The latest SSL certificate application and installation configuration 2024 version
Table of Contents
1. Apply for Tencent Cloud SSL certificate
2. Verification of the domain name to which the SSL certificate belongs
2.1. Ensure that your web service can normally access the “domain name” and its subdomain “www.domain name”
2.2. Can be accessed at home or abroad
2.3. .txt file access verification
2.4. Verify domain name
3. Download the issued ssl certificate
4. Install the certificate
4.1. Unzip the downloaded certificate to the custom path where the execution file of the web service is located.
4.2. If you need to configure the certificate in code or configure a web service DLL hosting similar to IIS
4.3. Install the certificate at the operating system level
5. Configure certificate
5.1. Configure the operating system CSP to control the ssl/tls protocol version of the SCHANNEL secure channel of the security provider.
5.2. Configure the cipher suite corresponding to the certificate protocol version
5.2.1. Configure cipher suites and their order
5.2.2. Cipher suites responding to “security compliance” and their configuration sequence
5.2.3. Cipher suite configuration case
5.3. Final configuration effect – taking into account complete security compliance and compatibility
The annual Double 11 sale is coming again, which is when cloud servers, certificates and the like need to be purchased or renewed on expiry. So here is another run through the SSL certificate procedure, so as not to forget it.
1. Apply for Tencent Cloud SSL Certificate
https://console.cloud.tencent.com/ssl
2. Verification of the domain name to which the SSL certificate belongs
Remark:
The difference between RSA encryption algorithm and ECC encryption algorithm
Certificate, key, encryption, what exactly is rsa?
2.1. Ensure that your web service can normally access the “domain name” and its subdomain “www.domain name”
You need to verify the domain name and its www. subdomain at the same time: for example, your domain name is xxx.com
Domain name verification:
xxx.com
www.xxx.com
2.2. Can be accessed at home or abroad
The cloud server enables overseas access, or:
Configure the cross-domain whitelist directly in your web service and it will take effect:
Currently, the IP address of the cross-domain server used by the CA organization “AsiaInfo” for domain name verification is:
91.199.212.132, 91.199.212.133, 91.199.212.148, 91.199.212.151, 91.199.212.176, 54.189.196.217
2.3. .txt file access verification
Click “Submit application for domain name verification” and download the file shown below:
Copy the file to the “root” path of your web service corresponding to the file path shown above:
cd wwwroot
mkdir .well-known
cd .well-known
mkdir pki-validation
cd pki-validation
That is: wwwroot/.well-known/pki-validation
2.4. Verify domain name
Once the file can be accessed, click “Click here to verify the ‘domain name'” or “Click here to verify the ‘subdomain name'”:
Click “Domain Name Verification” and pass:
3. Download the issued SSL certificate
All types of certificate files are downloaded for subsequent use according to the specific operating system environment, among which the root certificate is required.
4. Install certificate
The following takes the MS Windows platform as an example:
4.1. Unzip the downloaded certificate to a custom path where the executable file of the web service is located
Among them, the “root certificate” is required, as shown in the picture above “domain name_root.crt”;
Secondly, the “CA certificate chain” is necessary, as shown in the picture above “domain name_root.pfx”;
Finally, “your certificate” is necessary, as shown above:
the certificate file, in the format “domain name_bundle.crt” or “domain name_bundle.pem”;
“domain name_bundle.key”, the key file of your certificate.
4.2. If it is necessary to configure the certificate in code or configure a web service DLL hosting similar to IIS
Make sure that your web service or websocket service or tcp service code can access the files related to the above certificates; you may need to consider UAC privilege escalation and ACL access control list permissions, depending on the specific situation.
Optional instructions: Make sure that your DLL in the module under your IIS service has ACL access control list permissions on the files and folders related to the above certificates.
4.3. Install the certificate at the operating system level
The certificate corresponds to your domain name or IP (for certificates that support IPs, see the specific certificate category), and the IP is ultimately bound to the network card of a specific server device, which works normally with the support of the operating system. The certificate must therefore be deployed “on the operating system”; this is the prerequisite for understanding and using certificates correctly.
Of course, some self-developed web services use code to provide the access verification needed when applying for the “CA authority issued certificate”, and that is also possible; but in the end the web service itself still depends on the operating system it runs on. It is therefore best to deploy your certificate at the operating system level.
Run cmd: mmc
Use the “certificate” node to load:
First delete the expired certificate. Line 3 is your own certificate, “cpuofbs.com”.
The first row is the root certificate (the AAA organization’s Root certificate), and the last row is the certificate of your certificate authority (the CA organization).
The above three types of certificates constitute the “certificate chain” for your certificate application. They must be “deployed” simultaneously and correctly. Use the certificate file you downloaded and decompressed in “4.1.” to overwrite the installation; or delete it first and then reinstall it.
5. Configure certificate
The following takes the MS Windows platform as an example:
5.1. Configure the ssl/tls protocol version of the SCHANNEL secure channel controlled by the operating system CSP of the security provider
Registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
CSP: Control Security Providers
SCHANNEL: Security CHANNEL (secure channel), which essentially corresponds to interaction with the operating system file schannel.dll
Under the Protocols subkey, create or edit the protocol versions for which you will configure cipher suites later:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
Among them, the recommended configurations are TLS 1.1 and TLS 1.2. Versions below TLS 1.1 are not recommended because they are outdated and have too many vulnerabilities that cannot be remedied (for example, SSL 2.0). Neither TLS v1.1 nor v1.2 has known security issues, but only v1.2 provides modern encryption algorithms. TLS v1.2 should be your primary protocol, as it is the only version that offers modern authenticated encryption (also known as AEAD). If you don’t support TLS v1.2 today, you lack security.
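The registry layout described above, written out as an added example that is not from the original article. The `Server` and `Client` subkeys and the `Enabled` and `DisabledByDefault` DWORD values are the standard Schannel layout and are not spelled out on the page; the function names are hypothetical.

```powershell
# Added example, not from the original article. Run from an elevated session;
# Schannel reads these values at startup, so restart the server afterwards.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state taken from the text above: TLS 1.1 and TLS 1.2 on, older versions off.
$desired = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

function Set-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter(Mandatory)][bool]$Enable
    )
    # Each protocol has a Server subkey (inbound connections) and a Client subkey (outbound).
    foreach ($role in 'Server', 'Client') {
        $key = "$root\$Protocol\$role"
        if (-not $PSCmdlet.ShouldProcess($key, "set Enabled=$([int]$Enable)")) { continue }
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled: 1 = allowed, 0 = refused.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enable) -Force | Out-Null
        # DisabledByDefault: 1 = not offered unless an application asks for it explicitly.
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    foreach ($protocol in $desired.Keys) {
        foreach ($role in 'Server', 'Client') {
            $values = Get-ItemProperty -Path "$root\$protocol\$role" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $protocol
                Role              = $role
                # A missing key or value means the operating system default applies.
                Enabled           = if ($null -ne $values.Enabled) { $values.Enabled } else { 'OS default' }
                DisabledByDefault = if ($null -ne $values.DisabledByDefault) { $values.DisabledByDefault } else { 'OS default' }
            }
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize      # state before the change
foreach ($protocol in $desired.Keys) {
    # -WhatIf only prints what would be written; remove it to apply.
    Set-SchannelProtocol -Protocol $protocol -Enable $desired[$protocol] -WhatIf
}
```

Keep console access to the server available when applying this remotely, because RDP negotiates TLS through the same Schannel settings.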
To view visitor logs:
Enable Schannel event logging in Windows and Windows Server:
https://learn.microsoft.com/zh-CN/troubleshoot/developer/webapps/iis/health-diagnostic-performance/enable-schannel-event-logging
5.2. Configure the cipher suite corresponding to the certificate protocol version
This step is the most critical. If the configuration is wrong, even the most basic RDP client (a TCP service), such as Microsoft’s “Remote Desktop Connection”, will fail when connecting because of encryption and decryption errors: handshake failed.
Run cmd: gpedit.msc
Open “Local Computer Policy-Computer Configuration-Administrative Templates-Network-SSL Configuration Settings” and configure:
5.2.1. Configure cipher suites and their order
Concept:
◆A cipher suite is a set of encryption algorithms used for secure connections in Transport Layer Security (TLS). The TLS cipher suite consists of three components: Authentication, Encryption and Message Authentication Code (MAC), which provide security and reliability and protect the transmitted data from theft by third parties. During the TLS handshake, the client and server negotiate a cipher suite to use (they decide based on the lists of cipher suites each supports), so that communication between the client and server is encrypted with this cipher suite.
◆Different operating system versions have different support for TLS versions and cipher suites.
For example, on Windows Server 2012 R2 the configuration is as follows:
Under Windows Server 2012 R2, the cipher suites supporting TLS 1.2 and TLS 1.1, in order, are:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256_P384,TLS_RSA_WITH_AES_128_GCM_SHA256
Windows Server 2012 R2 itself does not support TLS 1.3. Even if you configure a “TLS 1.3” secure channel, and even if your web service supports TLS 1.3 for encrypting and decrypting traffic, the setting will be “invalid”, and it can even cause user access to “fail”, because protocols and suites are tried in priority order.
Concept:
◆Priority order
Depending on the “secure channel” you configured in “5.1”, the order is TLS first, then SSL, and higher versions before lower versions. The browser client will use the highest version it supports, TLS 1.3, to shake hands with your server. If the TLS 1.3 protocol is configured and allowed in the server's SCHANNEL “Secure Channel”, the server then checks the “cipher suites and their order” you configured and replies to the client accordingly: the TLS 1.3 protocol is supported here, and the cipher suite you expect will be used for encryption and decryption in both directions. Otherwise:
Either the TLS 1.3 protocol is enabled in the SCHANNEL secure channel but no corresponding cipher suite can be found in the configuration, causing access failure; or a cipher suite that supports TLS 1.3 is present but configured incorrectly, and access fails.
◆Certificate algorithm selection
RSA or ECC: this depends on the “algorithm selection” you made when applying for the certificate, which determines the algorithm used for encryption and decryption in later communication. Different algorithms mean different cipher suites, and the cipher suites for each algorithm use different encryption algorithms. If you have an RSA certificate but configure cipher suites that prioritize ECC, access will fail.
5.2.2. Cipher suites responding to “security compliance” and their configuration sequence
Concept:
◆Security Compliance
◆Apple ATS compliance:
Note
It is necessary to configure cipher suites that comply with the PFS specification. The currently recommended configuration is:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4
TLS 1.2 needs to be enabled among the server's TLS protocols. Currently recommended configuration:
TLSv1 TLSv1.1 TLSv1.2
First of all, it must comply with the RFC 6962 specification:
Apple ATS (Accessory Test System) is a testing system launched by Apple for testing MFi certified accessories. This test system was independently developed by Apple and is used to test various accessories that are compatible with Apple devices, such as headphones, chargers, data cables, etc. The ATS system uses a series of testing procedures and testing equipment to ensure that the quality and compatibility of accessories meet Apple standards and specifications. Through the testing of the ATS system, manufacturers can ensure that their products meet Apple’s requirements and obtain MFi/CarPlay certification. The ATS system can perform a variety of tests, including connectivity testing, power consumption testing, compatibility testing, security testing, etc. During the test process, the ATS system will automatically run the test program, conduct various tests, and record and analyze the test data in order to evaluate and analyze the test results. The ATS system can help manufacturers improve the quality and performance of their products and ensure compatibility with Apple devices. At the same time, the ATS system is also Apple’s guarantee for third-party certified products such as MFi/CarPlay, ensuring that they comply with Apple’s standards and specifications and providing consumers with high-quality accessories.
In addition to the functions introduced above, the ATS system also has the following characteristics:
Diverse test items: The ATS system can perform a variety of tests, including connectivity tests, power consumption tests, compatibility tests, safety tests, etc., to ensure that the quality and compatibility of accessories meet Apple’s standards and specifications.
Automated testing: The ATS system can automatically run test programs, conduct various tests, and record and analyze test data to evaluate and analyze test results. This automated testing method can improve the efficiency and accuracy of testing.
Scalability: The ATS system supports a variety of different test fixtures and test modules to meet the testing needs of different types of accessories. At the same time, the ATS system also supports customized test procedures to meet the manufacturer’s specific testing requirements.
Easy to use: The ATS system has a friendly user interface and operation process, which makes it easier for manufacturers to conduct test operations and analyze and evaluate test data.
PFS rules refer to the rules of “Path Finding System”, that is, the rules of the path finding system. In the field of computer science, the PFS rule is an algorithmic rule used to solve path search problems. It is widely used in artificial intelligence, network routing, graphics processing and other fields. In the field of cryptography, forward secrecy, FS (sometimes also called “perfect forward secrecy”, PFS), is a protocol feature that enables secure conversations that do not rely on the server’s private key: a key gives access only to the data it protects. The material used to generate a key is changed each time and cannot be used to generate other keys, so if one key is cracked, the security of the other keys is not affected. With cipher suites that lack forward secrecy, someone who can recover the server’s private key can decrypt all earlier recorded encrypted conversations (that is, the ciphertext can be recorded in bulk and decrypted later; for example, if your certificate is not properly destroyed after it expires, its private key can be used to decrypt non-PFS ciphertext). You need to support ECDHE suites to achieve forward secrecy with modern web browsers. To support a wider range of clients, also use DHE suites as a fallback for ECDHE. Avoid RSA key exchange unless absolutely necessary, otherwise it affects efficiency.
Obsolete cryptographic primitives must be avoided: ADH (anonymous Diffie-Hellman suites, which do not provide authentication); NULL (cipher suites that provide no encryption); aNULL (export cipher suites are not secure when negotiated in a connection, but can also be used against servers that prefer stronger suites (FREAK attacks)); RC4 (is insecure); MD5 (suites with weak ciphers (usually 40 and 56 bits) use encryption that can be easily broken); 3DES (slow and weak).
◆PCI DSS compliance:
The full name is Payment Card Industry Data Security Standard. It is formulated by the PCI Security Standards Committee and strives to have consistent data security measures adopted internationally.
Disable early SSL*/TLS 1.0 by June 30, 2018 at the latest, and implement a more secure encryption protocol (TLS v1.1 or higher; TLS v1.2 is strongly recommended) to meet the requirements of the PCI data security standards and protect payment data.
◆Configuration method reference (pay attention to your certificate algorithm selection):
◆Forward secrecy configuration using standard TLS suite names, for RSA and ECDSA keys, as a starting point:
(This is a general list. Not all systems, especially older ones, support all suites; it is recommended to test TLS configurations in a staging environment.)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
◆Forward secrecy in an OpenSSL environment: the example configuration above uses standard TLS suite names. Some platforms use nonstandard names; see your operating system platform documentation for details. For example, the following suite names are used with OpenSSL:
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA256
5.2.3. Cipher suite configuration case
For example, on my Windows Server 2012 R2 server, the configured cipher suites are:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256_P384,TLS_RSA_WITH_AES_128_GCM_SHA256
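The checks discussed in 5.2.1 and 5.2.2 (forward secrecy, AEAD, obsolete primitives, and whether a suite matches the certificate algorithm) applied to the list above, as an added example that is not the author's code. The function name `Test-CipherSuite` is hypothetical, and `$certKeyType = 'RSA'` is an assumption about the certificate that was applied for.

```powershell
# Added example, not the author's code. Suites from section 5.2.3, one per line here;
# the cipher suite order policy takes the same names joined by commas.
$configured = @(
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256_P256'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256_P384'
    'TLS_RSA_WITH_AES_128_GCM_SHA256'
)
$certKeyType = 'RSA'   # assumption: algorithm chosen when applying for the certificate

function Test-CipherSuite {
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('RSA', 'ECDSA')][string]$CertKeyType = 'RSA'
    )
    # TLS 1.2 and earlier: TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>[_P256|_P384|_P521]
    # (the trailing curve is a Schannel naming extension on older Windows versions).
    if ($Name -notmatch '^TLS_(?<kx>.+?)_WITH_(?<bulk>.+?)(?:_(?<curve>P\d{3}))?$') {
        return [pscustomobject]@{ Suite = $Name; ForwardSecrecy = $null; AEAD = $null
                                  MatchesCert = $null; Obsolete = $null }
    }
    # Copy the captures first: every later -match overwrites $Matches.
    $kxRaw   = $Matches['kx']
    $bulk    = $Matches['bulk']
    $kxParts = $kxRaw -split '_'
    $kx      = $kxParts[0]
    # TLS_RSA_WITH_* has no separate field: RSA does key exchange and authentication.
    $auth    = if ($kxParts.Count -gt 1) { $kxParts[1] } else { $kx }

    [pscustomobject]@{
        Suite          = $Name
        ForwardSecrecy = $kx -in 'ECDHE', 'DHE'                      # ephemeral key exchange only
        AEAD           = $bulk -match 'GCM|CCM|CHACHA20_POLY1305'    # authenticated encryption
        MatchesCert    = $auth -eq $CertKeyType                      # RSA cert cannot serve ECDSA suites
        Obsolete       = "${kxRaw}_$bulk" -match 'NULL|anon|EXPORT|RC4|MD5|3DES'
    }
}

$report = foreach ($suite in $configured) { Test-CipherSuite -Name $suite -CertKeyType $certKeyType }
$report | Format-Table Suite, ForwardSecrecy, AEAD, MatchesCert, Obsolete -AutoSize

# The list is a priority order, so report the first entry that is forward-secret,
# AEAD and usable with this certificate, plus every entry the certificate cannot serve.
$best = $report | Where-Object { $_.ForwardSecrecy -and $_.AEAD -and $_.MatchesCert } | Select-Object -First 1
if ($best) { "First forward-secret AEAD suite: $($best.Suite)" }
else       { 'No suite in the list is both forward-secret and AEAD for this certificate.' }
$report | Where-Object { -not $_.MatchesCert } |
    ForEach-Object { "Unusable with a $certKeyType certificate: $($_.Suite)" }
```

In the list above every ECDHE entry uses CBC and the only GCM entry uses RSA key exchange, so no single entry combines forward secrecy with AEAD.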
5.3. The final configuration effect – taking into account complete security compliance and taking into account compatibility