Deploying a wildcard SSL certificate: the complete process

Source: Internet
Author: User
Tags: key, log, openssl, domain, domain name, access, ssl certificate, wildcard ssl

Worry-Free Online project management (www.5upm.com) is an online project management service provided by the Zen development team. It offers the functionality of the professional edition of the Zen software, with built-in Subversion and Git source hosting, so that start-up teams or teams spread across regions can work remotely and still manage their projects together.

In the day-to-day operation of Worry-Free Online, security is an issue that many customers care about. There are many ways to address it, at the operating-system level, the application level, and so on. Recently Worry-Free Online project management added HTTPS access, further improving its security.

Below, the author walks through the process of configuring HTTPS access, for reference.

I. Introduction to the HTTPS protocol

By default we visit websites over the HTTP protocol, but HTTP is not encrypted: all content travels over the network in clear text, so security cannot be guaranteed. The HTTPS protocol solves this problem well.

According to Wikipedia (http://zh.wikipedia.org/wiki/HTTPS), the main idea of HTTPS is to create a secure channel over an insecure network; when suitable cipher suites are used and the server certificate can be verified and trusted, it provides reasonable protection against eavesdropping and man-in-the-middle attacks.

The trust inheritance of HTTPS is based on certificate authorities preinstalled in the browser (such as VeriSign, Microsoft, and so on), meaning "I trust the certificate authority to tell me whom I should trust". Therefore, an HTTPS connection to a website can be trusted if and only if:

    • the user believes their browser implements HTTPS correctly and that the correct certificate authorities are installed;
    • the user believes the certificate authority trusts only legitimate websites;
    • the visited website provides a valid certificate, meaning one issued by a trusted certificate authority (most browsers warn about invalid certificates);
    • the certificate correctly identifies the visited website (for example, when visiting https://example the certificate received is for "Example Inc." and not for some other organization);
    • either the relevant nodes on the Internet are trustworthy, or the user believes that the protocol's encryption layer (TLS or SSL) cannot be broken by an eavesdropper.

So the key to deploying HTTPS access is the certificate. Below we look at how HTTPS certificates are classified.

II. HTTPS (SSL) certificate classification

2.1 By issuing authority

By the organization that issues them, certificates fall into two kinds: self-signed, and issued by a professional CA. If the certificate is used only inside the company, a self-signed certificate is an option: it is completely free and quick and convenient to deploy. The disadvantage is that browsers do not trust a self-signed certificate by default and pop up a warning page asking the user to confirm. For example, IE shows a page like this:

This is a very poor way to serve customers, so you will still want to buy a certificate issued by a professional CA.

2.2 By validation level

By the level of validation performed, SSL certificates fall into three kinds: DV, OV and EV.

    • DV stands for Domain Validation: only ownership of the website's domain name is verified. The CA sends a message to the domain holder's mailbox to confirm the relationship between the certificate and the domain. It is simple, quick and cheap; the disadvantage is that it cannot guarantee the identity of the site operator, so it is generally used only to provide data encryption.
    • OV stands for Organization Validation: the certificate is issued only after the identity of the organization running the site has been verified, so e-commerce sites commonly use OV certificates. Of course, the price is higher and the issuance cycle is longer.
    • EV stands for Extended Validation, the strictest form of verification. When users visit an EV-certified website, the browser's address bar is shown in green, and of course the price is quite high. :)

2.3 By number of domain names covered

An SSL certificate is bound to domain names; by the number of domain names it covers, certificates are single-domain, multi-domain or wildcard. As the name suggests, a single-domain certificate applies to one domain name only, and a multi-domain certificate applies to several. The wildcard certificate, also called a generic domain certificate, matches names of the form *.domain.name.

The access paths Worry-Free Online provides to customers have the form subdomain.5upm.com: for example, if you apply for the second-level domain abc, the address of your Worry-Free Online project management service is http://abc.5upm.com. Our solution is to provide secure HTTPS access for each customer's second-level domain, so a wildcard SSL certificate is our choice.

Next comes purchasing the SSL certificate. Prices differ between SSL certificate vendors. Searching the Internet, we found cheapssls.com, a site specializing in SSL certificates from various vendors at fairly affordable prices, and we bought our certificate there. The whole process of buying and activating the certificate follows.

III. Purchasing the certificate

3.1 Register an account

The first step is to register an account on the cheapssls.com website. Open cheapssls.com, choose the "Sign in" link in the upper right corner of the page, and follow the prompts to register an account; the process is not repeated here.

3.2 Choose the vendor

After registering the account, you can choose the certificate and the vendor you want to buy from. We want a wildcard certificate, so select wildcard SSL certificates, as shown in the following figure:

We have selected the certificate provided by RapidSSL:

3.3 Place the order

Once you have settled on the certificate type and the vendor, you can place the order:

The more years you buy, the bigger the discount. The price the author paid for this certificate was $98.99, which is fairly affordable.

3.4 Pay

Because foreign websites settle in US dollars, domestic users can pay by credit card or PayPal. The credit card needs to be a MasterCard or Visa branded card that supports foreign-currency settlement.

The author chooses to use PayPal to pay:

Then follow the page's prompts through to the PayPal site to pay. After the payment succeeds, the next step is to activate the certificate.

IV. Activating the certificate

4.1 Generating the CSR file

Before activating the certificate, you need to generate a CSR file on the server where the certificate will be installed. On Linux this is done with OpenSSL; the basic steps and commands are as follows:

4.1.1 Generate the server.key file

First invoke the openssl command to generate the server.key file.

z@colinux:/tmp$ openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.................................................................................+++
..+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

Note that the key length used is 2048 bits; the command also asks you to enter a passphrase that protects the key file.

4.1.2 Generate the server.csr file from server.key

Once you have the server.key file, you can generate the server.csr file.

z@colinux:/tmp$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:shandong
Locality Name (eg, city) []:qingdao
Organization Name (eg, company) [Internet Widgits Pty Ltd]:qingdaoeasysoft
Organizational Unit Name (eg, section) []:dev
Common Name (eg, YOUR name) []:*.5upm.com
Email Address []:chunsheng@cnezsoft.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note the following when filling in the fields:

    • Country Name: fill in CN, for China.
    • State or Province Name: fill in the province in Hanyu Pinyin.
    • Locality Name: fill in the city in Hanyu Pinyin.
    • Organization Name: fill in the company name in Hanyu Pinyin.
    • Organizational Unit Name: fill in the department in Hanyu Pinyin.
    • Common Name: this is the most critical field. Fill in the domain name the SSL certificate is for; for a wildcard certificate it must be written in the form *.domain.com.
    • Email Address: fill in the contact email.

With the command above we get the server.csr file; the next step is to use this file to request activation of the certificate.
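The two interactive steps of section 4.1 as one non-interactive script, added here as an example and not part of the original post. It assumes the openssl CLI (1.1.1 or later, for -addext) and the post's own subject values; unlike the post it writes the key without a passphrase, because a passphrase-protected key has to be unlocked by hand every time Apache starts, and it also places the wildcard in subjectAltName, which browsers require today (the CN alone is ignored). The CA sets the final name list itself.

```shell
#!/bin/sh
# Added helper script (not from the original post): generate a 2048-bit key
# and a wildcard CSR non-interactively, then inspect the CSR before it is
# pasted into the CA's activation form.
set -eu

DOMAIN="${DOMAIN:-5upm.com}"   # domain from the post; replace with your own

# gen_wildcard_csr KEY CSR: key plus a CSR whose CN and SAN both carry
# *.DOMAIN (the SAN also lists the bare domain). umask 077 keeps the key
# file readable by its owner only, since no passphrase protects it.
gen_wildcard_csr() {
    (umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null)
    openssl req -new -key "$1" -out "$2" \
        -subj "/C=CN/ST=shandong/L=qingdao/O=qingdaoeasysoft/OU=dev/CN=*.${DOMAIN}" \
        -addext "subjectAltName=DNS:*.${DOMAIN},DNS:${DOMAIN}"
}

# csr_cn CSR: prints the Common Name from the request's subject.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt sep_multiline,sname \
        | sed -n 's/^ *CN=//p'
}

# csr_san CSR: prints the requested subjectAltName entries.
csr_san() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# key_matches_csr KEY CSR: the CSR must have been built from this key;
# the certificate issued for it will only load in Apache with that key.
key_matches_csr() {
    [ "$(openssl rsa -in "$1" -noout -modulus)" = \
      "$(openssl req -in "$2" -noout -modulus)" ]
}

WORK="${WORK:-$(mktemp -d)}"
gen_wildcard_csr "$WORK/server.key" "$WORK/server.csr"
echo "CN : $(csr_cn "$WORK/server.csr")"      # *.5upm.com
echo "SAN: $(csr_san "$WORK/server.csr")"     # DNS:*.5upm.com, DNS:5upm.com
key_matches_csr "$WORK/server.key" "$WORK/server.csr" && echo "key and CSR match"
```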

4.2 Apply for activation

Go back to the cheapssls.com website, log in, open "My SSL", select the purchased certificate, and activate it:

An application form will appear:

This page asks you to choose the server type; we choose Apache + OpenSSL. Then paste the contents of the server.csr file you just generated into the text box below (the CSR only; the private key in server.key never leaves the server), and click Next to verify ownership of the domain name:

There are several verification methods. One is through a mailbox at the domain being applied for: the author applied for 5upm.com, so a mailbox @5upm.com is needed. Another is to verify through the domain owner's mailbox.

After you select the verification method, the system reports that activation has been submitted; next, log in to the mailbox you just entered and confirm the application.

This is the content of the message received, click on the link inside to confirm:

Select "I Approve":

Then you receive an email containing the formal SSL certificate and the intermediate CA file.

This is the SSL certificate:

This is the intermediate CA file:

Here is how to configure Apache to use the certificate.

V. Configuring the certificate

Before configuring the certificate in Apache, enable the SSL module and configure Apache to listen on port 443; there is plenty of material on the web for this. Save the SSL certificate and the CA file you just received by mail as server.crt and server.pem. Together with the key and CSR files generated earlier, there are four files in total: server.key, server.csr, server.crt and server.pem. Put them in one directory, such as /etc/apache2/ssl/, then configure the Apache virtual host:

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLCertificateChainFile /etc/apache2/ssl/server.pem
    ServerAlias *.5upm.com
    # Note: the purchased certificate covers *.5upm.com only; hosts under
    # *.5upm.cn served by this virtual host will trigger a browser warning.
    ServerAlias *.5upm.cn
    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride All
    </Directory>
</VirtualHost>

Once the configuration is complete, restart Apache; if all goes well, the site can be accessed over HTTPS. Below is our Worry-Free Online site: the address bar shows the yellow encryption indicator (different browsers display it differently).
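Before restarting Apache, the four files in /etc/apache2/ssl can be checked against each other, and section 2.3's wildcard rule can be confirmed for the host names the virtual host actually serves. This is an added example, not the post's own procedure; it assumes the openssl CLI (1.1.1 or later) and the post's file names, and the demo at the bottom builds a constructed self-signed *.5upm.com certificate so that it runs offline (for a real deployment pass the CA's intermediate file as the chain argument).

```shell
#!/bin/sh
# Added pre-deployment checks (not from the original post) for
# server.key, server.crt and server.pem before Apache is restarted.
set -eu

# cert_matches_key CERT KEY: the certificate must carry the public half of
# the key Apache will load, otherwise SSLEngine refuses to start.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = \
      "$(openssl rsa -in "$2" -noout -modulus)" ]
}

# chain_ok CHAIN CERT: the leaf must verify against the intermediate file
# from the CA's mail. The chain file is used as the trust anchor here, so
# this checks that the chain file belongs to the certificate, not that a
# browser's root store trusts the intermediate.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_covers_host CHAIN CERT HOST: applies the same name-matching rule as
# browsers (RFC 6125): '*.5upm.com' covers abc.5upm.com only, not 5upm.com,
# not a.b.5upm.com, and never another zone such as abc.5upm.cn.
cert_covers_host() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# --- constructed demo material: a 1-day self-signed wildcard certificate ---
DEMO="${DEMO:-$(mktemp -d)}"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$DEMO/server.key" -out "$DEMO/server.crt" \
    -subj "/C=CN/O=qingdaoeasysoft/CN=*.5upm.com" \
    -addext "subjectAltName=DNS:*.5upm.com" 2>/dev/null
cp "$DEMO/server.crt" "$DEMO/server.pem"   # self-signed: it is its own chain

if cert_matches_key "$DEMO/server.crt" "$DEMO/server.key" \
   && chain_ok "$DEMO/server.pem" "$DEMO/server.crt"; then
    echo "key, certificate and chain file are consistent"
fi
for h in abc.5upm.com 5upm.com a.b.5upm.com abc.5upm.cn; do
    if cert_covers_host "$DEMO/server.pem" "$DEMO/server.crt" "$h"; then
        echo "$h: covered"
    else
        echo "$h: NOT covered, browsers will warn"
    fi
done
```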


