SSL Security Certificate-Conceptual resolution

first, about the certificate

Digital certificate is a kind of authentication mechanism. Simply put, it represents a security flag issued by an authoritative authority.

Origin

In the past, traditional Web sites used HTTP protocol for data transmission, all the data used in almost plain text, it is easy to happen privacy leaks. In order to solve the security problem, we began to consider the use of encryption and decryption scheme, thus the birth of public key cryptography (asymmetric encryption and decryption) and signature algorithm. The browser obtains the public key from the server, negotiates and generates a dynamic key, after which all request responses are based on the dynamic key plus decryption. For browsers, however, is it true that all servers that claim HTTPS are trustworthy. The answer is no, the server must provide a credential to prove that it is trustworthy, so there is a certificate, the common certificate contains the public key. The premise of encrypted data transfer between the browser and the server is that the server certificate is trusted, that is, in the list of trusted certificates in the browser.

Second, PKI-public Key Infrastructure

Public key Infrastructure is a general-purpose platform for solving network security problems, which is built on the basis of publicly-used key technology. Its range of services includes public key management, authentication, encryption, integrity, and accountability services.
PKI can almost endorse the entire public key technology system standard. Conceptually, PKI covers PMI (Rights Management), however, in fact PKI is not only so, all protocols, components, services, etc. that are based on public key technology to realize network security are all subordinate to PKI, including the above certificates.

key elements of the PKI:

1 Digital Certificate Certificate
2 Certificate Signing Agency CA and approving agency RA
3 Storage Directory
4 certificate policy, certificate path, and user

Third, CA-Certificate Authority Center

Certificate Authority,ca is the third-party authority responsible for issuing and managing digital certificates, which manages all organizations, individuals, and their digital certificates in the PKI system, binds the user's public key and other information of the user, and authenticates the user online. The digital signature of the CA institution allows an attacker to forge and tamper with the certificate.

hierarchical structure of CAS

The CA establishes a top-down chain of trust, subordinate CAs trust the superior CA, and subordinate CAs are issued certificates and certified by Superior CAS
such as GitHub's certificate hierarchy:

functions of the CA:

Certificate issuance: The application for receiving, verifying and accepting digital certificates from users (including subordinate certification authorities and end users).
Certificate Update: The certificate authority can periodically update all users ' certificates, or update the user's certificates according to the user's request
Certificate query: Query the current user certificate request processing process; Query the issuance information of the user certificate, which is done by the directory server LDAP
Invalid Certificate: Due to the disclosure of the user's private key and other reasons, it is necessary to make a request to the certification center to invalidate the certificate, the certificate has been expired, the certification center automatically void the certificate. The Certification center accomplishes these functions by maintaining the certificate revocation list (Certificate revocation list,crl).
Certificate Archive: The certificate has a certain period of validity, the certificate expires after the expiration date, but we can not simply discard the invalid certificate, because sometimes we may need to verify the previous transaction process generated by the digital signature, then we need to query the obsolete certificate.
Source:

Four, certificates digital certificateMain composition

1. Applicant information;
2. The applicant's public key;
3. Issuing agency CA and digital signature
4. Certificate Validity period

Certificate Standards

1. The most basic standard in the PKI system is the first, which defines the fundamental structure of the public key certificate:
   SSL Public Key Certificate
   Certificate Revocation List CRL (Certificate revocation lists)

2. Pkcs#12
   Certificate standards used by Windows platforms and Mac platforms, typically using PFX/P12 as the file name extension,
   The standard adds a private key and access password on top of the X509.

encoding Format

Pem-privacy Enhanced Mail, BASE64 encoded, readable
The encoding format used by Apache and Unix/linux servers.
der-distinguished Encoding Rules, binary format, unreadable.
The encoding format used by the Windows server.

file name extension

Pem/der digital certificate, the encoding format corresponds to its name;
CRT digital certificate, common in Unix/linux system;
CER digital certificate, common in Windows systems;
Key non-certificate, usually a public or private key file;
CSR Certificate signing request, certificate signing requests file;
Pfx/p12-predecessor of Pkcs#12, is the PKCS#12 standard certificate file,
Both the public and private keys are included, and the access is provided with a password, DER-encoded

v. examplesget a github certificate

To open https://github.com/with Chrome, click the area to the left of the link to see the info panel:

Find certificate information, export details

Certificate Content

SSL Security Certificate-Conceptual resolution