SSL/TLS Brown Bag (Ⅲ)

This article will introduce some special processes.Client AuthenticationGenerally client will validate server's certificates(chain). A non-anonymous server can optionally request a certificate from the client. This is mutual authentication.🤔I use Op »

man man 分类:SSL,Security 标签:none

SSL/TLS Brown Bag (Ⅱ)

Currently most of SSL handshakes would use ECDHE as key exchange algorithm. It supported PFS and also is more secure than RSA key exchange algorithm. I will show the handshake process with ECDHE-RSA-AES256-GCM-SHA384 and the version is TLS1.2. Becau »

man man 分类:SSL,Security 标签:none

SSL/TLS Brown Bag (Ⅰ)

TLS is different from SSL on technical part but the two terms are largely used interchangeable in the production. Secure Socket Layer(SSL) came first and was developed by Netscape. IETF standardized SSL and then Transport Layer Security(TLS) came al »

man man 分类:SSL,Security 标签:none


之前用letsencrypt为这个网站生成的证书快到期了,我是给泛域名生成的证书,所以在续签证书的时候需要DNS验证,但是续签是个自动的过程,你不知道需要把TXT记录改成什么。所以自动续签命令一直失败。看了一些教程,需要在续签的时候用有一个脚本来修改DNS记录,所以需要调用域名注册商的一些API。正好godaddy有API,下面分享一下步骤。先决条件一个在Godaddy注册的域名证书是letsencrypt生成的具体操作进入这个页面,为自己的Godaddy账号生成一对API Key,生成pro »

man man 分类:Blog 标签:none


在用户目录下创建一个certs目录并进入,后续证书生成以这个目录为主目录。mkdir certs cd certs mkdir CA mkdir -p CA/{certs,crl,newcerts,private} touch CA/index.txt echo 01 > CA/serial echo 02 > CA/serial rm -rf keys mkdir keys OpenSSL的默认把证书生成在/etc/pki/CA,并且在签名其他证书的时候有一些策略,例如Count »

man man 分类:SSL,Security 标签:none