Generate HTTPS certificate nginx configuration under Linux (OpenSSL CRT PEM key CSR X.509)

Time:2021-8-17

SSL

SSL - Secure Sockets Layer. It should properly be called "TLS" now, but out of habit we still call it "SSL" more often. HTTP does not encrypt content by default, so traffic can be monitored by others in transit. Where security requirements are high, it must be encrypted. HTTPS is HTTP with encryption, and that encryption is based on SSL. SSL implements encryption at a lower layer: whatever your server program did before encryption was added, it keeps doing afterwards, and nothing needs to change. The encryption is transparent to users and developers.

OpenSSL - In short, OpenSSL is an implementation of SSL, while SSL itself is just a specification. In theory SSL is a secure specification that is difficult to break at the current level of technology, but an implementation of SSL may have vulnerabilities, such as the famous "Heartbleed". OpenSSL also provides a lot of powerful tools, so powerful that we never use 90% of them.

Certificate standard

X.509 - This is a certificate standard that mainly defines what a certificate should contain. For details, see RFC 5280. SSL uses this certificate standard.

Encoding format

The same X.509 certificate may be stored in different encoding formats. At present there are two:

PEM - Privacy Enhanced Mail. Opened in a text editor it is plain text, starting with "-----BEGIN..." and ending with "-----END...", with a Base64-encoded body.

View the information in a PEM-format certificate: openssl x509 -in certificate.pem -text -noout

Apache and *nix servers prefer this encoding format.

DER - Distinguished Encoding Rules. Opened in a text editor it is binary and unreadable.

View the information in a DER-format certificate: openssl x509 -in certificate.der -inform der -text -noout

Java and Windows servers prefer this encoding format.

Related file extensions

This part is confusing. Although we already know there are two encoding formats, PEM and DER, file extensions are not necessarily ".pem" or ".der". Besides PEM and DER, the common extensions are listed below. Apart from the encoding, the files also differ in content, but most can be converted from one encoding to the other.

CRT - CRT is presumably the three letters of "certificate"; in any case it means certificate. It is common on *nix systems. It may be PEM-encoded or DER-encoded, and most are PEM-encoded. I believe you already know how to tell them apart.

CER - Also means certificate. It is common on Windows systems. Likewise it may be PEM-encoded or DER-encoded, and most are DER-encoded.

KEY - Usually used to store a public key or private key, not an X.509 certificate. The encoding is likewise either PEM or DER.

How to view a key: openssl rsa -in mykey.key -text -noout

If it is in DER format, the command is the same with -inform der added: openssl rsa -in mykey.key -text -noout -inform der

CSR - Certificate Signing Request. It is not a certificate, but an application submitted to a certificate authority to obtain a signed certificate. Its core content is a public key (with some other information attached). A private key is also generated when the request is created, and you keep the private key yourself. Anyone who has built an iOS app will know this from applying to Apple for a developer certificate.

How to view a CSR: openssl req -noout -text -in my.csr (if it is in DER format, add -inform der as usual; not written out here)

Converting certificate encodings

PEM to DER: openssl x509 -in cert.crt -outform der -out cert.der

DER to PEM: openssl x509 -in cert.crt -inform der -outform pem -out cert.pem

(Note: the examples above convert a certificate file. Converting a key file is similar, but change x509 to rsa. To convert a CSR, change x509 to req.)
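The sections on file extensions and on conversion both come down to one fact: PEM is the DER bytes, Base64-encoded between BEGIN/END lines. The Python sketch below is an added example, not part of the original article; it goes one step past the openssl commands by classifying a file from its bytes rather than its extension and converting in both directions. The function names, file names and the sample blob (a constructed placeholder, not a real certificate) are assumptions made for illustration.

```python
import base64
import re

# One PEM block: BEGIN/END lines with matching labels around a Base64 body.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def is_single_der_sequence(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30) whose length field fits."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: length in one byte
        return len(data) == 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify(data: bytes):
    """Return (encoding, label) judged from the bytes, never from the file name."""
    m = PEM_RE.search(data)
    if m:
        return "PEM", m.group(1).decode()
    if is_single_der_sequence(data):
        return "DER", None                # DER has no label; the caller must know the type
    return "unknown", None

def pem_to_der(data: bytes) -> bytes:
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode(m.group(2))   # newlines in the body are ignored

def der_to_pem(der: bytes, label: str) -> bytes:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()

# Constructed sample: a 200-byte DER SEQUENCE of zeros, NOT a real certificate.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(200)
# Constructed file names whose extensions say nothing reliable about the encoding.
FILES = {"server.crt": der_to_pem(SAMPLE_DER, "CERTIFICATE"),
         "server.pem": SAMPLE_DER,
         "server.key": der_to_pem(SAMPLE_DER, "PRIVATE KEY")}

if __name__ == "__main__":
    for name, blob in FILES.items():
        print(name, classify(blob))
```

The PEM label (CERTIFICATE, CERTIFICATE REQUEST, PRIVATE KEY) is what tells you whether to inspect the file with x509, req or a key command; a DER file carries no such label, so the type has to be known from context.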

Unfinished; to be continued.