• “Preface”

When we browse some websites, the browser sometimes prompts us to install a root certificate. But why does the browser prompt for this? Presumably some people do not want to install it directly, and isn't it bad not to understand what it is?

So what is a root certificate? I knew something about it after swallowing the material whole a few times, but I was still very confused, so I finally chose to understand it properly. First of all, before learning, I wrote down the questions that confused me when I began.


  • What is a root certificate

After calming down and looking through material on the Internet, I found that Baidu Encyclopedia's answer is “in the field of cryptography and computer security, the root certificate is a public key certificate that is not signed, or a self-signed certificate”. At first glance this kind of wording feels a bit empty. The official explanation is so professional that even professionals find it laborious to read.

  • Where does the certificate come from?

Certificates issued by a CA have to be paid for at a specialized institution. You can actually also get one for free or make one yourself, but then you don't know whether anyone else will use yours. Setting the paperwork-style concept aside, in plain terms it is a program that carries some information and is installed into your browser. As for HTTPS, it is an implementation of HTTP + SSL, where SSL is a secure transport protocol. My thinking is that if I did not even know HTTP, there would be no need to learn HTTPS.

  • What is HTTPS?

In fact, from the introduction above we can see that HTTPS is a secure transport protocol. It is secure because of the SSL (CA) certificate; put simply, an SSL certificate is a CA certificate. This involves a lot of professional knowledge, but I did not go into the details, because if you focus on one point you may mislead the overall direction of learning.

  • Its execution process

When a client wants to access, with an HTTPS request, a server that has a CA certificate installed (that is, a server that implements HTTPS transport), a root certificate needs to be installed in the local browser.

Most browsers now install the root certificates provided by the major CA vendors by default, so you don't need to install a root certificate when accessing a server with a matching certificate. Similarly, you can also install an SSL certificate on the client as well as on a service program.

As an aside, there are free certificates on the Internet, and for someone skilled enough, writing one should not be difficult either. The principle behind the implementation is to be explored later. Next, the request exchange process is described in detail.

  • 1. When a browser with the root certificate installed uses HTTPS to request the server, the server returns certificate information, including:
      • the validity period of the certificate and the CA supplier that issued the certificate;
      • a public key generated by the server and information about the certificate holder;
      • some extended information and a digital signature (a digital signature is an MD5 digest of the previous information, encrypted with the CA vendor's encryption key).

  • 2. After receiving the certificate, the client uses the public key in the root certificate to decrypt the certificate's digital signature, which verifies that the certificate was provided by the current CA provider. However, the client has only received the certificate at this point and still needs to verify that its content is correct.

  • 3. In this case, the client does not know whether the certificate content is correct. Therefore, the client computes the MD5 digest of the preceding pieces of information in the received certificate and compares it with the decrypted digital signature.

  • 4. Then the client starts to access the server, but the check is not complete at this point, because we have only verified and determined the validity of the certificate, but have not determined whether the currently accessed server is the correct server.

  • 5. Therefore, the client uses the public key returned in the certificate to encrypt the information to be sent, and then sends it to the server. Only a server that holds the matching private decryption key can decrypt the encrypted request and return a response to the client.

  • 6. If the authentication is successful, the client and server will use the information just sent as a symmetric key to encrypt the information to be transmitted.
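Steps 1 to 6 above, traced end to end in an added example that is not part of the original post. It assumes textbook RSA (no padding) over fixed Mersenne primes so that it runs with the standard library only, uses SHA-256 where the steps say MD5, and all names and certificate values are constructed.

```python
import hashlib
import json
import secrets

E = 65537

def mersenne(k):
    return 2**k - 1  # prime for k in {89, 107, 127, 521, 607, 1279}

def keypair(p, q):
    """Toy textbook-RSA key pair: returns ([n, e], (n, d))."""
    n = p * q
    return [n, E], (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(fields):
    # Digest over every certificate field except the signature (SHA-256, not MD5).
    blob = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")

def ca_issue(fields, ca_priv):
    # Step 1: the CA transforms the digest with its private key to form the signature.
    n, d = ca_priv
    return {"fields": fields, "signature": pow(digest(fields), d, n)}

def client_verify(cert, root_pub):
    # Steps 2-3: recover the digest with the root public key, then compare it
    # with a digest the client recomputes over the fields it received.
    n, e = root_pub
    return pow(cert["signature"], e, n) == digest(cert["fields"])

def handshake(cert, root_pub, server_priv):
    if not client_verify(cert, root_pub):
        return "certificate rejected"
    # Step 5: encrypt a fresh secret to the public key inside the certificate.
    n, e = cert["fields"]["public_key"]
    secret = secrets.randbits(128)
    wrapped = pow(secret, e, n)
    # Server side: only the matching private key recovers the same secret.
    sn, sd = server_priv
    if pow(wrapped, sd, sn) != secret:
        return "server lacks private key"
    return "session key agreed"  # Step 6: both sides now share `secret`

# Constructed sample keys and certificate.
CA_PUB, CA_PRIV = keypair(mersenne(521), mersenne(607))
SRV_PUB, SRV_PRIV = keypair(mersenne(127), mersenne(1279))
_, IMPOSTOR_PRIV = keypair(mersenne(89), mersenne(107))
CERT = ca_issue({"holder": "shop.example", "issuer": "Example Root CA",
                 "not_after": "2030-01-01", "public_key": SRV_PUB}, CA_PRIV)

if __name__ == "__main__":
    print(handshake(CERT, CA_PUB, SRV_PRIV))       # genuine server
    print(handshake(CERT, CA_PUB, IMPOSTOR_PRIV))  # replayed cert, wrong key
```

The second call shows why step 4 says the check is not finished once the certificate validates: a party that replays a valid certificate without holding its private key cannot recover the secret.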

The encryption and decryption in the steps above are what ensure the security of HTTPS. By comparison, requests over the HTTP protocol are very insecure, but in everyday web development that does not involve important information HTTP is still enough. For scenarios where the security of requests and data really must be guaranteed, a mature solution now exists.

If you had to program it all yourself (client to server, a custom data protocol, an implementation of SSL, and some other things I don't know about), implementing the whole process would be a huge amount of work and would require strong technical support behind it.
