1. Introduction

A site served without HTTPS no longer looks professional, and an interface that uses JWT authentication in particular must be served over HTTPS to put a layer of protection around it. Today we'll talk about the key to configuring HTTPS: the SSL certificate, also called a CA certificate.

2. What is an SSL certificate?

A Secure Sockets Layer (SSL) certificate lets the browser and the web server establish an SSL channel that encrypts the data in transit, so that it cannot be read or altered along the way. It has become one of the mainstream standards for secure Internet transmission. Since SSL support is built into all major browsers and web servers, all we need to do is install a trusted certificate.

3. Why do I need to obtain a certificate from a CA?

A self-signed certificate is not registered with any well-known certificate authority, so nothing vouches for its authenticity: if you land on a phishing site whose certificate was issued by the site itself, what has that certificate proved? A self-signed certificate does still encrypt the data in transit, but mainstream browsers will not trust it, so use a certificate issued by an authoritative CA.

4. Why are certificates so expensive?

CA-issued certificates used to be paid for, and the prices were steep: the entry level cost one or two thousand, higher tiers tens of thousands, charged every year. Signing a certificate itself costs next to nothing, since it is just running a program, so why is such a virtual product so expensive?

According to Brother Pang, a CA must pass a WebTrust audit every year, pay the browser vendors, and pay large premiums to insurance companies. In addition, the issuing process for the higher-tier certificates is very rigorous and involves a lot of manual review. It takes a new CA several years to become universally trusted and get its root certificate into the browsers' root stores, so to get started it has to pay an established CA for an intermediate certificate signed by that CA, which speeds up the process.

5. Free certificates are also available

The high prices put off many small and medium-sized websites, and an organization called Let's Encrypt stepped into the gap. It is a free, open, automated certificate authority (CA) whose aim is to let anyone who owns a domain name obtain a trusted certificate for free. Wildcard certificates are already supported, but each certificate is valid for only 90 days.

Let's Encrypt did for certificates what Gmail did for e-mail: made them free and accessible to everyone. Today most entry-level CA certificates are free, and you can apply for them through the major cloud vendors in China. Without Let's Encrypt I'm afraid we would still be paying the CAs through the nose.
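Because a Let's Encrypt certificate lives only 90 days, the operational question is when to renew it. The following added example (my own code, not from the original post or from Let's Encrypt) reads the `notAfter` field in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns and decides whether the certificate is still fine, inside the renewal window, or already expired. The certificate values are constructed, and the 30-day window is an assumption that mirrors the usual renewal practice.

```python
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the names and dates are hypothetical, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "felord.cn"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",   # exactly 90 days later
    "subjectAltName": (("DNS", "felord.cn"), ("DNS", "www.felord.cn")),
}

# Renew once fewer than this many days remain (assumed window; leaves
# a third of the 90-day lifetime to retry a failed renewal).
RENEW_WINDOW_DAYS = 30


def cert_time(value):
    """Parse a notBefore/notAfter string ('%b %d %H:%M:%S %Y GMT') to epoch seconds."""
    return ssl.cert_time_to_seconds(value)


def issuer_org(cert):
    """Organization name of the issuer, read from the nested RDN tuples."""
    for rdn in cert["issuer"]:
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def days_remaining(cert, now=None):
    """Days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return (cert_time(cert["notAfter"]) - now) / 86400


def renewal_status(cert, now=None):
    """'expired', 'renew' (inside the renewal window) or 'ok'."""
    days = days_remaining(cert, now)
    if days < 0:
        return "expired"
    if days < RENEW_WINDOW_DAYS:
        return "renew"
    return "ok"


if __name__ == "__main__":
    lifetime = days_remaining(SAMPLE_CERT, now=cert_time(SAMPLE_CERT["notBefore"]))
    print(f"issuer: {issuer_org(SAMPLE_CERT)}, lifetime: {lifetime:.0f} days")
    for when in ("Jan 15 00:00:00 2024 GMT",
                 "Mar 05 00:00:00 2024 GMT",
                 "Apr 01 00:00:00 2024 GMT"):
        print(when, "->", renewal_status(SAMPLE_CERT, now=cert_time(when)))
```

In a real deployment the same check runs against the certificate fetched from the live server, and "renew" triggers the ACME client rather than a print; the point of the fixed `now` parameter is that the decision is testable without waiting for the calendar.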

6. Type of the CA certificate

CA certificates can be classified by how the applicant is validated and by how many domain names they cover.

By validation method

  • DV (domain validation) SSL certificate: mostly free, only requires proving ownership of the domain name, suitable for small static websites and blogs. Issued within a few minutes.
  • OV (organization validation) SSL certificate: requires verifying both domain ownership and the enterprise's identity information, proving that the applicant is a real, legal entity. Generally issued in 1 to 5 working days.
  • EV (extended validation) SSL certificate: besides domain ownership and enterprise identity, requires submitting extended validation material such as a Dun & Bradstreet record; the CA usually calls back to confirm, and issuance generally takes 2 to 7 working days. Prices are generally about 1000 to 10000 yuan; suitable for online trading sites and corporate websites.

By domain name coverage

  • Single-domain certificate: for example, one issued to **www.felord.cn** can be used only for that exact domain name, not for its subdomains such as assets.felord.cn.
  • Wildcard certificate: protects one domain name and all of its next-level subdomains, with no limit on how many subdomains there are.
  • Multi-domain certificate: this kind covers the most; it protects several domain names at the same time with no restriction on what kind of domain names they are. If you are curious, look at the certificate taobao uses.
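The three coverage types above differ only in which names appear in the certificate's Subject Alternative Name (SAN) list and how the browser matches the requested hostname against them. The following added example (my own code, not from the original post) implements that matching rule for constructed SAN lists: a wildcard is honoured only as the entire leftmost label and covers exactly one level of subdomain, which is why `*.felord.cn` covers `assets.felord.cn` but not `a.b.felord.cn`, and not the bare `felord.cn` unless that name is listed separately. The SAN lists are hypothetical, and the wildcard list is assumed to include the bare domain as well, which is how such certificates are normally requested.

```python
# Constructed SAN lists for the three kinds of certificate (hypothetical,
# not real certificates). The wildcard certificate is assumed to list the
# bare domain as well as the wildcard entry.
SINGLE_DOMAIN = ["www.felord.cn"]
WILDCARD = ["felord.cn", "*.felord.cn"]
MULTI_DOMAIN = ["felord.cn", "www.felord.cn", "example.org"]


def hostname_matches(pattern, hostname):
    """Return True if the certificate name `pattern` covers `hostname`.

    Follows the browser rules: comparison is case-insensitive, a wildcard is
    honoured only as the entire leftmost label, and it matches exactly one
    label, so *.felord.cn covers assets.felord.cn but not felord.cn itself
    or a.b.felord.cn. A wildcard directly under a TLD (*.cn) is refused.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False                # wildcard never spans several labels
    if "*" in p_labels[0]:
        if p_labels[0] != "*" or len(p_labels) < 3:
            return False            # partial wildcard (f*.cn) or *.tld
        return p_labels[1:] == h_labels[1:]
    if any("*" in label for label in p_labels):
        return False                # wildcard outside the leftmost label
    return p_labels == h_labels


def cert_covers(san_names, hostname):
    """True if any name in the certificate's SAN list covers the hostname."""
    return any(hostname_matches(name, hostname) for name in san_names)


if __name__ == "__main__":
    kinds = (("single", SINGLE_DOMAIN), ("wildcard", WILDCARD), ("multi", MULTI_DOMAIN))
    hosts = ("felord.cn", "www.felord.cn", "assets.felord.cn",
             "a.b.felord.cn", "example.org")
    for label, sans in kinds:
        for host in hosts:
            print(f"{label:8} {host:18} {cert_covers(sans, host)}")
```

The practical consequence is that a wildcard certificate does not cover second-level subdomains such as `a.b.felord.cn`, and a single-domain certificate for `www.felord.cn` does not cover the bare `felord.cn`; both are common causes of a browser name-mismatch warning after an otherwise correct deployment.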

7. To summarize

With today's introduction to SSL certificates you now know how to apply for the certificate that suits you, so add one to your site. One more recommendation: do not configure the certificate inside a container such as Tomcat, which is inconvenient during development and does not help hide the real server; instead put Nginx in front as a proxy and configure the certificate in Nginx. That's all for today's explainer. Follow Coder Brother Pang for more practical knowledge.

Follow our official account: Felordcn for more information

Personal blog: https://felord.cn