Nginx configuration HTTPS self-signed certificate

Source: Internet
Author: User
Tags: CA, new CSR, openssl rsa, openssl x509, domain name validation, purchase domain name

Tools: OpenSSL is the open-source implementation of SSL/TLS used by almost every product on the market. It has three parts:
  • libcrypto: the general-purpose cryptography library; any software that implements encryption can link against it
  • libssl: the TLS/SSL protocol library
  • openssl: the multi-purpose command line tool, which is enough to run a private certificate authority
The relevant subcommand is genrsa [-out filename] [-passout arg] [numbits], which generates an RSA private key. The public key is derived from the private key, so a private key file already contains the public key; to extract the public key from a private key run: openssl rsa -in ca.key -pubout
The basic process for creating a certificate is this:
  • generate your own server-side private key (server key)
  • enter the basic information and generate a CSR (Certificate Signing Request) signed with that private key
  • submit the CSR to a certificate authority (CA) to be signed into a CRT (free or commercial certificate), or sign it with your own CA to produce the CRT (self-signed certificate)
To generate the RSA server private key:
openssl genrsa -out server.key 4096
The output file server.key is the server private key; 4096 is the key length in bits. If the requirement is not that high, 2048 is also fine.
To generate a CSR, run:
openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout myprivate.key -out mydomain.csr
This produces the CSR file. The options:
  • -new specifies that a new CSR is generated.
  • -nodes specifies that the private key file is not encrypted (no passphrase).
  • -sha256 specifies the digest algorithm used to sign the request.
  • -keyout names the private key file to write.
  • -newkey rsa:2048 specifies the private key type and length. If you already generated server.key above, replace -newkey and -keyout with -key server.key to reuse it.
SHA-1 is no longer considered safe, so sha256 is used here; very old clients (Windows 98?) may not support it. mydomain.csr is the generated CSR; naming it after your site makes it easier to identify. Then follow the prompts to enter:
  • Country
  • Province or state
  • City
  • Company (organization)
  • Department (organizational unit)
  • Common name (the website domain name; this must be accurate. Some commercial CAs that issue for the "www" name also cover the domain without "www")
  • Email address
  • Challenge password (optional; leave it blank. This is an attribute of the CSR, not the passphrase protecting the private key; a passphrase-protected key is what would force you to type a password every time the web server restarts)
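The three steps above (server key, CSR, signing) carried through end to end, with a private CA standing in for the commercial one. This is an added example, not code from the original post; it assumes openssl 1.1.1 or later on PATH, and the directory, file names and subject fields are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: the three steps above carried
# through end to end, with a private CA standing in for the commercial one.
# Assumes openssl (1.1.1 or later) on PATH; the directory, file names and
# subject fields are hypothetical placeholders.
set -eu

WORK="${WORK:-./private_ca}"       # where keys and certificates are written
DOMAIN="${DOMAIN:-www.zmz8.com}"   # host name from the post; use your own

# Minimal openssl config: a fixed DN (no interactive prompts) and CA extensions
# that req only applies when run with -x509. Avoids depending on the system openssl.cnf.
write_config() {
    mkdir -p "$WORK" && chmod 700 "$WORK"
    cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
C  = CN
ST = Shanghai
L  = Shanghai
O  = Example Private CA
CN = Example Private Root CA
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed variant: CA key and a self-signed CA certificate. ca.crt is the
# trust anchor clients have to import; ca.key must never leave this host.
make_ca() {
    write_config
    openssl genrsa -out "$WORK/ca.key" 4096 2>/dev/null
    chmod 600 "$WORK/ca.key"
    openssl req -new -x509 -sha256 -days 3650 -config "$WORK/openssl.cnf" \
        -key "$WORK/ca.key" -out "$WORK/ca.crt"
}

# Steps 1 and 2: server private key and a CSR signed with it. -subj overrides
# the DN from the config; genrsa writes the key unencrypted, so -nodes is not needed.
make_csr() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    chmod 600 "$WORK/server.key"
    openssl req -new -sha256 -config "$WORK/openssl.cnf" \
        -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/C=CN/ST=Shanghai/L=Shanghai/O=hupu/OU=Tech/CN=$DOMAIN"
}

# Step 3: the CA signs the CSR. Extensions are decided on the CA side (-extfile),
# never copied from the request; the SAN matters because browsers ignore the CN.
sign_csr() {
    cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$DOMAIN
EOF
    openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Pre-deployment checks: the certificate chains to the CA, and the private key
# really belongs to it (a mismatched key/cert pair is a classic nginx start failure).
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$WORK/server.crt" -noout -pubkey 2>/dev/null)
    [ "$key_pub" = "$crt_pub" ] || return 1
    echo ok
}

# First DNS name the certificate is valid for.
cert_san() {
    openssl x509 -in "$WORK/server.crt" -noout -text 2>/dev/null \
        | grep -o 'DNS:[^, ]*' | head -n 1
}

# "sh private_ca.sh build" produces the files and prints the check results.
if [ "${1:-}" = "build" ]; then
    make_ca && make_csr && sign_csr && verify_chain && cert_san
fi
```

Point nginx at server.crt and server.key from the output directory, and import ca.crt (never ca.key) into the trust store of the clients that need to reach the host. The key-matches-certificate check in verify_chain is the one to run whenever a certificate is renewed but the key file is not.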
Self-signed certificate practice

1. Create a key pair; the public key is what goes into the certificate (ca.key)
openssl genrsa -out ca.key 2048
This generates a 2048-bit private key. We can print its public key to inspect it:
openssl rsa -in ca.key -pubout

2. Generate the certificate (server.crt)
openssl req -new -x509 -key ca.key -out server.crt -days 365
The -x509 option makes req emit a self-signed certificate directly instead of a CSR. Answer the prompts, for example:
  • Country Name: CN
  • State or Province Name: Shanghai
  • Locality Name (city): Shanghai
  • Organization Name (company): hupu
  • Organizational Unit Name (department): Tech
  • Common Name (host name): www.zmz8.com
  • Email Address: [email protected]
We can view the contents of the certificate with:
openssl x509 -text -in server.crt
Note that in this layout ca.key is both the key that signed the certificate and the server's private key.

3. Configure nginx
Certificate path: /usr/local/nginx/private_ca/server.crt
Private key path: /usr/local/nginx/private_ca/ca.key
Add this server block to the nginx configuration:
server {
    listen 443;
    server_name www.zmz8.com;
    ssl on;
    ssl_certificate ./private_ca/server.crt;
    ssl_certificate_key ./private_ca/ca.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
Two caveats: ssl on; has been deprecated since nginx 1.15.0 in favour of listen 443 ssl;, and TLS 1.0 and 1.1 are deprecated (RFC 8996) and should be left out of ssl_protocols on any new deployment. Relative paths in ssl_certificate and ssl_certificate_key are resolved against the nginx prefix directory (here /usr/local/nginx), and the key file should be readable only by root.

Finally, if you prefer a separate server key, you can instead create a CSR from server.key and have your CA sign it:
openssl req -new -out server.csr -key server.key -config /etc/pki/tls/openssl.cnf

Commercial certificate generation
First find a commercial certificate authority (CA) or one of its resellers and order a certificate. Next, select the certificate type.

Certificate type
There are many types of commercial certificates and many CAs to choose from; prices differ by CA and by type. The common CAs are:
  • VeriSign (Symantec; its CA business has since been distrusted by browsers and taken over by DigiCert)
  • GeoTrust (RapidSSL)
  • Comodo (now Sectigo)
  • ......
The above is sorted by price from high to low. There are of course many others; open your system's certificate store to see the list. In particular, the infamous CNNIC and WoSign (including the free StartSSL it took over) have proven untrustworthy; it is recommended to remove them from your system and not to request certificates from them. Validation levels:
    • DV (Domain Validation)
    • OV (Organization Validation)
    • EV (Extended Validation)
The validation levels are ordered from low to high, and so are the prices. A DV certificate validates only the domain name: the certificate the visitor sees contains no organization information from the CSR, only the domain name, so whatever organization you typed into the CSR (say, Google) is not visible to the client. An OV certificate verifies the organization as well as the domain name, i.e. you must provide evidence that the company or organization entered in the CSR really is yours, and in return the client sees your organization's information in the certificate. EV certificates have stricter requirements still and are typically used by financial institutions and the like. Certificates also differ in how many names they cover:
    • single-domain certificate
    • multi-domain certificate
These are listed in order of increasing price. A single-domain certificate covers one domain name; some commercial certificates cover two names, with and without www. A multi-domain certificate covers several domain names, three by default; adding names costs extra, but less than buying a separate certificate per domain. For a company with multiple domain names all served from one server, a single certificate is easier and cheaper. A wildcard certificate covers any number of subdomains under one domain, one level deep (*.example.com does not cover a.b.example.com).

Application process
The general application process (DV type only) is as follows:
  • Select a CA or reseller
  • Select the certificate type
  • Select the validity period (in years; the longer the term, the cheaper the per-year price. Publicly trusted certificates have been limited to 398 days since September 2020, so a multi-year order is now fulfilled by yearly reissues)
  • Pay for the order
  • After payment, domain validation starts, driven by the provider's emails or documents (the process below is typical; providers differ)
  • Upload the CSR (or let the vendor's tool generate it; not recommended, because the vendor then holds your private key)
  • Select the validation method (email, file, DNS, etc.)
  • Complete the corresponding action
  • Wait for validation
  • Obtain the certificate (by email or download from the provider)
The validation methods are:
    • email: the CA sends a verification email to the domain's registered contact or to a standard mailbox such as webmaster at the domain
    • file: place the verification file at the path the CA specifies under the domain so the CA can fetch it over HTTP
    • dns: create the DNS TXT record the CA specifies for the CA to query
Once validation passes, the certificate can be obtained. The delivery generally includes: the CRT for the domain name, the CA's intermediate (chain) CRTs (there may be several), the root CRT (the CA's own certificate), and, if the CSR was generated by the vendor's tool, the CSR and private key as well. For nginx, the file given to ssl_certificate must contain the domain certificate first, followed by the intermediate certificates in order; the root is not needed, and a missing intermediate is the usual cause of "unable to get local issuer certificate" errors on clients.
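The nginx server block from the self-signed section, shown as an added example (not the post's own configuration) with the weak settings beside a hardened version that also uses the chain file described above. The paths are hypothetical and relative to the nginx prefix /usr/local/nginx; the hardened block needs nginx 1.13.0+ built against OpenSSL 1.1.1+ for TLS 1.3.

```nginx
# Added example, not from the original post. Paths are hypothetical,
# relative to the nginx prefix /usr/local/nginx.

# Weak, as in the post: deprecated "ssl on", TLS 1.0/1.1 enabled, server
# certificate without the CA chain, plain HTTP left reachable.
server {
    listen 443;
    server_name www.zmz8.com;
    ssl on;
    ssl_certificate     private_ca/server.crt;
    ssl_certificate_key private_ca/ca.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

# Hardened: redirect HTTP, serve the full chain, TLS 1.2/1.3 only.
server {
    listen 80;
    server_name www.zmz8.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;                 # replaces "ssl on" (deprecated since 1.15.0)
    server_name www.zmz8.com;

    # fullchain.crt = server certificate followed by the CA's intermediate
    # certificate(s), in that order; the root is not included. Build it with:
    #   cat server.crt intermediate.crt > fullchain.crt
    ssl_certificate     private_ca/fullchain.crt;
    ssl_certificate_key private_ca/server.key;   # mode 0600, owned by root

    ssl_protocols TLSv1.2 TLSv1.3;  # TLS 1.0/1.1 are deprecated (RFC 8996)
    ssl_prefer_server_ciphers off;  # with TLS 1.2+ AEAD suites, let the client pick
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Enable only once every subdomain is served over HTTPS; browsers cache it.
    add_header Strict-Transport-Security "max-age=63072000" always;
}
```

Run nginx -t before reloading, then check what is actually served with openssl s_client -connect www.zmz8.com:443 -servername www.zmz8.com: the "Verify return code" must be 0, and the certificate chain printed should list the server certificate followed by the intermediate.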
