The latest SSL certificate application and installation configuration 2024 version

Table of Contents

1. Apply for Tencent Cloud SSL certificate

2. Verification of the domain name to which the SSL certificate belongs

2.1. Ensure that your web service can normally access the “domain name” and its subdomain “www.domain name”

2.2. Can be accessed at home or abroad

2.3. .txt file access verification

2.4. Verify domain name

3. Download the issued ssl certificate

4. Install the certificate

4.1. Unzip the downloaded certificate to the custom path where the execution file of the web service is located.

4.2. If you need to configure the certificate in code or configure a web service DLL hosting similar to IIS

4.3. Install the certificate at the operating system level

5. Configure certificate

5.1. Configure the operating system CSP to control the ssl/tls protocol version of the SCHANNEL secure channel of the security provider.

5.2. Configure the cipher suite corresponding to the certificate protocol version

5.2.1. Configure cipher suites and their order

5.2.2. Cipher suites responding to “security compliance” and their configuration sequence

5.2.3. Cipher suite configuration case

5.3. Final configuration effect – taking into account complete security compliance and compatibility


The annual Double 11 is coming around again, which is when cloud servers, certificates and so on need to be purchased or renewed as they expire. So here is another run-through of the SSL certificate procedure, so as not to forget it.

1. Apply for Tencent Cloud SSL Certificate

https://console.cloud.tencent.com/ssl

2. Verification of the domain name to which the SSL certificate belongs

Remark:

The difference between RSA encryption algorithm and ECC encryption algorithm

Certificate, key, encryption, what exactly is rsa?

2.1. Ensure that your web service can normally access the “domain name” and its subdomain “www.domain name”

You need to verify the domain name and its www. subdomain at the same time. For example, if your domain name is xxx.com:

Domain name verification:

xxx.com

www.xxx.com

2.2. Can be accessed at home or abroad

Either enable overseas access on the cloud server, or:

Configure the cross-domain whitelist directly in your web service, and it will take effect:

Currently, the IP addresses of the cross-domain servers used by the CA organization “AsiaInfo” for domain name verification are:

91.199.212.132,
91.199.212.133,
91.199.212.148,
91.199.212.151,
91.199.212.176,
54.189.196.217,

2.3. .txt file access verification

Click “Submit application for domain name verification” and download the file shown below:

Copy the file to the “root” path of your web service corresponding to the file path shown above:

cd wwwroot
mkdir .well-known
cd .well-known
mkdir pki-validation
cd pki-validation

That is:
wwwroot/.well-known/pki-validation

2.4. Verify domain name

Once the test has passed, click “Click here to verify the ‘domain name’” or “Click here to verify the ‘subdomain name’”:

Click “Domain Name Verification” and pass:

3. Download the issued SSL certificate

Download all the certificate file types so that the right ones can be used later for the specific operating system environment; the root certificate is required.

4. Install certificate

The following takes the MSWindows platform as an example:

4.1. Unzip the downloaded certificate to a custom path where the executable file of the web service is located

Among them, the “root certificate” is required, as shown in the picture above “domain name_root.crt”;

Secondly, the “CA certificate chain” is necessary, as shown in the picture above “domain name_root.pfx”;

Finally, “your certificate” is necessary, as shown above:

the certificate file, in the format “domain name_bundle.crt” or “domain name_bundle.pem”;

“domain name_bundle.key”, the key file of your certificate.

4.2. If it is necessary to configure the certificate in code or configure a web service DLL hosting similar to IIS

Make sure that your web service or websocket service or tcp service code can access the files related to the above certificates; you may need to consider UAC privilege escalation and ACL access control list permissions, depending on the specific situation.

Optional instructions: Make sure that your DLL in the module under your IIS service has ACL access control list permissions on the files and folders related to the above certificates.

4.3. Install the certificate at the operating system level

The certificate corresponds to your domain name or IP (whether a certificate supports IPs is stated by its specific certificate category), and the IP is ultimately bound to the network card of a specific server device. These work normally only with the support of the operating system. Therefore, the certificate must be deployed “on the operating system”, which is the prerequisite for understanding and using certificates correctly.

Of course, some self-developed web services use code to provide the access verification service needed when applying for the “certificate issued by the CA authority”, and that is also possible. But in the end, the web service itself also depends on the operating system it runs on; therefore, it is best to deploy your certificate at the operating system level.

Run cmd: mmc

Use the “certificate” node to load:

First delete the expired certificate. Row 3 is your own certificate, “cpuofbs.com”.

The first row is the Root certificate of the AAA organization, and the last row is the certificate of your certificate authority (the CA organization).

The above three types of certificates constitute the “certificate chain” for your certificate application. They must be “deployed” simultaneously and correctly. Use the certificate file you downloaded and decompressed in “4.1.” to overwrite the installation; or delete it first and then reinstall it.

5. Configure certificate

The following takes the MSWindows platform as an example:

5.1. Configure the operating system CSP to control the SSL/TLS protocol version of the SCHANNEL secure channel of the security provider

Registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

CSP – Control Security Providers

SCHANNEL – Security CHANNEL (secure channel), which essentially corresponds to interaction with the operating system file schannel.dll

Under the Protocols subkey, create or edit the protocol versions for which you will configure certificate cipher suites later:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Among them, the recommended configurations are TLS 1.1 and TLS 1.2. The versions below TLS 1.1 are not recommended because they are outdated and have too many vulnerabilities that cannot be remedied (for example, SSL 2.0). Both TLS v1.1 and v1.2 have no known security issues, and only v1.2 provides modern encryption algorithms. TLS v1.2 should be your primary protocol, as it is the only version that offers modern authenticated encryption (also known as AEAD). If you don’t support TLS v1.2 today, you lack security.
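
The protocol settings described above, written as a PowerShell script (an added example, not the author's own). It assumes the Server/Client subkeys and the Enabled and DisabledByDefault DWORD values that Microsoft documents for Schannel; the helper name Get-SchannelProtocolState is hypothetical.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    # 'Server' governs inbound listeners (IIS, RDP); add 'Client' for outbound connections.
    [ValidateSet('Server', 'Client')]
    [string[]]$Role = @('Server')
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state from section 5.1: TLS 1.1 and TLS 1.2 on, everything older off.
$desired = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)
    $props = Get-ItemProperty -Path (Join-Path $base "$Protocol\$Side") -ErrorAction SilentlyContinue
    # A missing key or value means the operating system default applies.
    $enabled  = if ($null -ne $props -and $null -ne $props.Enabled) { $props.Enabled } else { 'OS default' }
    $disabled = if ($null -ne $props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'OS default' }
    [pscustomobject]@{ Protocol = $Protocol; Role = $Side; Enabled = $enabled; DisabledByDefault = $disabled }
}

foreach ($protocol in $desired.Keys) {
    foreach ($side in $Role) {
        $key = Join-Path $base "$protocol\$side"
        $on  = [int]$desired[$protocol]
        if ($PSCmdlet.ShouldProcess($key, "set Enabled=$on, DisabledByDefault=$(1 - $on)")) {
            # Create the key only when absent: New-Item -Force on an existing key can discard its values.
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name Enabled -Value $on -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -Value (1 - $on) -PropertyType DWord -Force | Out-Null
        }
        # Report what is in the registry now (unchanged when run with -WhatIf).
        Get-SchannelProtocolState -Protocol $protocol -Side $side
    }
}
```

Save it as a .ps1 file and run it with -WhatIf first to preview the changes; Schannel reads these values at startup, so a reboot is needed before they take effect.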

To view visitor logs:

Enable Schannel event logging in Windows and Windows Server:

https://learn.microsoft.com/zh-CN/troubleshoot/developer/webapps/iis/health-diagnostic-performance/enable-schannel-event-logging

5.2. Configure the cipher suite corresponding to the certificate protocol version

This step is the most critical. If the configuration is wrong, even the most basic RDP client (a TCP service), such as Microsoft’s “Remote Desktop Connection”, will fail when connecting: encryption and decryption errors cause the handshake to fail.

Run cmd: gpedit.msc

Open “Local Computer Policy-Computer Configuration-Administrative Templates-Network-SSL Configuration Settings” and configure:

5.2.1. Configure cipher suites and their order

Concept:

A cipher suite is a set of encryption algorithms used for secure connections in Transport Layer Security (TLS). A TLS cipher suite consists of three components: authentication, encryption and message authentication code (MAC), which provide security and reliability and protect the data in transit from third-party theft. During the TLS handshake, the client and server negotiate a cipher suite (they determine which one to use based on the lists of cipher suites each supports) so that communication between them can be encrypted with that cipher suite.

◆Different operating system versions have different support for TLS versions and cipher suites.

For example: windows server 2012 R2, the configuration is as follows:

Under Windows Server 2012 R2, the cipher suites supporting TLS 1.2 and TLS 1.1 and their order are:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256_P384,TLS_RSA_WITH_AES_128_GCM_SHA256

Windows Server 2012 R2 itself does not support TLS 1.3. Even if you configure the “TLS 1.3” secure channel, and even if your web service supports TLS 1.3 for encrypting and decrypting transmissions, it will be “invalid”, and the configuration can even cause user access to “fail”, because the protocols are tried in priority order.

Concept:

Priority order

Depending on the “secure channel” you configured in “5.1.”, the order is TLS first, then SSL, and higher versions before lower versions. The browser client will use the highest version it supports, TLS 1.3, to shake hands with your server. If the TLS 1.3 protocol is configured and allowed in the server's SCHANNEL “secure channel”, the server will then check the “cipher suites and their order” that you configured and reply to the client accordingly: “I support the TLS 1.3 protocol here, and we will use the cipher suite you expect to use for encryption and decryption in both directions.” Otherwise:

Either the TLS 1.3 protocol is enabled in the SCHANNEL secure channel but no corresponding cipher suite can be found in the configuration, and access fails; or a cipher suite that supports TLS 1.3 is present but configured incorrectly, and access fails.

Certificate algorithm selection

RSA or ECC: the “algorithm selection” you make when applying for the certificate determines which algorithm is used for encryption and decryption in later communications. Different algorithms mean different cipher suites, and the cipher suites for different algorithms use different encryption algorithms. If you have an RSA certificate but configure cipher suites that prioritize ECC, access will fail.

5.2.2. Cipher suites responding to “security compliance” and their configuration sequence

Concept:

Security Compliance

◆Apple ATS compliance:

Note

A cipher suite configuration that complies with the PFS specification is required. The currently recommended configuration is: ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4

TLS1.2 needs to be enabled in the server TLS protocol. Currently recommended configuration: TLSv1 TLSv1.1 TLSv1.2

First of all, it must comply with the rfc6962 specification:

Apple ATS (Accessory Test System) is a testing system launched by Apple for testing MFi-certified accessories. It was developed independently by Apple and is used to test accessories that are compatible with Apple devices, such as headphones, chargers and data cables. The ATS system uses a series of test procedures and test equipment to ensure that the quality and compatibility of accessories meet Apple’s standards and specifications. By testing with the ATS system, manufacturers can ensure that their products meet Apple’s requirements and obtain MFi/CarPlay certification. The ATS system can perform a variety of tests, including connectivity, power consumption, compatibility and security testing. During testing, the ATS system automatically runs the test program, carries out the tests, and records and analyzes the test data so that the results can be evaluated. The ATS system helps manufacturers improve the quality and performance of their products and ensure compatibility with Apple devices. It is also Apple’s guarantee for third-party certified products such as MFi/CarPlay, ensuring that they comply with Apple’s standards and specifications and giving consumers high-quality accessories.

In addition to the functions introduced above, the ATS system has the following characteristics:

Diverse test items: the ATS system can perform a variety of tests, including connectivity, power consumption, compatibility and safety tests, to ensure that the quality and compatibility of accessories meet Apple’s standards and specifications.

Automated testing: the ATS system can automatically run test programs, carry out the tests, and record and analyze test data to evaluate the results. This automated approach improves the efficiency and accuracy of testing.

Scalability: the ATS system supports a variety of test fixtures and test modules to meet the testing needs of different types of accessories. It also supports customized test procedures to meet a manufacturer’s specific testing requirements.

Easy to use: the ATS system has a friendly user interface and operating process, which makes it easy for manufacturers to run tests and to analyze and evaluate test data.

PFS rules refer to the rules of the “Path Finding System”. In computer science, the PFS rule is an algorithmic rule used to solve path search problems, and it is widely used in artificial intelligence, network routing, graphics processing and other fields. In cryptography, forward secrecy (FS, sometimes also called “perfect forward secrecy”, PFS) is a protocol feature that enables secure conversations that do not rely on the server’s private key: the data can be accessed only with the key that protects it. The elements used to generate a key are changed each time and cannot be used to derive other keys, so if one key is cracked, the security of the other keys is not affected. With cipher suites that lack forward secrecy, someone who can recover the server’s private key can decrypt all previously recorded encrypted conversations (that is, ciphertext can be recorded in bulk and decrypted later; for example, if your certificate is not properly destroyed after it expires, its private key can be used to decrypt non-PFS ciphertext). To achieve forward secrecy with modern web browsers, you need to support the ECDHE suites. To support a wider range of clients, also use the DHE suites as a fallback for ECDHE. Avoid RSA key exchange unless absolutely necessary, otherwise it affects efficiency.

Obsolete cryptographic primitives must be avoided: ADH (anonymous Diffie-Hellman suites, which do not provide authentication); NULL (cipher suites that provide no encryption); aNULL (export cipher suites are insecure when negotiated in a connection, and can also be used against servers that prefer stronger suites, as in the FREAK attack); RC4 (insecure); MD5 (suites with weak ciphers, usually 40 and 56 bits, use encryption that can be easily broken); 3DES (slow and weak).

◆PCI DSS compliance:
The full name is Payment Card Industry Data Security Standard. It is formulated by the PCI Security Standards Committee and strives for consistent data security measures internationally.
Disable early SSL/TLS 1.0 by June 30, 2018 at the latest, and implement a more secure encryption protocol (TLS v1.1 or higher; TLS v1.2 is strongly recommended) to meet the requirements of the PCI data security standard and protect payment data.

Configuration method reference (pay attention to your certificate algorithm selection):

A forward-secrecy configuration for RSA and ECDSA keys, written with standard TLS suite names, as a starting point:

(This is a general list. Not all systems, especially older ones, support all suites; it is recommended to test TLS configurations in a staging environment.)

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Forward secrecy in an OpenSSL environment: the example configuration above uses standard TLS suite names. Some platforms use nonstandard names; see your operating system platform documentation for details. For example, the following suite names are used with OpenSSL:

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA256

5.2.3. Cipher suite configuration case

For example, on my Windows Server 2012 R2 server, the configured cipher suites are:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256_P384,TLS_RSA_WITH_AES_128_GCM_SHA256
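
The checks from 5.2.1 and 5.2.2 (certificate algorithm match, forward secrecy, obsolete primitives, priority order) applied to a Schannel cipher suite list, as an added PowerShell example that is not the author's own code. The function name Test-CipherSuiteOrder is hypothetical and the sample list is constructed; the registry path in the closing comment is where Windows stores the “SSL Cipher Suite Order” policy.

```powershell
function Test-CipherSuiteOrder {
    param(
        [Parameter(Mandatory)][string[]]$Suite,
        # Key algorithm chosen when the certificate was applied for.
        [Parameter(Mandatory)][ValidateSet('RSA', 'ECC')][string]$CertificateKey
    )
    $wantedAuth = if ($CertificateKey -eq 'RSA') { 'RSA' } else { 'ECDSA' }
    $fsSeen = $false
    $rank = 0
    $rows = @(foreach ($name in $Suite) {
        $rank++
        $findings = New-Object System.Collections.Generic.List[string]
        # TLS 1.2 and earlier: TLS_<key exchange>[_<auth>]_WITH_<cipher>_<hash>[_P<curve>]
        $left, $right = $name.Trim() -split '_WITH_', 2
        if (-not $right) {
            [pscustomobject]@{ Rank = $rank; Suite = $name; Usable = $false; ForwardSecrecy = $false
                Aead = $false; Findings = 'not a TLS 1.2-or-earlier suite name; skipped' }
            continue
        }
        $kx, $auth = ($left -replace '^TLS_', '') -split '_', 2
        if (-not $auth) { $auth = $kx }            # TLS_RSA_WITH_*: RSA does key exchange and authentication
        $cipher = $right -replace '_P\d{3}$', ''   # drop Schannel's curve suffix (_P256, _P384)
        $usable = $auth -eq $wantedAuth
        $fs     = $kx -in 'ECDHE', 'DHE'
        if (-not $usable) { $findings.Add("authentication $auth does not match the $CertificateKey certificate") }
        if (-not $fs)     { $findings.Add("no forward secrecy ($kx key exchange)") }
        if ($name -match 'NULL|RC4|MD5|3DES|EXPORT|anon') { $findings.Add("obsolete primitive $($Matches[0])") }
        # The list is a priority order, so a usable non-PFS suite placed first is preferred over PFS ones.
        if ($usable -and $fs) { $fsSeen = $true } elseif ($usable -and -not $fsSeen) {
            $findings.Add('ranked ahead of every usable forward-secret suite')
        }
        [pscustomobject]@{ Rank = $rank; Suite = $name; Usable = $usable; ForwardSecrecy = $fs
            Aead = ($cipher -match 'GCM|CCM|CHACHA20'); Findings = ($findings -join '; ') }
    })
    if (-not ($rows | Where-Object { $_.Usable })) {
        Write-Warning "No configured suite can be used with a $CertificateKey certificate, so handshakes will fail."
    }
    $rows
}

# Constructed sample order (not the article's list).
$sample = 'TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,' +
          'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_RSA_WITH_RC4_128_MD5'
Test-CipherSuiteOrder -Suite ($sample -split ',') -CertificateKey RSA | Format-List

# To audit a live server, pass the order stored by the gpedit.msc setting instead:
# $live = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002').Functions
# Test-CipherSuiteOrder -Suite ($live -split ',') -CertificateKey RSA
```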

5.3. The final configuration effect – taking into account complete security compliance and taking into account compatibility
