Using OpenSSL to generate SHA-256 self-signed certificates that are available for IIS

Source: Internet
Author: User

Starting in 2017, iOS will enforce ATS (App Transport Security), so every site, API, web page and resource path an app uses must meet the TLS 1.2 standard or higher.
Self-signed certificates no longer meet these requirements by default, so the production environment should use a certificate purchased from a CA. To avoid spending money on a certificate for the test environment, you can deploy a self-signed certificate there instead.
This article covers the following points:
1. Enable TLS 1.2
2. Generate a self-signed certificate for a wildcard domain (*.abc.com)
3. Add the self-signed certificate to the Windows client's (test) trusted certificates
4. Add the self-signed certificate to the iPhone client's (test) trusted certificates
5. Add the self-signed certificate on Android (Android is lenient here, so this is only covered briefly)

Environment:
1. Windows Server
2. IIS 7.5

Note: the following describes the configuration of a test server. The production server should use a purchased wildcard certificate, and enabling TLS 1.2 there requires a careful server restart, so back up the registry first.

1. Enable TLS 1.2

TLS 1.2 on IIS requires Windows Server 2008 with IIS 7.5. On Server 2008, SSL 3.0 is enabled by default; SSL 3.0 is insecure compared with TLS 1.0, and it is now explicitly known to be insecure.
Enabling TLS 1.2 by hand is tedious, since it requires registry edits and so on; see:
Https://www.derekseaman.com/2010/06/enable-tls-12-aes-256-and-sha-256-in.html
A more convenient way is to download the following tool, make the changes in it, and restart the server; configure it as shown in the figure below:

https://www.nartac.com/Products/IISCrypto/
The specific steps for enabling it are described in that article. To verify, enable TLS 1.2, configure the self-signed certificate, open the site in Firefox and view the certificate details; you can also download TestSSLServer2.exe to test the server. See the figure below:
2. Generate a self-signed certificate using OpenSSL

TLS 1.2 (as required by ATS) expects certificates whose signature uses the SHA-256 algorithm, and the key length must be at least 1024 bits. OpenSSL signs with SHA-1 by default, so pay attention to the parameters when generating the certificate.
First download OpenSSL:
https://www.openssl.org/blog/blog/2016/10/12/f2f-rt-github/
Unzip it and place it in any directory on the server, for example on the D drive.
Right-click openssl.exe and choose Run as administrator.
For detailed commands, refer to: Https://impl.gfipm.net/wiki/Generating_Certificates_with_OpenSSL

2.1 Generate the key and CRT:
OpenSSL> req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout self.key -out self.crt -subj /CN=*.abc.com
If the error "unable to load config info from /usr/local/ssl/openssl.cnf" appears, add -config openssl.cnf to the command, with openssl.cnf placed in the same directory as openssl.exe; if you do not have one, search online for it.
Parameter explanation:
-sha256: sign with the SHA-256 algorithm
rsa:2048: 2048-bit key
-days 365: certificate valid for 365 days
-subj /CN=*.abc.com: use the abc.com domain name as the subject. It took me a long time to get this working. A certificate is normally bound to a single domain name (a second-level subdomain counts as a separate name); with the wildcard form, this one certificate covers a.abc.com, b.abc.com and other subdomains.
self.key: the key file; name it as you like
self.crt: the certificate file, used by iPhone, Macs and so on

The generated files are in the same directory as openssl.exe.

2.2 Generate the PFX certificate file used by Windows
OpenSSL> pkcs12 -export -out self.pfx -inkey self.key -in self.crt
After running it you are prompted for the export password; for your own tests, a simple one is fine.
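The workflow of sections 2.1 and 2.2, as an added shell example that is not from the original article: it writes a minimal openssl.cnf (so the req command does not depend on the system config), generates the SHA-256 wildcard certificate with a matching subjectAltName, and checks the result before exporting the PFX. It assumes the openssl binary is on PATH; the file names and the abc.com domain follow the article, and the PFX password is a constructed test value.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes "openssl" is on PATH.
# Mirrors sections 2.1/2.2 but adds a subjectAltName (browsers ignore the CN
# for host matching) and verifies the certificate before building the PFX.

# write_cnf FILE: minimal openssl.cnf, so the req command never hits the
# "unable to load config info" error and the SAN extension is included.
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_wild
prompt             = no
[ dn ]
CN = *.abc.com
[ v3_wild ]
subjectAltName   = DNS:*.abc.com, DNS:abc.com
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# gen_cert DIR: create self.key, self.crt and self.pfx in DIR
# (PFX password "test1234" is a constructed test value, as in the article).
gen_cert() {
    mkdir -p "$1" && write_cnf "$1/openssl.cnf"
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -config "$1/openssl.cnf" -keyout "$1/self.key" -out "$1/self.crt" \
        2>/dev/null || return 1
    openssl pkcs12 -export -out "$1/self.pfx" -inkey "$1/self.key" \
        -in "$1/self.crt" -passout pass:test1234
}

# check_cert CRT: succeed only if the certificate is SHA-256 signed, carries
# an RSA key of at least 2048 bits and the wildcard SAN; explain otherwise.
check_cert() {
    txt=$(openssl x509 -in "$1" -noout -text) || return 1
    echo "$txt" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' ||
        { echo "signature is not SHA-256"; return 1; }
    bits=$(echo "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || { echo "RSA key too short: ${bits:-?}"; return 1; }
    echo "$txt" | grep -q 'DNS:\*\.abc\.com' ||
        { echo "wildcard subjectAltName missing"; return 1; }
    echo "OK: SHA-256 signature, ${bits}-bit RSA key, wildcard SAN present"
}
```

With OpenSSL 3 the PFX is encrypted with AES by default, which older Windows versions cannot import; in that case add -legacy to the pkcs12 -export command.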

2.3 Deploy to IIS
In IIS, locate Server Certificates, open it, and on the right choose Import.

Enter the password you defined in the previous step; after the import succeeds, you can configure an HTTPS site binding.

OK, now try to access the site from a client browser.

Firefox uses its own certificate store, so trust cannot be added through the system store.
IE and Chrome use the system certificate store, so trust can be added as follows.

3. Add the self-signed certificate to the Windows client's (test) trusted certificates

Send the PFX certificate to the client computer used for testing. On the client PC, open the certificate, select "Local Machine", Next, enter the password you set, Next, then choose the certificate store yourself instead of the default: select "Trusted Root Certification Authorities", OK, and the import is complete.



Open the URL in IE or Chrome and you will see the green padlock. In Firefox, add an exception, then view the certificate information; the connection details show TLS 1.2.


4. Add the self-signed certificate to the iPhone client's (test) trusted certificates

When you open the domain bound to the self-signed certificate in Safari, a prompt to continue appears; do not tap it. I have not tried it, but it is said that after tapping it the certificate is not added to the trusted certificates.
Send the CRT certificate as an email attachment to the iPhone, open the CRT in the iPhone Mail app, and when it asks whether to add it as a trusted certificate, accept. Then open the site in Safari; it is now served encrypted.
Enable ATS in the app, debug the API URLs, switch AFNetworking to HTTPS access, and the app works normally. No app code needs to be modified. Bundling a certificate inside the app is not recommended: with that approach, changing the certificate means recompiling the app, which is too cumbersome.

5. Add the self-signed certificate on Android (Android is lenient here, so this is only covered briefly)

Android currently imposes no such restriction; HTTP and HTTPS both seem to be used freely in applications, and only the access scheme needs to change. If you want to add the self-signed certificate as trusted, go to Settings, About phone, Certificate management and add it there; the steps differ by model, so explore on your own.
