HTTPS related knowledge

Source: Internet
Author: User
Tags: decrypt, openssl rsa, openssl x509, ssl certificate, asymmetric encryption

Concepts

HTTP (Hypertext Transfer Protocol)

HTTP is the transport protocol used to transfer hypertext from the WWW server to the local browser; it is a standard (over TCP) for client-side requests and server-side responses. It sends content in clear text, without any data encryption.

HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer)

HTTPS is the secure version of HTTP, that is, HTTP layered on top of SSL. Its security rests on SSL, so the details of the encryption are handled by SSL.

Role: one is to establish a secure channel that protects the data in transit; the other is to confirm the authenticity of the website.

SSL (Secure Sockets Layer)

SSL is the protocol for securely exchanging information between Web browsers and Web servers. It provides two basic security services: authentication and confidentiality.

TLS (Transport Layer Security)

TLS is used to provide confidentiality and data integrity between two communicating applications.

Symmetric and Asymmetric encryption

Symmetric encryption: Encryption and decryption use the same key

Asymmetric encryption: there are two different keys; either one can serve as the encryption key, and the other is then the decryption key.

Public and private keys

When asymmetric encryption is used, one key is made public and is called the public key; the other key is known only to the key's owner and is called the private key.

Digital signatures

Based on asymmetric encryption.

Server -> browser: the party holding the private key encrypts (signs) the content with the private key and sends it out. Because anyone can obtain the public key that corresponds to that private key, a holder of the public key decrypts the content with it; if it decrypts correctly, the content must have been issued by the party that owns the private key.

Browser -> server: entities that hold the public key encrypt content with the public key, and only the private key's owner can decrypt it.
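The two directions described above, as an added example that is not part of the original page: it uses the OpenSSL command line (which the page relies on later) with a constructed RSA key pair and constructed messages in a temporary directory. The function names and file names are my own, and the script assumes the openssl binary is installed.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Assumes the openssl binary is available.
# Everything lives in a throwaway directory so no real key material is touched.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Server side: constructed RSA key pair. The private key stays on the server; the public
# key is what every browser can obtain (in practice it is carried inside the certificate).
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
openssl rsa -in "$WORK/server.key" -pubout -out "$WORK/server.pub" 2>/dev/null

# Server -> browser: sign (the page's "encrypt with the private key") a message.
sign_message() {    # $1 = message text, $2 = path to write the signature to
  printf '%s' "$1" > "$WORK/signed.msg"
  openssl dgst -sha256 -sign "$WORK/server.key" -out "$2" "$WORK/signed.msg"
}

# Anyone with the public key can check the signature. Echoes "valid" or "invalid" and
# always exits 0, so a caller can branch on the word rather than on an exit status.
verify_message() {  # $1 = message text as received, $2 = signature path
  printf '%s' "$1" > "$WORK/received.msg"
  if openssl dgst -sha256 -verify "$WORK/server.pub" -signature "$2" \
       "$WORK/received.msg" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

# Browser -> server: encrypt with the public key; only the private key can decrypt.
encrypt_for_server() {  # $1 = plaintext, $2 = path to write the ciphertext to
  printf '%s' "$1" > "$WORK/plain.msg"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/server.pub" \
    -in "$WORK/plain.msg" -out "$2"
}
decrypt_on_server() {   # $1 = ciphertext path; echoes the recovered plaintext
  openssl pkeyutl -decrypt -inkey "$WORK/server.key" -in "$1"
}

# Walk through both directions, including a message altered in transit.
demo() {
  sign_message "price: 100" "$WORK/msg.sig"
  echo "signature on original message:  $(verify_message 'price: 100' "$WORK/msg.sig")"
  echo "signature on altered message:   $(verify_message 'price: 1' "$WORK/msg.sig")"
  encrypt_for_server "session secret" "$WORK/msg.enc"
  echo "server decrypted:               $(decrypt_on_server "$WORK/msg.enc")"
}
demo
```

The altered-message case is the point of a signature: a public key can check that the bytes are exactly what the private-key holder signed, but it cannot produce a signature of its own.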

Digital certificates

A digital certificate is digitally signed by an authoritative certificate authority (CA); it provides effective online authentication and helps entities identify each other.

A digital certificate is a file that holds the information of an entity together with the public key corresponding to the private key owned by that entity.

CA (Certificate Authority)

A CA is a certificate authority: the institution that issues, manages and revokes digital certificates.

The role of a CA is to check the legitimacy of the certificate holder's identity and to issue the certificate (by signing it), so that the certificate cannot be forged or tampered with, and to manage certificates and keys.

SSL and CA

A CA is a digital certificate authority, an SSL certificate is a digital certificate, a CA issues an SSL certificate, and HTTPS is the form in which an SSL certificate is put to use.

HTTPS access process

Goal: make a self-signed certificate (with your own CA).

Files used by the server: ca.crt, server.crt, server.key

Terms:

Certificate formats:

Certificate format conversion: http://blog.csdn.net/adeyi/article/details/8299473

PEM format: Base64-encoded ASCII file; usually stores the server certificate, intermediate certificates and the private key; applications: Apache and similar servers; extensions .pem, .crt, .cer, .key

DER format: binary-encoded file; can store all certificates and private keys; application: Java; extensions .der, .cer, .crt

PKCS#7/P7B format: Base64 format; stores certificates or certificate chains, cannot store private keys; applications: supported by Windows and Tomcat; extensions .p7b, .p7c, .spc

PKCS#12/PFX format: encrypted binary format; stores the server certificate, intermediate certificates and the private key; application: importing and exporting certificates and private keys in Windows; extensions .pfx, .p12

CSR: Certificate Signing Request

1. Making a CA

1.1. Create an RSA private key for the CA (DES3-encrypted, PEM format)

openssl genrsa -des3 -out ca.key 1024

des3 -- encryption algorithm

A password is prompted for during the process; the DES3 algorithm encrypts the ca.key file with the password entered.

Attached:

View details of the private key: openssl rsa -noout -text -in ca.key

Remove the password from the private key: openssl rsa -in ca.key -out ca.key

1.2. Create a self-signed certificate for the CA (x509 structure, output in PEM format)

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

x509 -- certificate structure

Attached:

View certificate information: openssl x509 -noout -text -in ca.crt

2. Self-built server certificate

2.1 Generate the server private key

openssl genrsa -des3 -out server.key 1024

2.2 Generate the server certificate request

openssl req -new -key server.key -out server.csr

2.3 Sign the server certificate with the CA

openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out servercert.crt

(-CAcreateserial creates the CA's serial-number file, ca.srl, the first time this CA signs a request; older OpenSSL releases fail without it.)

When signing is complete, the certificate request response (the signed certificate) and the CA root certificate are returned to the requester, the server side.
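Steps 1.1 through 2.3 run end to end, as an added example rather than the page's own commands: the password prompt is replaced by -passout/-passin and the interactive subject questions by -subj, so the script runs unattended, and it finishes with the check a client performs, verifying the issued certificate against the right CA and against an unrelated one. The CA name, host name, password and the 2048-bit key size are constructed for the demo (the page uses 1024 bits); the script assumes the openssl binary is installed.

```shell
#!/usr/bin/env bash
# Added example, not the page's own commands. Assumes the openssl binary is available.
# Names (Demo Root CA, www.example.test, the password) are constructed for the demo.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1
CA_PASS='pass:demo-only-password'   # stands in for the interactive password prompt

build_ca_and_server_cert() {
  # 1.1 CA private key, DES3-encrypted PEM as on the page (2048 bits rather than 1024:
  #     1024-bit RSA is below today's accepted minimum)
  openssl genrsa -des3 -passout "$CA_PASS" -out ca.key 2048 2>/dev/null
  # 1.2 self-signed CA certificate, x509, PEM, valid 365 days
  openssl req -new -x509 -days 365 -key ca.key -passin "$CA_PASS" \
    -subj '/O=Example/CN=Demo Root CA' -out ca.crt
  # 2.1 server private key (left unencrypted here so a server could start unattended)
  openssl genrsa -out server.key 2048 2>/dev/null
  # 2.2 certificate signing request: the subject plus the server's public key
  openssl req -new -key server.key -subj '/O=Example/CN=www.example.test' -out server.csr
  # 2.3 the CA signs the request; -CAcreateserial creates ca.srl on first use
  openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -passin "$CA_PASS" \
    -CAcreateserial -out servercert.crt 2>/dev/null
}

# A second, unrelated CA: what a client sees when a certificate comes from an issuer it
# does not trust.
make_other_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Some Other CA' \
    -keyout other-ca.key -out other-ca.crt 2>/dev/null
}

# The check every client performs: does the certificate chain to a CA in the trust store?
# Echoes "trusted" or "untrusted" so the word can be tested instead of an exit status.
verify_against_ca() {  # $1 = certificate to check, $2 = CA certificate
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# Pull the common name out of a certificate's subject (works with old and new openssl output).
cert_cn() {  # $1 = certificate
  openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

build_ca_and_server_cert
make_other_ca
echo "issued to:              $(cert_cn servercert.crt)"
echo "issued by:              $(openssl x509 -noout -issuer -in servercert.crt)"
echo "against own CA:         $(verify_against_ca servercert.crt ca.crt)"
echo "against another CA:     $(verify_against_ca servercert.crt other-ca.crt)"
```

The "against another CA" line is why the next sections matter: a certificate is only as trusted as the CA the client holds in its store, so the CA certificate (ca.crt), not the server certificate, is what clients need to import.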

2.4 If another server accesses the HTTPS service from code (Java), use keytool to import the root certificate (chain) and the certificate request response into the Java cacerts store

keytool -import -alias isupcert -trustcacerts -file servercert.crt -keystore $JAVA_HOME/jre/lib/security/cacerts

Attached:

View the existing certificate: keytool -list -keystore cacerts -alias isupcert

Delete a certificate: keytool -delete -alias isupcert -keystore cacerts

3. Client-trusted security certificate

It is generally added to the browser's trust whitelist.

However, on some operating systems the root certificate must also be configured as a system-level certificate for it to keep working.

Mac OS X
To add a certificate:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/new-root-certificate.crt
To remove a certificate:
sudo security delete-certificate -c "<certificate common name>"

Windows
To add a certificate:
certutil -addstore -f "ROOT" new-root-certificate.crt
To remove a certificate:
certutil -delstore "ROOT" <serial-number-hex>

Linux (Ubuntu, Debian)
To add a certificate:
1. Copy the CA file to the directory /usr/local/share/ca-certificates/
2. Execute: sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
3. Update the CA certificate store: sudo update-ca-certificates
To remove a certificate:
1. Remove your CA file.
2. Update the CA store:
sudo update-ca-certificates --fresh
Restart Kerio Connect to reload the certificates (32-bit versions or Debian 7).

Linux (CentOS 6)
To add a certificate:
1. Install the ca-certificates package: yum install ca-certificates
2. Enable the dynamic CA configuration feature: update-ca-trust force-enable
3. Add it as a new file to /etc/pki/ca-trust/source/anchors/: cp foo.crt /etc/pki/ca-trust/source/anchors/
4. Execute: update-ca-trust extract
Restart Kerio Connect to reload the certificates (32-bit version).

Linux (CentOS 5)
To add a certificate:
Append your trusted certificate to the file /etc/pki/tls/certs/ca-bundle.crt: cat foo.crt >> /etc/pki/tls/certs/ca-bundle.crt
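What the Linux commands above actually do to the trust store, as an added example that is not from the page or from the Kerio article it quotes: update-ca-certificates files each CA under a subject-hash name in a directory that OpenSSL searches with -CApath, while the CentOS 5 recipe appends the CA to one PEM bundle searched with -CAfile. The script rebuilds both layouts in a temporary directory (no sudo, no change to the real system store) around a constructed self-signed root standing in for foo.crt, and assumes the openssl binary is installed.

```shell
#!/usr/bin/env bash
# Added example, not from the page or from the Kerio article it quotes. Assumes the
# openssl binary. Rebuilds the trust-store mechanics in a temporary directory, so no
# sudo and no change to the real system store.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Constructed self-signed root, standing in for foo.crt / new-root-certificate.crt.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Demo Root CA' \
  -keyout root.key -out foo.crt 2>/dev/null

# Echoes "trusted" or "untrusted". Extra arguments are passed to openssl verify, e.g.
# "-CApath dir" or "-CAfile bundle"; with none, only the default store is consulted.
trust_status() {  # $1 = certificate, $2... = store options
  cert="$1"; shift
  if openssl verify "$@" "$cert" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# Debian/Ubuntu style: update-ca-certificates places each CA into a directory (like
# /etc/ssl/certs) under the name <subject hash>.0, which is how -CApath finds it.
install_into_hashed_dir() {  # $1 = certificate, $2 = directory; echoes the file name used
  mkdir -p "$2"
  h="$(openssl x509 -noout -subject_hash -in "$1")"
  cp "$1" "$2/$h.0"
  echo "$h.0"
}

# CentOS 5 style: the CA is simply appended to one PEM bundle file.
append_to_bundle() {  # $1 = certificate, $2 = bundle file
  cat "$1" >> "$2"
}

echo "not in any store:  $(trust_status foo.crt)"
name="$(install_into_hashed_dir foo.crt certs)"
echo "hashed dir ($name): $(trust_status foo.crt -CApath certs)"
append_to_bundle foo.crt ca-bundle.crt
echo "bundle file:       $(trust_status foo.crt -CAfile ca-bundle.crt)"
```

The first line shows the untrusted state that the OS steps fix; the other two show that either layout makes the root trusted, which is why removing a CA requires re-running update-ca-certificates --fresh (or editing the bundle) rather than just deleting the source file.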

References:

How to add a custom CA root certificate to the operating system so it is trusted
https://www.qiansw.com/add-the-ca-root-certificate-to-the-operating-system-for-trust.html

SSL and CA
http://blog.csdn.net/lzs109/article/details/6960461
