Self-issued SSL certificates that are not trusted by the browser

Source: Internet
Author: User
Tags openssl rsa openssl x509 nginx server

Log in to the server over SSH and enter the following commands in the terminal to generate an RSA key and certificate with OpenSSL.

# Generate an RSA key
# (1024-bit RSA is considered weak today; 2048 bits or more is the usual minimum)
$ openssl genrsa -des3 -out 33iq.key 1024

# Make a copy of the key file that does not require a password
$ openssl rsa -in 33iq.key -out 33iq_nopass.key

# Generate a certificate request
$ openssl req -new -key 33iq.key -out 33iq.csr

# Self-sign the certificate
$ openssl x509 -req -days 365 -in 33iq.csr -signkey 33iq.key -out 33iq.crt

The 3rd command generates a certificate request. You will be prompted to enter the province, city and domain name information, and, importantly, the email must use your domain suffix. This produces a CSR file, which is the file you would submit to an SSL provider. Of course, I did not apply to a certificate provider here, but issued my own certificate in the 4th step.

Edit the configuration file nginx.conf and add the HTTPS protocol to the site:

server {
    server_name your_domainname_here;
    listen 443;
    # "ssl on;" is obsolete since nginx 1.15.0; newer versions use "listen 443 ssl;" instead.
    ssl on;
    ssl_certificate /usr/local/nginx/conf/33iq.crt;
    ssl_certificate_key /usr/local/nginx/conf/33iq_nopass.key;
    # If ssl_certificate_key uses 33iq.key, you will be required to enter
    # the key password each time you start the Nginx server.
}

After restarting Nginx, you can access the website via HTTPS.
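The certificate from the 4th step is signed with its own key, so no certificate authority vouches for it, which is why a browser does not trust it. The following added example (not part of the original article) repeats the steps non-interactively and confirms this with openssl verify; it assumes a 2048-bit key without a passphrase, and the names site.key, site.crt and demo.example.test are constructed.

```shell
#!/bin/sh
# Added example: names (site.key, demo.example.test) are constructed, not from the article.

# Create an unencrypted RSA key, a CSR and a 365-day self-signed certificate in DIR.
make_selfsigned() {
    dir=$1; cn=$2
    openssl genrsa -out "$dir/site.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/site.key" -subj "/CN=$cn" -out "$dir/site.csr" &&
    openssl x509 -req -days 365 -in "$dir/site.csr" \
        -signkey "$dir/site.key" -out "$dir/site.crt" 2>/dev/null
}

# True when the certificate contains the public half of the given private key.
# nginx refuses to start if ssl_certificate and ssl_certificate_key do not match.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when issuer and subject are the same name, i.e. no CA vouches for the cert.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer_hash) || return 1
    [ "$s" = "$i" ]
}

# Chain validation against the default trust store, as a browser-like client would do.
trusted_by_default() {
    openssl verify "$1" 2>&1 | grep -q ': OK$'
}

# Chain validation after the certificate itself is supplied as a trust anchor.
trusted_with_anchor() {
    openssl verify -CAfile "$1" "$1" 2>&1 | grep -q ': OK$'
}

demo() {
    d=$(mktemp -d) || return 1
    make_selfsigned "$d" demo.example.test || return 1
    key_matches_cert "$d/site.key" "$d/site.crt" && echo "key matches certificate"
    is_self_signed "$d/site.crt" && echo "issuer == subject (self-signed)"
    trusted_by_default "$d/site.crt" || echo "default trust store: rejected"
    trusted_with_anchor "$d/site.crt" && echo "explicit trust anchor: accepted"
    rm -rf "$d"
}
demo
```

The last check shows the only way a client accepts such a certificate without a warning: the certificate has to be installed as a trust anchor on that client.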

HTTPS encryption only for registration and login
Since HTTPS can guarantee security, why do most websites around the world still use HTTP? Using the HTTPS protocol adds significant load on the server. For performance reasons, we cannot encrypt every request from every user (Google, of course, being the exception). As an ordinary website, we only want security for operations such as transactions and password logins. This can be done with rewrite rules in the Nginx server configuration.

In the HTTPS server block, add the following configuration:

# Send every request except logging.php back to HTTP
if ($uri !~* "/logging.php$") {
    rewrite ^/(.*)$ http://$host/$1 redirect;
}

In the HTTP server block, add the following configuration:

# Send requests for logging.php to HTTPS
if ($uri ~ "/logging.php$") {
    rewrite ^/(.*)$ https://$host/$1 redirect;
}

This way, users are served over HTTPS only when they access logging.php.

Update: Some development frameworks decide whether the current request uses HTTPS by checking whether the PHP variable $_SERVER['HTTPS'] is on. For this to work, we need to add one line to the Nginx configuration file to set this variable. If you run into the problem of HTTPS links being redirected back to HTTP automatically, you can refer to this.

server {
    ...
    listen 443;
    location ~ \.php$ {
        ...
        include fastcgi_params;
        fastcgi_param HTTPS on; # Add this line
    }
}

server {
    ...
    listen 80;
    location ~ \.php$ {
        ...
        include fastcgi_params;
    }
}
