HTTPS, Those Things (Part 1): The Network's ID Card, the SSL Certificate!

Programmers doing web development have surely heard the two words HTTP and HTTPS; even those not very familiar with them know that HTTPS is more secure than HTTP, that HTTPS is encrypted, that it will become mainstream and replace HTTP, and so on.


With a little more understanding you know the biggest difference: HTTPS wraps the HTTP protocol in a layer of SSL/TLS, and the HTTP packets are encrypted with SSL/TLS before transmission. Today we'll talk about the core of the SSL/TLS protocol: the certificate.


A quick SSL/TLS primer

SSL (Secure Sockets Layer) and its evolution TLS (Transport Layer Security), together referred to as the SSL/TLS protocol, are an asymmetric encryption protocol widely used for authentication and encrypted data transfer between the web browser and the server.


Simply put, the principle of the protocol is that before a web client (e.g. a browser) sends HTTP packets to the server, it first sends the server a request saying:


"I want to communicate with you using the SSL protocol!"


On receiving this request the server knows the client wants to use the SSL protocol, and sends its own public key and certificate back to the client. The client receives the certificate and public key the server sent back, verifies that the certificate is legitimate, encrypts its HTTP message with the public key, and then transmits it to the server.


This process resembles the TCP three-way handshake, and in fact it is called the SSL handshake. Once the handshake is complete, the client encrypts its HTTP request packet with the server's public key and sends it to the server; the server decrypts the received HTTP request with its private key, handles the business logic, encrypts the HTTP response with its private key and returns it to the client; the client decrypts the encrypted HTTP response with the public key, and the user sees the server's web page or data. This is how HTTPS works.


What is an SSL certificate?

From the above we roughly know how the SSL protocol works, and the key to it is the SSL certificate the server sends to the client. The client must verify that the certificate is legitimate before it can believe that the public key it received really belongs to the server it wants to access, rather than having been swapped in by a virus or a fake website, that is, that it is not suffering a man-in-the-middle attack. Only once the certificate is verified as legitimate can the SSL handshake be established.


So what is a certificate? As the name suggests, a certificate is something that proves the identity of the server. How do you prove identity? In real life, how do we prove that I am me and not an impostor?


ID card!!!


We take our household register to the Public Security Bureau and get an ID card, which carries our photo, name, sex, birthplace, date of birth and other information. Showing our ID card to others is enough to prove that I am me, whether looking for a job, opening a bank card or buying tickets, and in every other matter that requires proof of identity.


The SSL certificate is the network's ID card. With this certificate the server, just like us with our ID cards, can prove to the client that it really is the server the client wants to access, and not an impostor.


Where do SSL certificates come from?

The SSL certificate is the server's ID card, so where does the certificate come from? And why should the client believe a certificate?


Our ID cards are issued by the Public Security Bureau and endorsed by the state; the state's credit is strong enough that anyone will trust it.


For SSL certificates there is likewise an entity that plays the Public Security Bureau's role of endorsing certificates: the CA (Certificate Authority).


The CA is the authority responsible for issuing and managing digital certificates. A server that wants a certificate takes its own "household register" to the CA to apply; after receiving the application, the CA proves through a very strict verification procedure that the server really is that server, then stamps the applying server's "autograph" with its official seal (the CA's private key, the signature being an encryption), and the certificate is produced.


So the server sends the client a certificate bearing the CA's official seal (its signature); once the client sees the CA's seal it can rest assured and believe the server's identity.


Seeing this you might ask: why on earth should the client believe the CA? Because the operating system, whether Windows or Linux, ships with a built-in list of Trusted Root Certification Authorities, which in effect stores the CAs' public keys. When the server says its certificate was issued by such-and-such CA, the client takes that CA's public key and decrypts the signature to see whether it is genuine; this works because the CA's private key is not easy to steal.


What is a self-signed certificate?

CAs are nice, but there is a problem: a CA is not Lei Feng. A CA is in it for the money, and that money is nothing like the one-off fee of 20 we pay for an ID card:

[image: 1.png]


These prices are really touching. If we only want to debug the SSL protocol, or are running some intranet sites or doing development, isn't spending this money a waste? Apart from paying, is there any other way? There really is: the self-signed certificate.


We already know that the CA is the Public Security Bureau of the Internet, issuing ID cards, but there is a difference between a CA and the real Public Security Bureau. In reality there is only one Public Security Bureau, that of the People's Republic of China; identity documents issued by any other agency are fakes, and issuing them is breaking the law.


On the Internet, however, there are very many CAs, and even an individual can carve their own CA seal out of a radish, so to speak; a certificate signed by such a home-made CA is called a self-signed certificate. But the operating system only recognises the handful of CAs in its Trusted Root Certification Authorities list; the radish-seal CA we carved ourselves is not considered safe by the operating system, so opening a website that uses a self-signed certificate in a browser gets you the following red warning:

[image: 2.png]

But whatever else, the money is saved!
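The whole story above, the CA's seal, the client's built-in trusted root list, and the red warning for a self-signed certificate, can be reproduced end to end with Go's standard library. The program below is an added example and is not code from the original post or from the author; it builds a root CA (the post's "Public Security Bureau"), issues a server certificate stamped by that CA, carves a "radish seal" self-signed certificate, and then has a TLS client that initially trusts only the root CA handshake with each server over loopback TCP. The names "Demo Root CA", "www.example.test" and "intranet.test" are constructed for the demo, and the trust list is an in-memory `x509.CertPool` standing in for the operating system's Trusted Root Certification Authorities list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) { if err != nil { panic(err) } } // abort the demo on setup failures

// newCert issues a certificate for name. With parent == nil it is self-signed (the server
// carves its own seal); otherwise it carries the parent CA's signature (the CA's official seal).
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; real CAs use random serials
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a CA key may sign other certificates
	} else {
		tmpl.DNSNames = []string{name} // the hostname the client will compare against
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	issuer, issuerKey := tmpl, key // self-signed: the issuer is the subject itself
	if parent != nil {
		issuer, issuerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// handshake runs a real TLS handshake over loopback TCP: the server presents cert, the client
// trusts only roots and expects host. The returned error is the client's verdict (nil = accepted).
func handshake(cert *x509.Certificate, key *ecdsa.PrivateKey, roots *x509.CertPool, host string) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}}
	go func() {
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			tls.Server(c, srvCfg).Handshake() // ends with the client's alert when the client rejects the cert
		}
	}()
	c, err := net.Dial("tcp", ln.Addr().String())
	check(err)
	defer c.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second)) // never let the demo hang
	return tls.Client(c, &tls.Config{RootCAs: roots, ServerName: host}).Handshake()
}

// Outcome records the client's decision in each scenario the post describes.
type Outcome struct {
	CAIssued          bool   // cert signed by a CA in the trust list: accepted
	WrongHost         bool   // the same cert presented under another hostname: rejected
	SelfSigned        bool   // self-signed cert unknown to the trust list: rejected
	SelfSignedErr     string // the client's reason for that rejection
	SelfSignedTrusted bool   // the same cert after it is added to the trust list: accepted
}

// Demo lets a client that trusts only the root CA handshake with a CA-issued and a self-signed server.
func Demo() Outcome {
	var o Outcome
	ca, caKey := newCert("Demo Root CA", true, nil, nil) // the post's "Public Security Bureau"
	roots := x509.NewCertPool()                          // the client's Trusted Root CA list
	roots.AddCert(ca)
	srv, srvKey := newCert("www.example.test", false, ca, caKey) // applied to the CA and got stamped
	o.CAIssued = handshake(srv, srvKey, roots, "www.example.test") == nil
	o.WrongHost = handshake(srv, srvKey, roots, "other.example.test") != nil
	self, selfKey := newCert("intranet.test", false, nil, nil) // carved its own seal instead
	if err := handshake(self, selfKey, roots, "intranet.test"); err != nil {
		o.SelfSigned, o.SelfSignedErr = true, err.Error()
	}
	roots.AddCert(self) // what "trust this certificate anyway" in a browser amounts to
	o.SelfSignedTrusted = handshake(self, selfKey, roots, "intranet.test") == nil
	return o
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Running it prints the five verdicts; the rejection reason for the self-signed server contains "certificate signed by unknown authority", which is the programmatic form of the browser's red warning, and the same certificate is accepted once it sits in the client's root pool. The `WrongHost` case shows the part of the check the analogy leaves out: a valid seal is not enough, the name on the ID card must also match the server you asked for. One caveat on the post's simplified picture: in a real handshake the certificate's public key is used to authenticate the server and agree a session key, and the HTTP traffic that follows is encrypted with that symmetric session key rather than with the public and private keys directly.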


Finally

That's it for this primer on SSL certificates. We now roughly know what the certificate in HTTPS is for, and also that what we developers use most often is actually the self-signed certificate. Can a self-signed certificate be generated easily? Next time I'll show you how to generate one.


Author: Chen Siveco

Publisher: Kerry for the technology





Origin: blog.51cto.com/11811406/2484754