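Domain names
Domain names are easy to understand: put plainly, a domain name is a stand-in for an IP address. What is the benefit of using one? First, it can hide the real IP address. Second, access can be configured to point at the domain name while load balancing is done underneath. Domain names have nothing at all to do with https.
https / certificates
https means http + ssl. Traditional http transmits information in plaintext, so anyone can intercept and tamper with it. ssl is an encryption protocol that can be used not only by http but also by other application-layer protocols such as ftp and smtp [1]. Transmission in https combines asymmetric and symmetric encryption. https changes the communication path: what used to be http -> tcp becomes http -> SSL -> tcp.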
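Symmetric encryption
The key used to encrypt and the key used to decrypt are the same. For example, to send 3, encrypt it with 2 to get 5; the server then uses 2 to decrypt it back to 3. The two keys are identical. The encryption algorithms run fast, but the problem of transmitting the key safely across the network is not solved.
Asymmetric encryption (RSA is the best known)
Asymmetric encryption means the key used to encrypt and the key used to decrypt are different, but it needs more computation time.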
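Certificates
Even with these encryption algorithms, how do you make sure the website you are visiting really is that website? Rely on the domain name? That does not work, because there is DNS hijacking and a whole pile of other techniques. What you need to rely on is the certificate.
How an https connection is established
Using SSL For Free to request a certificate and import it into IIS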
First create the cert; I created it at https://www.sslforfree.com/. You need to verify you own the server; I chose manual. You do this by uploading some files to the server. The trick is that if it’s Windows you need to add a “.” with text/plain as the MIME type so the server will serve it.
Once you have the cert it gives you three files: two crt and a private key. These are no good in Windows; Windows doesn’t understand separate private keys, so you need to combine them (as far as I can tell).
To do this I used OpenSSL for Windows (download).
Once installed, open the exe C:\Program Files (x86)\GnuWin32\bin\openssl.exe
Then run the following command:
openssl pkcs12 -export -out C:\temp\sslforfree\cert.pfx -inkey C:\temp\sslforfree\private.key -in C:\temp\sslforfree\certificate.crt -certfile C:\temp\sslforfree\ca_bundle.crt
It will ask you to enter a password; I had to type this, I could not paste.
Once you have done that, you have a pfx you can use in Windows.
Then on the server in IIS just import the file (see screenshot)
Then set the certificate in the bindings.
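A pre-flight check for the export step above, as an added example that is not part of the original write-up: it confirms the private key matches the certificate before building the PFX, reads the password from an environment variable, and checks which certificate ended up in the bundle. The function names, the `PFX_PASS` variable name and the throwaway self-signed material are assumptions made for the demonstration.

```shell
# Added example. File names mirror the command above; demo material is constructed.

pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Succeeds only if the private key and the certificate carry the same public key.
key_matches_cert() {    # usage: key_matches_cert private.key certificate.crt
    kpub=$(pubkey_of_key "$1") || return 2
    cpub=$(pubkey_of_cert "$2") || return 2
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Same export as above, refused when the pair does not match. The password is
# read from $PFX_PASS so it stays off the command line and out of shell history.
make_pfx() {            # usage: make_pfx private.key certificate.crt ca_bundle.crt cert.pfx
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    openssl pkcs12 -export -out "$4" -inkey "$1" -in "$2" -certfile "$3" \
        -passout env:PFX_PASS
}

cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Fingerprint of the leaf certificate actually stored in the PFX.
pfx_fingerprint() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Constructed throwaway key pair and self-signed certificate for a dry run;
# the certificate doubles as the "ca_bundle" because there is no real CA here.
make_demo_material() {  # prints the directory holding the files
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo.invalid' \
        -keyout "$dir/private.key" -out "$dir/certificate.crt" 2>/dev/null || return 1
    openssl genrsa -out "$dir/unrelated.key" 2048 2>/dev/null || return 1
    echo "$dir"
}

export PFX_PASS='constructed-demo-passphrase'   # demo value only
d=$(make_demo_material) &&
make_pfx "$d/private.key" "$d/certificate.crt" "$d/certificate.crt" "$d/cert.pfx" &&
[ "$(cert_fingerprint "$d/certificate.crt")" = "$(pfx_fingerprint "$d/cert.pfx")" ] &&
echo "PFX holds the expected certificate"
```

With real files, call `make_pfx` with the downloaded private.key, certificate.crt and ca_bundle.crt after setting `PFX_PASS`, then delete the loose private key once the PFX is imported.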
Enabling https in IIS
References
1: http://www.techug.com/post/https-ssl-tls.html
2: https://blog.csdn.net/wangjun5159/article/details/51510594