First, to borrow a map on the network is the fire to record the understanding about the https protocol
as the picture shows:
1, the client initiates a request to port 443, the server is connected to the server
2, the server certificate has a key pair that he holds the private key, the public key can be distributed to anyone
3, the server to respond to requests, sends the public key to the client
4, after the client receives the server's public key will verify the legality of (but in reality is the public key of the CA certificate verify the legitimacy of the process), if the check is passed, the client itself generate a random value ( client key), the random value as a symmetric encryption transmission server data (symmetric encryption key client key), then the server using the key sent by the client public key encryption, so that it becomes a client secret key culture
End of the first http request in https
5. http client initiates a second request for https in the client encrypted key sent to the server
6, the server receives client key, perform asymmetric with his private decrypting plaintext client key is decrypted, and then encrypted with a symmetric data client key, so that the data becomes the ciphertext.
7, the server will be encrypted data to the client
8, the client receives the server sent by the ciphertext, decrypt the symmetric key with its client, the server sends the obtained data. So the whole https transfer is complete.
Two, CA certificate to verify the legitimacy of the process:
1. First, look for a local computer ca root certificate if there is this mechanism on the server certificate. If there continue to the next step, if no pop-up warning.
2. Use ca authority root certificate on the public key of the server certificate fingerprint and fingerprint algorithm to decrypt.
3. After get fingerprint algorithm, take this fingerprint algorithm to calculate the digest server certificate to obtain fingerprints.
4. the calculated fingerprint and decrypts the server certificate from the fingerprint collation as if to see if the same is authenticated.
Third, recognize CA and CA certificate
CA (Certificate Authority) is the certificate issuing authority, which is responsible for managing and issuing certificates of third parties, it is widely trusted institutions. In general our computer, browser, or phone number of the root certificate will be built so trusted institutions.
As the name suggests CA certificate is issued by the CA certificate. In fact, anyone can sign the certificate, you can also issue certificates for ourselves, but because you yourself are not widely trusted institutions, so your own certificates issued and no use. The public will not trust your certificate. Server certificate includes the following information:
Certificate chain of trust:
for example, I was a CA issued a certificate I I This certificate is another B B certificate trust certificates and trust certificates of the other C ...... then this chain can go on trust. So once the root CA certificate institutions can not be trusted, then out of all certificates issued by him will all become credible, very serious consequences.
