It, on the certificate
digital certificate is an authentication mechanism. Simply put, it represents a sign of security issued by an authorized authority. 
The origin
In the past, the traditional site uses HTTP protocol for data transmission, all data almost all of plaintext, it is prone to loss of privacy. In order to solve the security problem, we began to consider the use of encryption and decryption programs, Ever since the birth of the public key encryption (asymmetric encryption) and signature algorithm. Browser obtained from the server public key, generating a dynamic key through negotiation and, after all the requests are based on dynamic response decryption key. However, for the browser, is not all claimed that HTTPS servers are trusted it. The answer is no, the server must provide a certificate to prove himself worthy of trust, and thus which have a certificate, which is usually the certificate contains a public key. Premise browser and server to encrypt data transmission are the server certificates are trusted, trusted certificate that is present in the browser list.
Two, PKI - Public Key Infrastructure
Public Key Infrastructure, is based on public-key technology built to solve network security problems common base platform. Its services include Public Key, provides authentication, encryption, integrity and accountability services.
PKI public key technology can almost speak for the entire system standards. Conceptually, PKI covers the PMI (rights management), but essentially PKI Not only that, as long as the current protocol is based on public-key technology for all network security, components, services and so subordinate PKI, including the above-mentioned certificate.
The key elements of PKI:
1 digital certificate Certificate
2 CA certificate signed and approved by the institutional bodies RA
3 storage directory
4 certificate policy, the certification path and users
Three, CA - Certificate Authority
Certificate Authority, CA is responsible for issuing and managing digital certificates of third-party authority, which is responsible for all PKI organization and management system, individuals, and they hold the digital certificate, the user's public key and other information tied to the user on the internet to verify the user's identity. CA digital signature allows institutions *** can not forge and tampering with a certificate.
CA hierarchy of
CA to establish a top-down chain of trust, trust in the superior subordinate CA CA, subordinate CA certificate issued by a superior CA and certified
as github certificate hierarchy:
CA functions:
Certificate: receiving, verifying and accepting user applications (including subordinate certification center and end-user) of digital certificates.
Certificate update: Certificate Authority certificate can be updated on a regular basis for all users, or to update the user based on the user's request a certificate
Certificate query: query the current user certificate request process; queries the user certificate authority information, such inquiries done by the LDAP directory server
certificate obsolete: due to user's private key leaks and other reasons, it is necessary to set aside the certificate request to the certification center; validity of the certificate has passed, the certificate Authority automatically void. Certification Center to complete the above function void list (Certificate Revocation List, CRL) by maintaining the certificate.
Archive Certificates: The certificate has a certain validity, the certificate will be invalid after the period has been exceeded, but we can not set aside the certificate will simply be discarded, because sometimes we may need to verify the digital signature of a previous transaction generated in the process, then we need to check the certificate obsolete.
source:
Four, Certificates digital certificate
is mainly composed of
applicant information;
applicant's public key;
issuing authority CA and the digital signature
certificate is valid
certificate standard
x.509 PKI system is the most basic standard that defines the basic structure of the first public key certificate:
SSL certificate public key
certificate revocation list CRL (certificate revocation lists)
# 12 PKCS
Windows certificate standard platform and mac platforms, often using pfx / p12 as a file extension,
the X509 is standard on the basis of increased private key and access code.
Encoding format
PEM - Privacy Enhanced Mail, BASE64 coding, readable
Apache and Unix / Linux server using the encoding format
DER -. The Distinguished Encoding Rules, binary format unreadable
Windows Server using the encoding format.
File name extension
/ der digital certificate, corresponding to their names PEM encoding format;
CRT digital certificate, common in the unix / linux system;
CER digital certificate, common in the windows system;
Key non certificates, public or private key is typically a file;
CSR Certificate Signing Request, a certificate signing request file;
PFX / P12 - the predecessor of PKCS # 12, is the standard PKCS # 12 certificate file
contains both public and private keys required to access password, using the DER encoding