Concept
HTTP (Hypertext Transfer Protocol)
HTTP is the standard transport protocol (over TCP) for client-side requests and server-side responses; it carries hypertext from the WWW server to the local browser and sends all content in clear text, without any encryption.
HTTPS (Hypertext Transfer Protocol over Secure Socket Layer)
is the secure version of HTTP, that is, HTTP running on top of an SSL layer. The security of HTTPS rests on SSL, so the details of the encryption are handled by SSL.
Role: first, to establish a secure channel that protects the data in transit; second, to confirm the authenticity of the website.
SSL (Secure Sockets Layer)
is the protocol for securely exchanging information between web browsers and web servers; it provides two basic security services: authentication and confidentiality.
TLS (Transport Layer Security, the successor of SSL)
Used to provide confidentiality and data integrity between two communicating applications.
Symmetric and asymmetric encryption
Symmetric encryption: encryption and decryption use the same key.
Asymmetric encryption: there are two different keys; either one can serve as the encryption key, and the other is then the decryption key.
Public and private keys
When asymmetric encryption is used, one key is made public and is called the public key; the other is known only to the key's owner and is called the private key.
Digital signatures
Based on asymmetric encryption.
Server to browser: the party holding the private key "encrypts" the content with the private key (in practice it signs a hash of the content) and sends it out. Because anyone can obtain the public key matching that private key, any holder of the public key can decrypt (verify) the content with it; if it checks out, the content must have been issued by the party that owns the private key.
Browser to server: entities holding the public key encrypt content with the public key, and only the owner of the private key can decrypt it.
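The server-to-browser direction above, worked through with the openssl command line as an added example that is not part of the original post: a private key signs a SHA-256 hash of a file, the matching public key verifies it, and a one-word change to the file after signing makes verification fail. The file names, the message text and the 2048-bit key size are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original post): sign with a private key, verify with the public key.
# File names, the message text and the 2048-bit key size are assumptions made here.
set -eu

# Generate an RSA key pair: signer.key (private, kept secret) and signer.pub (public, handed out).
make_keypair() {  # make_keypair DIR
  openssl genrsa -out "$1/signer.key" 2048 2>/dev/null
  openssl rsa -in "$1/signer.key" -pubout -out "$1/signer.pub" 2>/dev/null
}

# "Encrypting with the private key" as the text describes it is, in practice, signing a
# SHA-256 hash of the file with the private key; the result goes into a separate signature file.
sign_file() {  # sign_file PRIVATE_KEY FILE SIGNATURE_OUT
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Anyone holding the public key can check the signature; prints VALID or INVALID.
verify_file() {  # verify_file PUBLIC_KEY FILE SIGNATURE
  if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; then
    echo VALID
  else
    echo INVALID
  fi
}

# Sign a constructed message, verify it, then alter the message and verify again.
signature_demo() {
  dir=$(mktemp -d)
  make_keypair "$dir"
  printf 'transfer 100 to alice\n' > "$dir/msg.txt"     # constructed sample message
  sign_file "$dir/signer.key" "$dir/msg.txt" "$dir/msg.sig"
  untouched=$(verify_file "$dir/signer.pub" "$dir/msg.txt" "$dir/msg.sig")
  printf 'transfer 100 to mallory\n' > "$dir/msg.txt"   # content changed after signing
  tampered=$(verify_file "$dir/signer.pub" "$dir/msg.txt" "$dir/msg.sig")
  rm -rf "$dir"
  echo "$untouched $tampered"
}

signature_demo   # prints: VALID INVALID
```

The signature is bound to the exact bytes that were signed, which is why the second verification fails: the public key proves both who signed and that nothing changed afterwards, and this is exactly the property a CA relies on when it signs a certificate.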
Digital certificates
A certificate digitally signed by an authoritative certification authority (CA) provides effective online authentication and helps entities identify each other.
A digital certificate is a file that holds the information of an entity together with the public key corresponding to the private key owned by that entity.
CA (Certificate Authority)
is the abbreviation of certification authority (digital certificate certification center): the institution that issues, manages and revokes digital certificates.
The role of a CA is to check the legitimacy of the certificate holder's identity, to issue the certificate (by signing it, so that it cannot be forged or tampered with), and to manage certificates and keys.
SSL and CA
A CA is a digital certificate authority, an SSL certificate is a digital certificate, a CA issues SSL certificates, and HTTPS is where the SSL certificate is put to use.
HTTPS Access process
Making a self-signed certificate (own CA)
Goal: the files the server ends up using are ca.crt, server.crt and server.key (the signing step below writes the server certificate as servercert.crt).
Terms:
Certificate formats:
Certificate format conversion: http://blog.csdn.net/adeyi/article/details/8299473
PEM format: Base64-encoded ASCII file; usually stores the server certificate, intermediate certificates and the private key; used by Apache and similar servers; extensions .pem, .crt, .cer, .key
DER format: binary-encoded file; can store all certificates and private keys; used by Java; extensions .der, .cer, .crt
PKCS#7/P7B format: Base64 format; stores certificates or certificate chains, cannot store private keys; supported by Windows and Tomcat; extensions .p7b, .p7c, .spc
PKCS#12/PFX format: encrypted binary format; stores the server certificate, intermediate certificates and the private key; used to import and export certificates and private keys on Windows; extensions .pfx, .p12
CSR: Certificate Signing Request
1. Making a CA
1.1 Create an RSA private key for the CA (DES3-encrypted, PEM format)
openssl genrsa -des3 -out ca.key 1024
-des3: the encryption algorithm used to protect the key file
A passphrase is prompted for during the process, and the ca.key file is encrypted with DES3 under that passphrase.
(1024-bit RSA keys are considered too weak today; 2048 bits or more is recommended.)
Attached:
View details of the private key: openssl rsa -noout -text -in ca.key
Remove the passphrase from the private key (rewrites ca.key unencrypted in place): openssl rsa -in ca.key -out ca.key
1.2 Create a self-signed certificate for the CA (X.509 structure, output in PEM format)
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
-x509: output a self-signed certificate instead of a certificate request
Attached:
View certificate information: openssl x509 -noout -text -in ca.crt
2. Self-built server certificate
2.1 Generate the server private key
openssl genrsa -des3 -out server.key 1024
2.2 Generate the server certificate request
openssl req -new -key server.key -out server.csr
2.3 Sign the server certificate with the CA
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out servercert.crt
-CAcreateserial (added here) creates the serial-number file ca.srl on the first signing; without it the command fails while that file does not exist yet.
When signing is complete, the signed certificate (the response to the certificate request) and the CA root certificate are returned to the requester, i.e. the server side.
2.4 If another server accesses the HTTPS service from (Java) code, use keytool to import the root certificate (chain) and the certificate request response into the Java cacerts store (the default password of cacerts is changeit)
keytool -import -alias isupcert -trustcacerts -file servercert.crt -keystore $JAVA_HOME/jre/lib/security/cacerts
Attached:
View an existing certificate: keytool -list -keystore cacerts -alias isupcert
Delete a certificate: keytool -delete -alias isupcert -keystore cacerts
3. Client trusts the certificate
It is generally added to the browser's trust whitelist.
In some operating systems, however, the root certificate also has to be configured as a system-level certificate for it to keep working.
Mac OS X
To add a certificate:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/new-root-certificate.crt
To remove a certificate (put the certificate's common name between the quotes):
sudo security delete-certificate -c ""
Windows
To add a certificate:
certutil -addstore -f "ROOT" new-root-certificate.crt
To remove a certificate:
certutil -delstore "ROOT" serial-number-hex
Linux (Ubuntu, Debian)
To add a certificate:
1. Copy the CA file to the directory /usr/local/share/ca-certificates/
2. Execute: sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
3. Update the CA certificate store: sudo update-ca-certificates
To remove a certificate:
1. Remove your CA file from /usr/local/share/ca-certificates/.
2. Update the CA store:
sudo update-ca-certificates --fresh
Restart Kerio Connect to reload the certificates in the 32-bit versions or Debian 7.
Linux (CentOS 6)
To add a certificate:
1. Install the ca-certificates package: yum install ca-certificates
2. Enable the dynamic CA configuration feature: update-ca-trust force-enable
3. Add it as a new file to /etc/pki/ca-trust/source/anchors/: cp foo.crt /etc/pki/ca-trust/source/anchors/
4. Execute: update-ca-trust extract
Restart Kerio Connect to reload the certificates in the 32-bit version.
Linux (CentOS 5)
To add a certificate:
Append your trusted certificate to the file /etc/pki/tls/certs/ca-bundle.crt: cat foo.crt >> /etc/pki/tls/certs/ca-bundle.crt
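As an added example (not the post's or Kerio's commands), a script that reproduces what the trust-store steps above do, in a temporary directory instead of the real system store: it creates a self-signed root foo.crt, shows with openssl verify that it is not trusted, appends it to a bundle file the way the CentOS 5 step does, and installs it into a hashed directory of the kind update-ca-certificates maintains under /etc/ssl/certs (a PEM copy plus a <subject-hash>.0 link that openssl looks up by hash). The same openssl verify calls, pointed at the real bundle file or certificate directory, are the check to run after update-ca-certificates or update-ca-trust. File names and the subject name are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: what "adding a CA to the trust store" does, in a temp dir.
set -eu

# Create a self-signed root foo.crt in DIR (stands in for the CA being installed).
make_root() {  # make_root DIR
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Foo Test CA" \
      -keyout "$1/foo.key" -out "$1/foo.crt" 2>/dev/null
}

# OK if CERT validates against the bundle file BUNDLE (ca-bundle.crt style), else FAIL.
trusted_by_bundle() {  # trusted_by_bundle BUNDLE CERT
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# OK if CERT validates against the hashed directory STORE (/etc/ssl/certs style), else FAIL.
trusted_by_dir() {  # trusted_by_dir STORE CERT
  if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Install CERT into STORE the way update-ca-certificates lays out /etc/ssl/certs:
# a copy of the PEM plus a <subject-hash>.0 symlink that openssl resolves by hash.
install_into_dir() {  # install_into_dir STORE CERT
  cp "$2" "$1/foo.pem"
  ln -s "foo.pem" "$1/$(openssl x509 -noout -hash -in "$2").0"
}

trust_store_demo() {
  dir=$(mktemp -d); store="$dir/store"; mkdir "$store"
  : > "$dir/ca-bundle.crt"                      # empty stand-in for ca-bundle.crt
  make_root "$dir"
  before=$(trusted_by_bundle "$dir/ca-bundle.crt" "$dir/foo.crt")
  cat "$dir/foo.crt" >> "$dir/ca-bundle.crt"    # the CentOS 5 append step
  after_bundle=$(trusted_by_bundle "$dir/ca-bundle.crt" "$dir/foo.crt")
  before_dir=$(trusted_by_dir "$store" "$dir/foo.crt")
  install_into_dir "$store" "$dir/foo.crt"
  after_dir=$(trusted_by_dir "$store" "$dir/foo.crt")
  rm -rf "$dir"
  echo "$before $after_bundle $before_dir $after_dir"
}

trust_store_demo   # prints: FAIL OK FAIL OK
```

Both layouts answer the same question, whether the root is in the set of trusted anchors; the bundle is one concatenated file, the directory is looked up by subject hash, and a certificate whose CA is in neither is rejected exactly as the browser warning does.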
Reference:
How to add a custom CA root certificate to the operating system so that it is trusted
https://www.qiansw.com/add-the-ca-root-certificate-to-the-operating-system-for-trust.html
SSL and CA
http://blog.csdn.net/lzs109/article/details/6960461
HTTPS related knowledge