HTTPS Settings Instruction

The open platform recommends that developers set the HTTPS callback interface address to ensure safety.

For developers who have purchased a cloud server and certificate from a cloud service provider (Tencent Cloud, Huawei Cloud, Alibaba Cloud, etc.), they can quickly configure it according to its operating instructions. Please refer to the cloud service provider's manual.

The following description of the general configuration steps is for developers' reference only.

I. SSL Certificate Application

1. Confirm the domain name that needs to apply for the certificate

2. Generate private key and CRS file

Execute the following command on the Linux machine to generate the private key.

#openssl genrsa -out server.key 2048

Execute the following command on the Linux machine to generate the CSR file.

Noted: Information filled in here is for reference only. Developers may fill in according to their needs:

#openssl req -new -key server.key -out certreq.csr
Country Name： CN                      //Country ISO. eg. ISO for China is CN
State or Province Name：guangdong       //State or province of your business's location
Locality Name：shenzhen                 //City of your business
Organization Name： Tencent Technology (Shenzhen) Company Limited                 //Legal full name of your company 
Organizational Unit Name： R&D         //Department Title
Common Name： www.example.com     //Common name，For example：www.itrus.com.cn。This item must exactly match the domain name used when you access the server that provides the SSL service
Email Address：                          //Your email address. Does not required. Press enter to skip
"extra"attributes                        //Does not required. Press enter to skip until commend is executed

After executing the above command, the private key files server.key and certreq.csr CSR files can be generated in the current directory.

3. Submit the generated CSR file to a third-party certificate authority to apply for the server certificate of the corresponding domain name Please save the private key file carefully.

4. After the certificate application, the certificate authority will provide the content of the server certificate and two intermediate CA certificates. Please generate the server certificate according to the instructions of the certificate issuance machine. The server certificate file name is assumed to be server.pem.

5. Copy the generated private key file server.key and server certificate server.pem to the directory specified by the server to configure the HTTPS server.

II. HTTPS Server Configuration

Take Nginx as an example, and its HTTPS certificate configuration is as follows:

server {
    listen       443;   #指定ssl监听端口
    server_name  www.example.com;
    ssl on;    #开启ssl支持
    ssl_certificate      /etc/nginx/server.pem;    #Assign the server certificate path
    ssl_certificate_key  /etc/nginx/server.key;    #Assign the certificate key path
    ssl_session_timeout  5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;     #Assign the protocol version supported by the SSL server
    ssl_ciphers  ALL：!ADH：!EXPORT56：RC4+RSA：+HIGH：+MEDIUM：+LOW：+SSLv2：+EXP;    #Assign encryption algorithm
    ssl_prefer_server_ciphers   on;    #When using SSLv3 and TLS protocols, assign the encryption algorithm of the server is prior to the encryption algorithm of the client
    #The following content is for reference only. Please configure according to the requirement of the domain name 
    location / {
        return 444;
    }
}

Frequently Asked Question:

1. Certificate trusted issue: Some SSL certificates issued in China are not trusted on Android. GeoTrust is recommended;

2. If the page has dynamic and static separation and the static resource uses an independent domain name, it is also necessary to apply for a certificate for the domain name;

3. The lower version of android does not support SNI extension. Due to this limitation, a server can only deploy one digital certificate;