Notes on HTTPS acceleration configuration
Last updated: 2020-03-19 17:57:03
If you want to configure an existing certificate for your domain name, read the following first. If you configure a certificate managed in Tencent Cloud SSL Certificates Service, you can skip this step.
The certificates provided by CAs generally include the following, among which CDN uses Nginx:
Enter the Nginx folder, open the ".crt" (certificate) file and the ".key" (private key) file using a text editor, and you can see the certificate and private key contents in PEM format.
The certificate extension is generally ".pem", ".crt" or ".cer". Open the certificate file in a text editor and you can see the certificate contents in a format similar to the following figure.
Certificate PEM format: begins with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----". The body is 64 characters per line, and the last line can be shorter than 64 characters.
If the certificate is issued by an intermediate CA, the certificate file you get contains multiple certificates, and you need to manually concatenate the server certificate and the intermediate certificate before uploading. The concatenation rule is: the server certificate comes first, the intermediate certificate comes second, and there is no blank line between them. In general, the CA provides a corresponding description when issuing the certificate; please refer to that description.
- There can be no blank lines between certificates
- Each certificate is in PEM format
The format of the certificate chain issued by the intermediate institution is as follows:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
The private key extension is generally ".pem" or ".key". Open the private key file in a text editor and you can see the contents of the private key in a format similar to the following figure.
Private key PEM format: begins with "-----BEGIN RSA PRIVATE KEY-----" and ends with "-----END RSA PRIVATE KEY-----". The body is 64 characters per line, and the last line can be shorter than 64 characters.
If you get a private key that starts with "-----BEGIN PRIVATE KEY-----" and ends with "-----END PRIVATE KEY-----", it is recommended that you convert it with the openssl tool, as follows:
openssl rsa -in old_server_key.pem -out new_server_key.pem
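The layout rules above (BEGIN/END lines, 64-character body lines, no blank lines between certificates, and the "BEGIN PRIVATE KEY" case) can be checked before upload. The following Python lint is an added example, not Tencent Cloud's code; its function names and the sample block are constructed for illustration, and it checks layout only, not certificate order or signatures.

```python
import base64
import re

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")

def lint_pem(text):
    """Return (line_number, problem) pairs for the layout rules described on this page."""
    problems, label, body = [], None, []
    for n, line in enumerate(text.rstrip("\n").split("\n"), 1):
        begin, end = BEGIN.match(line), END.match(line)
        if line.strip() == "":
            problems.append((n, "blank line"))
        elif begin:
            if label:
                problems.append((n, "BEGIN before previous block ended"))
            label, body = begin.group(1), []
            if label == "PRIVATE KEY":
                problems.append((n, "PKCS#8 key; page recommends converting with openssl rsa"))
        elif end:
            if end.group(1) != label:
                problems.append((n, "END does not match BEGIN"))
            else:
                problems += check_body(body)
            label = None
        elif label:
            body.append((n, line))
        else:
            problems.append((n, "text outside a PEM block"))
    if label:
        problems.append((n, "missing END line"))
    return problems

def check_body(body):
    """64 characters per line (the last may be shorter) and a valid base64 body."""
    problems = [(n, "line is not 64 characters") for i, (n, line) in enumerate(body)
                if len(line) > 64 or (i < len(body) - 1 and len(line) < 64)]
    try:
        base64.b64decode("".join(line for _, line in body), validate=True)
    except ValueError:
        problems.append((body[0][0], "body is not valid base64"))
    return problems

def sample_block(label, raw=bytes(range(100))):
    """Constructed sample: PEM armor around dummy bytes, not a real certificate or key."""
    b64 = base64.b64encode(raw).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----"])
```

An empty result from lint_pem means the text follows the layout rules; each reported pair gives the line to fix in the file before uploading.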
Currently, CDN only supports certificates in PEM format. Certificates in other formats need to be converted to PEM format, preferably with the openssl tool. Here are several common conversions to PEM format.
Convert DER to PEM
The DER format generally appears on the Java platform.
openssl x509 -inform der -in certificate.cer -out certificate.pem
Private key conversion:
openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem
Convert P7B to PEM
The P7B format generally appears in Windows Server and tomcat.
openssl pkcs7 -print_certs -in incertificat.p7b -out outcertificate.cer
Open outcertificate.cer with a text editor to view the certificate contents in PEM format.
Private key conversion: the private key can generally be exported from the IIS server.
Convert PFX to PEM
The PFX format generally appears in Windows Server.
openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
Private key conversion:
openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
Certificate chain completion
When configuring your own certificate, you may encounter the situation "The certificate chain cannot be made up."
You can complete the certificate chain by pasting the contents of the CA certificate (in PEM format) at the end of the domain name certificate (in PEM format). You can also submit a ticket to contact us.
Tencent Cloud provides a certificate hosting product, SSL Certificates Service. Existing certificates can be uploaded to the SSL Certificates Service management platform for unified hosting and deployed to other Tencent Cloud services, and certificates can also be purchased and applied for.
Tencent Cloud SSL Certificates Service provides each user with 20 DV SSL certificates issued by TrustAsia free of charge.