Self-made HTTPS certificate and used in spring boot and nginx (GO)

Source: Internet
Author: User
Tags: openssl x509 pkcs12

The Vernacular HTTPS article introduced why HTTPS exists and how it works, but mostly at the level of principles. This article describes, step by step, how to make an HTTPS certificate that passes browser verification, and explains the server-side configuration in a Spring Boot environment and in an Nginx environment.

If you have not read Vernacular HTTPS, I strongly advise you to read it first. As introduced there, the HTTPS protocol involves three parties: the client, the server, and the CA, as shown in the figure below:

In the Vernacular HTTPS article I described the process of requesting a service over HTTPS. The process described in this article, making your own HTTPS certificate, is mostly aimed at test scenarios, although some sites, such as 12306, also make their own root certificate and require users to install it. Since we are doing it ourselves, we have to work on each of the three parties in turn.

Certification Authority (CA)
    • CA private key
openssl genrsa -out ca.key 2048
    • CA certificate (self-signed root)
openssl req -x509 -new -key ca.key -out ca.crt

Note: you will be asked to enter the CA's identity information (the subject fields) during generation.

Server side
    • Generate the server private key
openssl genrsa -out server.key 2048
    • Generate a certificate signing request (CSR) for the server
openssl req -new -key server.key -out server.csr

Note: you will be asked to enter the server's identity information during generation; the Common Name should be the host name the browser will connect to.

    • Generate the server certificate, signed with the CA certificate and key
openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out server.crt

About -sha256: the default signature digest is SHA-1, which new versions of Chrome treat as insecure because the algorithm is outdated.

    • Package the server key and certificate in PKCS12 format (not necessary; it is just a different container format for the key and certificate generated in the previous steps)
openssl pkcs12 -export -in server.crt -inkey server.key -out server.pkcs12

During export you will be asked to set an export password; write it down.

    • Generate a KeyStore (.jks file) for the server (not strictly necessary; Java programs typically use certificates in this format)
keytool -importkeystore -srckeystore server.pkcs12 -destkeystore server.jks -srcstoretype pkcs12

During conversion you will be asked to set a keystore password (and to enter the PKCS12 password from the previous step); write it down.

    • Import the CA certificate into the KeyStore (not necessary)
keytool -importcert -keystore server.jks -file ca.crt
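
As an added example (not part of the original post), the CA and server-side openssl steps above as a non-interactive POSIX shell script, followed by the checks a practitioner should run before trusting the result: the chain validates against ca.crt, the signature digest is SHA-256, and the host name is present. It assumes the file names used in the article, a host name of localhost, placeholder subject strings, and it goes beyond the article by adding a subjectAltName extension (current browsers ignore the CN and require the host in the SAN) and an explicit -days on the CA certificate.

```shell
#!/bin/sh
# Added example, not the original post's code. File names follow the article;
# subject strings, the host name and the SAN extension are assumptions.
set -eu

# Step 1: CA private key and self-signed CA certificate (the root the browser will trust).
make_ca() {
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -x509 -new -key ca.key -sha256 -days 3650 \
      -subj "/CN=Self-made Test CA" -out ca.crt
}

# Step 2: server key, CSR, and CA-signed server certificate.
# The SAN extension is beyond the article: browsers require the host name there.
make_server_cert() {
  host="$1"
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -subj "/CN=$host" -out server.csr
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" > server.ext
  openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key \
      -CAcreateserial -days 3650 -extfile server.ext -out server.crt
}

# Step 3: checks. Returns 0 only if server.crt chains to ca.crt, is signed
# with SHA-256 and carries the expected host name in its SAN.
verify_server_cert() {
  host="$1"
  openssl verify -CAfile ca.crt server.crt >/dev/null || return 1
  openssl x509 -in server.crt -noout -text | grep -q 'sha256WithRSAEncryption' || return 1
  openssl x509 -in server.crt -noout -text | grep -q "DNS:$host" || return 1
  # Private keys must stay on the host and unreadable by other users.
  chmod 600 ca.key server.key
}

# Runs all steps inside a work directory (a fresh temp dir unless one is given).
main() {
  workdir="${1:-$(mktemp -d)}"
  ( cd "$workdir" && make_ca && make_server_cert localhost \
      && verify_server_cert localhost \
      && echo "server.crt in $workdir is valid for localhost and chains to ca.crt" )
}

main "$@"
```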

Client
    • Import the root certificate ca.crt into the browser's list of trusted Root Certification Authorities

Whichever browser you use, you need to find the certificate management page, click Import, and import the ca.crt generated above into the list of trusted root certification authorities.

Note that the list of trusted root certification authorities is maintained at the operating-system level: whichever browser you use to reach the configuration, you only need to import once, and other browsers will use it without repeating the configuration.

Spring Boot

Spring Boot provides a unified abstraction over the embedded web container: whether you use Tomcat, Jetty or another container, to enable HTTPS you only need to add the following code to a configuration class, registering an EmbeddedServletContainerCustomizer bean.

This uses the server.jks file generated above.

    import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer;
    import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
    import org.springframework.boot.context.embedded.Ssl;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class WebConfig {

        @Bean
        public EmbeddedServletContainerCustomizer containerCustomizer() {
            return new EmbeddedServletContainerCustomizer() {
                @Override
                public void customize(ConfigurableEmbeddedServletContainer container) {
                    Ssl ssl = new Ssl();
                    // The keystore created with keytool above and the password set when it was created
                    ssl.setKeyStore("server.jks");
                    ssl.setKeyStorePassword("passwd");
                    container.setSsl(ssl);
                    container.setPort(8443);
                }
            };
        }
    }

Nginx

To use HTTPS in Nginx, you need the server.crt and server.key generated above.

    server {
        listen 127.0.0.1:443 ssl;
        ssl on;
        ssl_certificate     server.crt;
        ssl_certificate_key server.key;
        # unrelated configuration omitted...
    }

Summary
    1. CRT, JKS and PKCS12 are all different formats for storing certificates, and different server software may use certificate files in different formats.
    2. OpenSSL and keytool are both tools that can generate HTTPS certificates; OpenSSL is more full-featured, while keytool is installed along with the JDK.
    3. Certificate formats are diverse, there are many tools to generate certificates, and different server programs are configured differently, so there are many ways to reach the goal. It is therefore more important to understand the principle than to follow a tutorial's commands step by step.
    4. As with Vernacular HTTPS, this article still does not cover how the server verifies the client, but if you understand the principle, I think you can already achieve the

Http://www.cnblogs.com/xinzhao/p/4950689.html
