To configure an SSL certificate signature for Nginx

Source: Internet
Author: User
Tags: install, openssl, ssl, certificate


To secure connections from Web browsers to servers, HTTPS is practically the only choice. HTTPS is HTTP over SSL: the HTTP connection is established on top of an SSL secure connection.

SSL uses certificates to create secure connections. There are two verification modes:

Only the client verifies the server certificate; the client does not present a certificate of its own;

The client and server verify each other's certificate.

Obviously, the second method is more secure, and it is the one generally used by online banking. For ordinary Web sites, however, the first method is sufficient.

How does the client verify the server certificate? The server's own certificate must be signed by an "authoritative" certificate, and that "authoritative" certificate may in turn be signed by a more authoritative one; the top-level authoritative certificate is called the root certificate. Root certificates are embedded directly in the browser, so the browser can use its own root certificates to check whether a server's certificate is valid.

To present a valid certificate, the server certificate must be signed by a certificate authority such as VeriSign so that the browser can pass the verification. Otherwise, the browser will warn that the certificate is invalid.

Applying for a certificate signature costs anywhere from tens to a few hundred dollars a year, so for management purposes you can create a self-signed certificate instead, which still lets the administrator connect securely to the server through a browser.

The following describes how to create a self-signed SSL certificate.

To create a self-signed certificate, you must first install openssl, then follow these steps:

Create Key;

Create a signature request;

Remove the Key password;

Sign the certificate with the Key.

For certificates prepared for HTTPS, note that the CN (Common Name) in the signing request must be exactly the domain name; otherwise, the browser cannot verify the certificate.
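The four steps above as one non-interactive openssl script, added here as an example (it is not the author's gencert.sh): the pass phrase is supplied once on the command line instead of being typed at each prompt, the subject fields mirror the script's output, and the key is 2048 bits rather than the 1024 used on the page. The check_cert helper is an added convenience, not part of the original procedure.

```shell
#!/bin/sh
# Added example, not the original gencert.sh: the four openssl steps from the
# text, run non-interactively. Usage: gencert <domain> <pass-phrase> [outdir]
set -e

gencert() {
    domain="$1"; pass="$2"; dir="${3:-.}"
    mkdir -p "$dir"
    # 1. Create the key, encrypted with the pass phrase (2048 bits; the page's
    #    1024-bit RSA key is considered too weak today).
    openssl genrsa -des3 -passout "pass:$pass" \
        -out "$dir/$domain.origin.key" 2048 2>/dev/null
    # 2. Create the signing request. CN must equal the domain the browser visits.
    openssl req -new -key "$dir/$domain.origin.key" -passin "pass:$pass" \
        -subj "/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$domain" \
        -out "$dir/$domain.csr"
    # 3. Remove the pass phrase so nginx can load the key without prompting.
    openssl rsa -in "$dir/$domain.origin.key" -passin "pass:$pass" \
        -out "$dir/$domain.key" 2>/dev/null
    # 4. Sign the request with the key itself (self-signed, 365 days, SHA-256).
    openssl x509 -req -days 365 -sha256 -in "$dir/$domain.csr" \
        -signkey "$dir/$domain.key" -out "$dir/$domain.crt" 2>/dev/null
}

# Sanity check before copying files to /etc/nginx/ssl: the certificate and the
# password-free key must share a modulus, and the CN must be the domain.
check_cert() {
    domain="$1"; dir="${2:-.}"
    cm=$(openssl x509 -in "$dir/$domain.crt" -noout -modulus)
    km=$(openssl rsa -in "$dir/$domain.key" -noout -modulus 2>/dev/null)
    [ "$cm" = "$km" ] || return 1
    openssl x509 -in "$dir/$domain.crt" -noout -subject | grep -q "CN *= *$domain"
}
```

Run it as `gencert www.111cn.net 'your pass phrase' ./certs && check_cert www.111cn.net ./certs`; the .origin.key stays encrypted while the .key it produces loads without a prompt.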

These openssl commands are cumbersome to run one by one, so I wrote a shell script that handles the whole certificate process in one go. Download the script from here:

https://github.com/michaelliao/itranswarp.js/blob/master/conf/ssl/gencert.sh

Run the script. If your domain name is www.111cn.net, follow the prompts and enter it:

    $ ./gencert.sh
    Enter your domain [www.example.com]: www.111cn.net
    Create server key...
    Generating RSA private key, 1024 bit long modulus
    .................++
    .....++
    e is 65537 (0x10001)
    Enter pass phrase for www.111cn.net.key: (enter the pass phrase)
    Verifying - Enter pass phrase for www.111cn.net.key: (enter the pass phrase)
    Create server certificate signing request...
    Enter pass phrase for www.111cn.net.key: (enter the pass phrase)
    Remove password...
    Enter pass phrase for www.111cn.net.origin.key: (enter the pass phrase)
    writing RSA key
    Sign SSL certificate...
    Signature ok
    subject=/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=www.111cn.net
    Getting Private key
    TODO:
    Copy www.111cn.net.crt to /etc/nginx/ssl/www.111cn.net.crt
    Copy www.111cn.net.key to /etc/nginx/ssl/www.111cn.net.key
    Add configuration in nginx:
    server {
        ...
        ssl on;
        ssl_certificate /etc/nginx/ssl/www.111cn.net.crt;
        ssl_certificate_key /etc/nginx/ssl/www.111cn.net.key;
    }

The domain name and the pass phrases are what you type at the prompts. Note that the four pass phrases must all be the same.

Four files will be created in the current directory:

www.111cn.net.crt: self-signed certificate
www.111cn.net.csr: certificate signing request
www.111cn.net.key: key without a password
www.111cn.net.origin.key: key with a password

The Web server sends www.111cn.net.crt to the browser for verification and uses www.111cn.net.key to decrypt the data the browser sends during the handshake. The remaining two files do not need to be uploaded to the Web server.

Take Nginx as an example. You need to configure it in the server block:

    server {
        ...
        ssl on;
        ssl_certificate /etc/nginx/ssl/www.111cn.net.crt;
        ssl_certificate_key /etc/nginx/ssl/www.111cn.net.key;
    }

If everything goes well, open your browser and you can access your website through HTTPS. The first visit shows a warning because our self-signed certificate is not trusted by the browser; import the certificate into the system through the browser (on Windows use IE to import, on Mac use Safari) and mark it as "trusted". After that, the computer can connect securely to the Web server.


How do you configure a certificate on the application server, for example Tomcat or gunicorn? The correct method is not to configure it there at all: let Nginx handle HTTPS and connect to the backend application server over plain HTTP through its proxy. Nginx then acts as a security proxy from HTTPS to HTTP, so its HTTP/HTTPS processing capability is used and the weakness of application servers that are not good at HTTPS is avoided.
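The HTTPS-to-HTTP proxy setup just described, written out as an nginx server block that a shell function emits into a file; this is an added example, not configuration from the original page. It assumes the certificate files from the script live under /etc/nginx/ssl and that the backend URL is passed in; it uses `listen 443 ssl` rather than the older `ssl on` directive shown above, and the port-80 redirect is an addition.

```shell
#!/bin/sh
# Added example (not from the original page): emit the nginx server block that
# terminates HTTPS and proxies plain HTTP to the application server.
# Usage: write_nginx_conf <domain> <backend_url> <output_file>
set -e

write_nginx_conf() {
    domain="$1"; backend="$2"; out="$3"
    cat > "$out" <<EOF
# Redirect plain HTTP to HTTPS so the application is only reached over TLS.
server {
    listen 80;
    server_name $domain;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $domain;

    # Files produced by the certificate script; only .crt and .key are needed.
    ssl_certificate     /etc/nginx/ssl/$domain.crt;
    ssl_certificate_key /etc/nginx/ssl/$domain.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # Plain HTTP to the backend (e.g. Tomcat or gunicorn). The headers tell
        # the application the real client address and that the request was HTTPS.
        proxy_pass $backend;
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Returns 0 when the generated file contains the given literal line fragment.
conf_has() { grep -qF -- "$2" "$1"; }
```

Run `write_nginx_conf www.111cn.net http://127.0.0.1:8080 /etc/nginx/conf.d/www.111cn.net.conf` and then `nginx -t` to validate before reloading.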
