TLS and SSL certificates: How to secure your website with an SSL/TLS certificate for free in a few minutes

What’s SSL or TLS?

Transport Layer Security (TLS) is a cryptographic protocol that provides authentication and data encryption between machines over a network. In simple terms, it is what is at work when your browser shows a lock symbol and the address says https rather than http. SSL (Secure Sockets Layer) was originally developed by Netscape. Version 1.0 was never released to the public. Version 2.0 went public in 1995 and was soon replaced by SSL 3.0 when vulnerabilities were found. TLS came onto the scene in 1999 as a replacement for SSL 3.0.

Why use TLS on my website?

This is not just so that traffic between your client and the server is encrypted; it also boosts your website’s ranking in Google Search.

Why is it sometimes called an SSL certificate and sometimes referred to as an SSL/TLS certificate?

The certificates are not dependent on protocols. While many vendors tend to use the wording “SSL/TLS Certificate”, it may be more appropriate to call them “certificates for use with SSL or TLS”, since the protocols are determined by your server configuration, not the certificates themselves. Some vendors simply call them SSL certificates because that’s the term people are more familiar with.

How can it be free?

The Internet Security Research Group (ISRG) was formed in 2013 with the mission “to reduce financial, technological, and educational barriers to secure communication over the Internet.” In an effort to increase the use of SSL/TLS on the web, ISRG created its first project, Let’s Encrypt. Normally, it would cost you some money per year to get a certificate authority (CA) to issue a certificate to you. Let’s Encrypt is free, and it renews automatically through software running on your web server.

Sounds great, free and automatically renewed before expiry, so what’s the catch?

The free certificates are just as secure as the paid-for ones. Let’s Encrypt is backed by many people from big organizations such as Cisco, ACLU, Facebook, Univ. of Michigan, OVH, RedHat, Internet Society and Mozilla.

These are the main points to watch out for regarding Let’s Encrypt certificates:

  1. They only support domain validation (DV). Organization Validation (OV) and Extended Validation (EV) are not supported. DV certificates are issued in a matter of minutes, without any particular checks. OV certificates are only issued after document checks, verifying the company trying to get them. These commercial certificates offer a higher level of customer trust and recognition. I will explain Extended Validation in another section below.

  2. They only last 90 days. Paid SSL Certificates are valid for up to five years. The renewal is automatically done through Let’s Encrypt software, but it is still a good idea to check manually that it has gone through properly.

  3. Commercial SSL Certificates include a warranty in case of security compromise, often in the order of $250,000 or even higher for EV certificate (go here for an example).

  4. Some e-commerce sites need to comply with PCI requirements. It is recommended to use OV or EV certificate for transactions (in that pdf, look at the section headed “4.1 Certificate Types (DV, OV, EV) and Associated Risks”).

The following were some reasons to go for a more expensive EV certificate, but I believe they are no longer important, though useful for reference:

  1. EV certificates were even better than OV, as they were not only verified before issuance like the OV type, but also came with the green bar where you could display your company’s name next to the URL. It could establish a higher level of trust from your users. This is no longer the case since Chrome 69, and it doesn’t even show the word “Secure”. The higher monetary warranty compensation that comes with an EV certificate is probably the only reason to get it.

  2. Paid SSL Certificates come with static or dynamic site seals which show the logo of the issuer on your website. A static one is just a picture, while a dynamic one actually links back to the issuer’s website, displaying the details of the certificate. I am not sure if it adds any value, considering even big companies like banks don’t use them.

  3. You might have read articles saying you need to go for a commercial certificate if you need to cover subdomains (also known as wildcard), or multiple websites under a single SSL installation (also known as multiple domains). Looking at the Let’s Encrypt forum, that’s no longer the case.

Conclusion

So should you use Let’s Encrypt? I would say if you are not doing something highly critical, e.g. an early stage startup with not many users, then you probably can start with Let’s Encrypt. Go here to get started. If your organization is already making a profit, then you should go for a paid certificate, to get a higher level of customer trust and recognition. Also, Let’s Encrypt is supported by a community. If you need support, then you may want to go for a commercial solution.

Regardless of which type of SSL certificate you choose, make sure you have the relevant technical personnel to look after your SSL matters. He/she needs to handle the rare event of your CA being compromised (switch to the new certificates ASAP), and also check that certificates are renewed correctly before expiry.
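The manual renewal check recommended above (for the 90-day Let’s Encrypt certificates, and again in this conclusion) can be scripted. This is an added example, not code from the original article; the 30-day renewal window and the host name in the final comment are assumptions, and the sample certificate is constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption: the ACME client renews about 30 days before expiry, so a served
# 90-day certificate with less than that left means renewal did not go through.
RENEW_WINDOW_DAYS = 30


def days_left(cert, now):
    """Days until notAfter, for a dict shaped like SSLSocket.getpeercert()."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    expires = datetime.fromtimestamp(not_after, tz=timezone.utc)
    return (expires - now).total_seconds() / 86400


def renewal_status(cert, now=None):
    """Classify a certificate as OK, RENEWAL_OVERDUE or EXPIRED."""
    now = now or datetime.now(timezone.utc)
    remaining = days_left(cert, now)
    if remaining < 0:
        return "EXPIRED"
    if remaining < RENEW_WINDOW_DAYS:
        return "RENEWAL_OVERDUE"
    return "OK"


def check_host(host, port=443, timeout=5.0):
    """Check the certificate the server actually serves, not the file on disk."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return renewal_status(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # An expired or untrusted certificate fails the handshake itself.
        return f"VERIFY_FAILED: {exc.verify_message}"


# Constructed sample: validity fields of a 90-day certificate.
SAMPLE_CERT = {
    "notBefore": "Mar  3 00:00:00 2024 GMT",
    "notAfter": "Jun  1 00:00:00 2024 GMT",
}

if __name__ == "__main__":
    for day in ("2024-04-01", "2024-05-15", "2024-06-02"):
        now = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
        print(day, renewal_status(SAMPLE_CERT, now))
    # Live check (needs network): print(check_host("example.com"))
```

Checking the served certificate rather than the file on disk also catches the case where renewal succeeded but the web server was never reloaded.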

Translated from: https://medium.com/swlh/how-to-secure-your-website-with-a-ssl-tls-certificate-for-free-in-a-few-minutes-ef038e2c599b
