First, the client completes the TCP three-way handshake with the server (HTTP runs on top of TCP/IP). The two sides then start the SSL/TLS handshake: they negotiate the protocol version and the cipher suite, and the server sends its certificate to the client. Once the client has verified that the certificate is in order, it generates the secret from which the symmetric session key is derived, encrypts it with the server's public key taken from the certificate, and sends it to the server (this is the RSA key exchange; current TLS derives the session key from an ephemeral Diffie-Hellman exchange instead, but the sequence is the same). From then on the client sends its request and the server returns the content, both encrypted with that symmetric key. This is how the SSL session is established.
But how does the client know that the server's certificate is genuine? A third party, a Certificate Authority (CA), has to issue the certificate to our server, and the client then checks the server certificate against that CA.
For this the CA's own certificate must already be stored on the client, in its trust store; that CA certificate is self-signed. The client does not contact the CA during the handshake: it verifies the signature on the server certificate with the public key in the CA certificate it already holds.
How, then, does the server get its certificate from the CA? The server first creates a key pair and sends only the public key, packaged in a certificate signing request (CSR), to the CA. The CA signs it, which produces the certificate, keeps a copy and returns it to the server. The server installs the certificate and presents it to the client during the handshake, and the client verifies it against the CA certificate in its trust store.
① Premise:
To enable your web server to support SSL, you must first install the SSL module (for nginx, build it with --with-http_ssl_module).
1. Example: test.imdst.com
Create a self-signed certificate
Create the server's private key (since the certificate will be self-signed, this key also acts as the root key)
openssl genrsa -out test.imdst.com.key 2048
Use the private key to create a certificate signing request (CSR)
openssl req -new -subj "/C=US/ST=GuangDong/L=GuangZhou/O=Your Company Name/OU=imdst.com/CN=test.imdst.com" -key test.imdst.com.key -out test.imdst.com.csr
Note: /C is the country and must be the two-letter country code, such as CN or US; /ST is the state or province; /L is the locality (city or region); /O is the organization name; /OU is the organizational unit, usually shown in the issuer column; /CN is the common name, which for an HTTPS certificate must be the server's host name.
Remove the passphrase from the private key (only needed when the key was generated encrypted, for example with genrsa -aes256; nginx would otherwise prompt for the passphrase at every start)
mv test.imdst.com.key test.imdst.com.origin.key
openssl rsa -in test.imdst.com.origin.key -out test.imdst.com.key
Sign the certificate with the key (self-signed: the same key that made the CSR signs the certificate)
openssl x509 -req -days 3650 -in test.imdst.com.csr -signkey test.imdst.com.key -out test.imdst.com.crt
For a certificate used for HTTPS, the CN in the signing request must match the server's host name exactly, otherwise the browser will not accept the certificate. Modern browsers (Chrome since version 58) additionally require the host name in a subjectAltName extension and ignore CN for host-name matching, so add that extension when signing. A self-signed certificate will still produce a browser warning until it is imported into the client's trust store.
Files produced:
test.imdst.com.crt         self-signed certificate
test.imdst.com.csr         certificate signing request
test.imdst.com.key         private key without passphrase
test.imdst.com.origin.key  private key with passphrase
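The CA issuance described at the top of the page and the self-signed procedure above, as one runnable script. This is an added example, not the original post's commands: it assumes only the openssl CLI, works in a temporary directory, and every file name, the subject and the "Demo Root CA" name are constructed for the demo. It also adds the subjectAltName that browsers require and the checks (chain, host name, key/certificate match) worth running before handing the files to nginx.

```shell
#!/bin/sh
# Added example (not the original post's code): a private CA issuing a
# certificate for test.imdst.com, the post's self-signed variant beside it,
# and the checks a client applies to each. Assumes only the openssl CLI;
# every file name and subject below is constructed for the demo.
set -eu

WORK="$(mktemp -d)"
DOMAIN="test.imdst.com"
SUBJ="/C=US/ST=GuangDong/L=GuangZhou/O=Your Company Name/OU=imdst.com/CN=${DOMAIN}"
# Browsers match the host name against subjectAltName, not CN, so the
# extension is added at signing time for both variants.
printf 'subjectAltName=DNS:%s\n' "$DOMAIN" > "$WORK/san.ext"

# CA side: key pair and self-signed CA certificate. This is the certificate
# that must already sit in the client's trust store.
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/ca.key" -days 3650 \
        -subj "/C=US/O=Demo Private CA/CN=Demo Root CA" -out "$WORK/ca.crt"
}

# Server side: its own key and a CSR. The CSR carries the public key and
# the subject; the private key never leaves the server.
make_server_csr() {
    openssl genrsa -out "$WORK/$DOMAIN.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$DOMAIN.key" -subj "$SUBJ" -out "$WORK/$DOMAIN.csr"
}

# CA signs the CSR; -CAcreateserial writes ca.srl next to ca.crt.
sign_with_ca() {
    openssl x509 -req -days 825 -in "$WORK/$DOMAIN.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/san.ext" -out "$WORK/$DOMAIN.crt" 2>/dev/null
}

# The post's variant: the server signs its own CSR with its own key.
make_self_signed() {
    openssl x509 -req -days 3650 -in "$WORK/$DOMAIN.csr" -signkey "$WORK/$DOMAIN.key" \
        -extfile "$WORK/san.ext" -out "$WORK/selfsigned.crt" 2>/dev/null
}

# Client-side check: does certificate $2 chain to trust anchor $1 and name host $3?
verify_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Deployment check: does the certificate's public key belong to the private
# key nginx will load? Compares the RSA modulus of key $1 and certificate $2.
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -noout -modulus)" = "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# The post's "remove the password" step only applies to a key that was
# created encrypted (genrsa -aes256); plain genrsa output has no passphrase.
strip_passphrase() {
    openssl genrsa -aes256 -passout pass:demo-only -out "$WORK/encrypted.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/encrypted.key" -passin pass:demo-only -out "$WORK/plain.key" 2>/dev/null
    grep -q 'ENCRYPTED' "$WORK/encrypted.key" && ! grep -q 'ENCRYPTED' "$WORK/plain.key"
}

make_ca
make_server_csr
sign_with_ca
make_self_signed
```

verify_cert returns 0 only when the certificate chains to the given trust anchor and names the host, so the CA-signed certificate passes against ca.crt, while the self-signed one passes only when it is itself the trust anchor. That is exactly why a browser warns on the post's self-signed certificate until it is imported, and why a certificate with the wrong CN or subjectAltName fails even when the signature is valid.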
II. Configure SSL for nginx
- nginx sends test.imdst.com.crt to the browser for verification and uses test.imdst.com.key to decrypt the secret the browser encrypts with the certificate's public key. The private key file must be readable only by the user nginx runs as.
- Nginx server {} Configuration
server {
    listen 443 ssl;
    server_name test.imdst.com;
    access_log /data/logs/test.access_log;
    ssl on;                      # deprecated since nginx 1.15.0: "listen 443 ssl" already enables TLS
    ssl_certificate sslkey/test.imdst.com.crt;
    ssl_certificate_key sslkey/test.imdst.com.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1;   # insecure: SSLv2 and SSLv3 are broken, TLS 1.0 is deprecated
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;   # still permits RC4, LOW and EXPORT suites
    ssl_prefer_server_ciphers on;
}
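A hardened version of the same server block, added here and not taken from the original post: same paths and names, with the deprecated ssl on removed and the protocol, cipher and session settings replaced by ones current browsers and nginx accept (the cipher list and session directives follow Mozilla's intermediate TLS profile).

```nginx
server {
    listen 443 ssl;
    server_name test.imdst.com;
    access_log /data/logs/test.access_log;

    # "listen 443 ssl" enables TLS; the separate "ssl on;" directive is deprecated.
    ssl_certificate     sslkey/test.imdst.com.crt;
    ssl_certificate_key sslkey/test.imdst.com.key;   # keep this file readable by the nginx user only

    # Only TLS 1.2 and 1.3: SSLv2/SSLv3 are broken and TLS 1.0/1.1 are deprecated.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only: no RC4, EXPORT, LOW or anonymous DH.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # With this list every suite is acceptable, so the client's preference may win.
    ssl_prefer_server_ciphers off;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
}
```

After editing, run nginx -t to check the syntax and reload; then confirm from a client with openssl s_client -connect test.imdst.com:443 -servername test.imdst.com that the negotiated protocol is TLSv1.2 or TLSv1.3 and that the certificate chain verifies against the CA you expect.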