.domain.com.
2. Nginx Certificate Deployment
2.1 Get Certificate
Get the SSL certificate file 1_www.domain.com_bundle.crt and the private key file 2_www.domain.com.key from the Nginx folder.
The 1_www.domain.com_bundle.crt file contains two certificate blocks, each delimited by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
The 2_www.domain.com.key file contains a private key block delimited by "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----".
2.2 Certificate Installation
Save the certificate file 1_www.domain.com_bundle.crt and the private key file 2_www.domain.com.key for the domain name www.domain.com to the same directory, such as the /usr/local/nginx/conf directory.
Update the conf/nginx.conf file under the Nginx root directory as follows:
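server {
    listen 443;
    server_name www.domain.com; # enter the domain name bound to the certificate
    ssl on; # on nginx 1.15.0 and later, use "listen 443 ssl;" instead of "ssl on;"
    ssl_certificate 1_www.domain.com_bundle.crt;
    ssl_certificate_key 2_www.domain.com.key;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients require them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # configure the protocols as shown
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; # configure the cipher suites as shown
    ssl_prefer_server_ciphers on;
    location / {
        root html; # site directory
        index index.html index.htm;
    }
}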
After the configuration is complete, first run bin/nginx -t to test the configuration for errors. Once it is correct, restart Nginx. The site can then be accessed at https://www.domain.com.
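A pre-deployment check for the file pair described in 2.1 and 2.2, as an added example that is not part of the original guide: it confirms that the bundle holds at least two certificate blocks, that the private key belongs to the first certificate in the bundle, and that the key file is not accessible to group or others. The function names are chosen here, and the permission check is an extra hardening step the guide does not mention.

```shell
#!/bin/sh
# Added example: sanity checks to run before pointing Nginx at the files.
# Function names are illustrative; requires the openssl command-line tool.

# Number of PEM certificate blocks in a file. The bundle from section 2.1
# should contain two: the site certificate first, then the intermediate.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeeds only when the private key ($2) belongs to the first certificate
# in the file ($1), by comparing the public key derived from each side.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when group and others have no permissions on the key file
# (extra hardening check, not a step from the guide).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all three checks; print the first failure and return non-zero.
check_pair() {
    bundle=$1
    key=$2
    if [ "$(count_certs "$bundle")" -lt 2 ]; then
        echo "FAIL: $bundle has fewer than two certificate blocks" >&2
        return 1
    fi
    if ! key_matches_cert "$bundle" "$key"; then
        echo "FAIL: $key does not match the first certificate in $bundle" >&2
        return 1
    fi
    if ! key_is_private "$key"; then
        echo "FAIL: $key is accessible to group or others (chmod 600)" >&2
        return 1
    fi
    echo "OK: $bundle and $key are consistent"
}

# Usage: sh check_pair.sh 1_www.domain.com_bundle.crt 2_www.domain.com.key
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; fi
```

Running it before bin/nginx -t catches a swapped or mismatched key file, which otherwise only shows up as a start-up error.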
2.3 Automatic HTTP-to-HTTPS redirect (optional), for full-site encryption
For users who do not know that the site can be accessed over HTTPS, let the server automatically redirect HTTP requests to HTTPS.
On the server side, you can add a JS script to the page, write the redirect in the back-end program, or implement the redirect in the web server itself. Nginx supports rewrite (as long as pcre was not removed at compile time).
Add the following to the HTTP server block:
rewrite ^(.*) https://$host$1 permanent;
This redirects requests arriving on port 80 to HTTPS.
3. IIS Certificate Deployment
3.1 Get Certificate
Get the SSL certificate file www.domain.com.pfx from the IIS folder.
3.2 Certificate Installation
1. Open IIS Service Manager, click the computer name, and double-click 'Server Certificates'.
2. In the Server Certificates view, click Import on the right.
3. Select the certificate file. If you filled in a private key password when applying for the certificate, enter that password, then click OK. (See the private key password guidelines.)
4. Under Sites, click the site name, then click Bindings on the right.
5. In the Site Bindings window, click Add.
6. Fill in the site binding: select type https, port 443, and specify the corresponding SSL certificate, then click OK.
7. After adding it, the Site Bindings window shows the binding you just added.
4. Tomcat Certificate Deployment
4.1 Get Certificate
If you filled in a private key password when applying for the certificate, the download contains a Tomcat folder, which holds the keystore www.domain.com.jks.
If you did not fill in a private key password, the download does not include a Tomcat certificate file, and you need to generate one by converting the format manually.
A JKS-format certificate can be generated from the certificate file and the private key file in the Nginx folder.
Conversion tool: https://www.trustasia.com/tools/cert-converter.htm
When using the tool, be sure to fill in the KeyStore password; you need to enter it in the configuration file when installing the certificate.
4.2 Certificate Installation
Configure the SSL connector: store the www.domain.com.jks file in the conf directory, then edit the server.xml file in the same directory:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    keystoreFile="conf/www.domain.com.jks" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS" />
4.3 Security configuration for automatic HTTP-to-HTTPS redirect
Edit web.xml under the conf directory. After </welcome-file-list> and before </web-app>, that is, in the penultimate section, add the following:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>ssl</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
This step makes the non-SSL connector redirect to the SSL connector, so you also need to configure server.xml:
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
Change redirectPort to the SSL connector port, 443. The change takes effect after a restart.