Https and SSL learning notes (2) and httpsssl learning notes

Https and SSL learning notes (2) and httpsssl learning notes

This article describes the certificate information, refer to the article link http://www.guokr.com/post/116169/

I. certificate type

Common certificates are as follows:

(1) SSL Certificate, used to Encrypt HTTP

(2) code signature certificate, used to sign binary files, such as Windows Kernel drivers, Firefox plug-ins, and Java code signatures.

(3) client certificate, for example, used to encrypt emails

(4) two-factor certificate. This type of certificate is used in the USB Key used by the online banking Professional Edition.

The certificate format is defined by the X.509 standard.

These certificates need to be issued by the authenticated certificate authority (usually known as the CA), and the certificates issued by the CA are trusted. Enterprises and individuals can apply for a certificate based on the certificate type and time. The charges are also different.

Ii. Apply for a certificate from CA

Generally, enterprise certificates are more expensive than individual certificates. When you apply for a certificate, the certificate is valid. After the validity period expires, you need to apply for a new certificate.

When applying for a certificate, you must provide the Domain Name of the website. When providing the domain name, you must prove that the applicant has ownership of the domain name. Generally, a certificate can only be bound to one domain name. This certificate is trusted only when you access this domain name. In addition, the domain name can contain wildcard *, but such a certificate is expensive. Baidu's certificate contains wildcards (1 ). The general name in the issued certificate is the domain name filled in when the certificate is applied for, and the general name of the issuer is the issuing authority. If "Extended Validation SSL" is entered, it indicates that this certificate is an ev ssl Certificate (Extended Validation SSL certificate ), an ev ssl Certificate features a green address bar in the browser and displays the name of the company to which the certificate belongs. The two periods in the validity period are the effective time and effective time of the certificate. When applying for a certificate, in addition to providing a domain name, you also need to provide a business license and identity information.

Figure 1

Iii. Certificate verification process

Certificates are organized in the form of a certificate chain. When issuing certificates, you must first have the root certificate issued by the root CA, and then the Root CA will issue certificates from the intermediate CA, at last, an SSL certificate is issued by an intermediate CA. The certificate is also verified at the first level. Only when all certificates are trustable can the SSl Certificate be trusted by the browser. If the root certificate is untrusted, all the certificates issued below are untrusted. Shows the certificate path:

4. reasons why the certificate is not trusted by the browser

(1) Certificate Expired

(2) The domain name in the certificate is inconsistent with the accessed Domain Name

(3) untrusted authority