Notes on HTTPS acceleration configuration

Last updated: 2020-03-19 17:57:03


If you want to configure an existing certificate for your domain name, read the following first. If you configure a certificate hosted in Tencent Cloud SSL Certificates Service, you can skip this step.

Upload certificate

The certificates provided by CA institutions generally include the following, among which CDN uses Nginx:

Enter the Nginx folder, open the ".crt" (certificate) file and the ".key" (private key) file using a text editor, and you can see the certificate and private key contents in PEM format.

Certificate

The certificate extension is generally ".pem", ".crt" or ".cer". Open the certificate file in a text editor and you can see the certificate contents in the following format.
Certificate PEM format: begins with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----". The content in between is 64 characters per line, and the last line can be shorter than 64 characters.
If the certificate is issued by an intermediate CA, the certificate file you receive contains multiple certificates, and you need to manually concatenate the server certificate and the intermediate certificate before uploading. The concatenation rule is: the server certificate comes first, the intermediate certificate second, with no blank line between them. The CA generally provides a description of this rule when issuing the certificate; please refer to it.

  • There can be no blank lines between certificates
  • Each certificate is in PEM format

The format of the certificate chain issued by the intermediate institution is as follows:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Private Key

The private key extension is generally ".pem" or ".key". Open the private key file in a text editor and you can see the contents of the private key in the following format.
Private key PEM format: begins with "-----BEGIN RSA PRIVATE KEY-----" and ends with "-----END RSA PRIVATE KEY-----". The content in between is 64 characters per line, and the last line can be shorter than 64 characters.
If your private key starts with "-----BEGIN PRIVATE KEY-----" and ends with "-----END PRIVATE KEY-----", it is recommended that you convert it with the openssl tool, as follows:

openssl rsa -in old_server_key.pem -out new_server_key.pem
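
The format rules above for the certificate chain and the private key can be checked before upload. The following is an added example, not Tencent Cloud's code: lint_pem and sample_block are names chosen here, the sample blocks are constructed from arbitrary bytes, and only the text format is checked, not chain order or signatures.

```python
import base64
import re
BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")

def lint_pem(text, expected):
    """Return (block_count, problems) for PEM text checked against the rules above."""
    problems, count, label, body = [], 0, None, []
    for n, line in enumerate(text.strip().splitlines(), 1):
        if label is None:
            m = BEGIN.match(line)
            if m is None:
                problems.append(f"line {n}: {'stray text' if line.strip() else 'blank line'} outside a PEM block")
                continue
            label, body = m.group(1), []
            if label == "PRIVATE KEY" and expected == "RSA PRIVATE KEY":
                problems.append(f"line {n}: PKCS#8 key, convert with 'openssl rsa'")
            elif label != expected:
                problems.append(f"line {n}: expected {expected}, got {label}")
        elif line == f"-----END {label}-----":
            # Body lines are 64 characters each; only the last may be shorter.
            if not body or any(len(b) != 64 for b in body[:-1]) or not 0 < len(body[-1]) <= 64:
                problems.append(f"block ending at line {n}: bad line lengths")
            else:
                try:
                    base64.b64decode("".join(body), validate=True)
                except ValueError:
                    problems.append(f"block ending at line {n}: invalid base64")
            count, label = count + 1, None
        else:
            body.append(line)
    if label is not None:
        problems.append(f"unterminated {label} block")
    return count, problems

def sample_block(label, payload):
    """Constructed sample: PEM armor around arbitrary bytes, not a real certificate or key."""
    b64 = base64.b64encode(payload).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----"])

SERVER = sample_block("CERTIFICATE", bytes(range(200)))
INTERMEDIATE = sample_block("CERTIFICATE", bytes(range(50, 250)))
GOOD_CHAIN = SERVER + "\n" + INTERMEDIATE + "\n"
BAD_CHAIN = SERVER + "\n\n" + INTERMEDIATE + "\n"  # blank line between certificates
PKCS8_KEY = sample_block("PRIVATE KEY", bytes(range(120)))

if __name__ == "__main__":
    for text, want in [(GOOD_CHAIN, "CERTIFICATE"), (BAD_CHAIN, "CERTIFICATE"), (PKCS8_KEY, "RSA PRIVATE KEY")]:
        print(lint_pem(text, want))
```
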

Format conversion

Currently, CDN only supports certificates in PEM format. Certificates in other formats need to be converted to PEM format, and it is recommended to convert them with the openssl tool. The following are several common conversions to PEM format.

Convert DER to PEM

The DER format generally appears on the Java platform.
Certificate conversion:

openssl x509 -inform der -in certificate.cer -out certificate.pem

Private key conversion:

openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem

Convert P7B to PEM

The P7B format generally appears on Windows Server and Tomcat.
Certificate conversion:

openssl pkcs7 -print_certs -in incertificat.p7b -out outcertificate.cer

Open outcertificate.cer with a text editor to view the certificate contents in PEM format.
Private key conversion: the private key can generally be exported from the IIS server.

Convert PFX to PEM

The PFX format generally appears in Windows Server.
Certificate conversion:

openssl pkcs12 -in certname.pfx -nokeys -out cert.pem

Private key conversion:

openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes

Certificate chain completion

When configuring your own certificate, you may find that the certificate chain cannot be completed.
You can complete the certificate chain by pasting the contents of the CA certificate (in PEM format) at the end of the domain name certificate (in PEM format). You can also submit a ticket to contact us.

Hosted certificate

Tencent Cloud provides a certificate hosting product, SSL Certificates Service. Existing certificates can be uploaded to the SSL Certificates Service management platform for unified hosting and deployed to other Tencent Cloud services, and certificates can also be purchased and applied for there.

Tencent Cloud SSL Certificates Service provides each user with 20 free DV SSL certificates issued by TrustAsia.