SSL certificates must be known: digital certificates and CA Basics

SSL certificates must be known: digital certificates and CA Basics

Digital certificates

Digital certificate is a serial number of identity information in Internet communication, which provides a way to verify the identity of the communication entity on the Internet, and the digital certificate is not the number * * *, but a chapter or a seal (or a signature on the number * * *) that is covered by the identity certification authority. It is issued by the Authority--CA agency, also known as the Certificate Authority (Certificate Authority) center, where people can use it to identify each other. The simplest certificate contains a public key, a name, and a digital signature for the Certificate Authority Center. An important feature of digital certificates is that they are only valid for a specific period of time.

Digital certificates contain a lot of numbers and English, when using digital certificates for identity authentication, it will randomly generate 128-bit identity code, each digital certificate can generate a corresponding but not the same every time the same digital, so as to ensure the confidentiality of data transmission, that is equivalent to generate a complex password.

Digital certificates bind the public key and its holder's true identity, it is similar to the real life of the residents * * *, the difference is that the digital certificate is no longer a paper certificate, but a piece of information containing the identity of the certificate holder and approved by the Certification center issued electronic data, can be more convenient and flexible use in e-commerce and e-government.

Digital certificates can be used to: Send secure e-mail, access secure sites, online securities transactions, online bidding procurement, online office, online insurance, online tax, online sign-up and online banking security electronic transaction processing and secure electronic transaction activities.

Digital certificates can be popularly understood as the ancient call army Hufu or tokens, the general is a public key certificate, the emperor is the CA agency provided to the Minister of the Army is the certificate corresponding to the private key information.

CA Organization

CA institution, also known as Certificate Grant (Certificate Authority) center, as a trusted third party in e-commerce transactions, undertakes the responsibility of verifying the legitimacy of public key in public key system. The CA center issues a digital certificate for each user who uses the public key, and the role of the digital certificate is to certify that the user listed in the certificate has a legitimate public key listed in the certificate. The digital signature of the CA institution allows an attacker to forge and tamper with the certificate. It is responsible for generating, distributing and managing the digital certificates required by all individuals involved in online transactions, and is therefore a central part of secure electronic transactions. Thus, the construction of Certificate Authority (CA) center, is a necessary step to develop and standardize the e-commerce market. In order to guarantee the security, authenticity, reliability, integrality and non-repudiation of the information between users, it not only needs to verify the authenticity of the users, but also needs an authoritative, impartial and unique organization, which is responsible for issuing and managing the various subjects of e-commerce in line with the domestic and E-Commerce Security Certificate of the International Secure Electronic Transaction protocol standard.

WebTrust is a safety audit standard jointly developed by two leading certified Public Accountants Associations AICPA (American Institute of Certified Public Accountants) and CICA (Certified Public Accountants Association of Canada), which mainly focuses on the logical security of the system and business operation of Internet service providers, A total of seven items, such as confidentiality, are subject to near-rigorous scrutiny and verification.

Only through the WebTrust International Security Audit certification, the root certificate can be pre-provisioned to the mainstream browser and become a global trusted certification authority (CA).

The root certificate is installed into the operating system or browser, and the browser will default on all the child-signed certificates signed by the root certificate, which is also the Chinese Ministry of Railways, Cnnic,alibaba by inducing users to install root certificates for the ultimate purpose, This allows all certificates (software and Web sites) that are signed by these non-authoritative CA institutions to run on your computer without hindrance.

Certificate Issuance Process

A CSR is an acronym for Cerificate Signing request, a certificate requesting file, that is, when a certificate requester generates a private key while requesting a digital certificate, and the certificate requester generates a certificate request file, the certification authority CA uses the CSR file as soon as it is submitted to the certification authority The root certificate private key signature generates the certificate public key file , which is the certificate issued to the user.

The digital certificate issuance process is typically:
The user first generates their own key pair and transmits the public key and some personally identifiable information (CSR) to the certification authority (CA). Certification Center after verifying the identity, the necessary steps will be taken to make sure that the request is actually sent by the user, and then the certificate authority will send the user a digital certificate containing the user's personal information and his public key information, along with the signature information of the certificate authority. Users can use their own digital certificates for various activities related to them. Digital certificates are issued by a separate certificate issuer. Digital certificates vary, and each certificate can provide different levels of confidence. You can obtain your own digital certificate from the certificate issuer.

Working principle

The digital certificate adopts the public key system, which uses a pair of matching keys to encrypt and decrypt. Each user sets a specific private key (private key) that is only known to me, decrypts and signs it, and sets a public key (public key) to be shared with a group of users to encrypt and verify the signature. When a confidential file is sent, the sender encrypts the data with the receiver's public key, and the receiver decrypts it with its own private key, so that the information can arrive at the destination safely and without error. The encryption process is ensured by means of a digital process, that is, only the private key can be decrypted. In the public key cryptosystem, the RSA system is commonly used. Its mathematical principle is to decompose a large number into two prime numbers, and encrypt and decrypt two different keys. Even if plaintext, ciphertext, and encryption keys (public keys) are known, it is computationally impossible to derive the decryption key (The secret key). According to the current computer technology level, to crack 1024-bit RSA key, it takes thousands of years of computing time. Public key technology addresses the management of key publishing, where merchants can expose their public keys while preserving their private keys. Shoppers can encrypt the information they send with a publicly known public key and securely deliver it to the merchant, which is then decrypted by the merchant with its own private key.
The user can also use their own private key to the information processing, because the key is only for me, so that the others can not generate files, also formed a digital signature. With digital signatures, you can confirm the following two points:
The guarantee information is sent by the signer's own signature, and the signer cannot deny it or is difficult to deny.
The warranty information has not been modified since it was issued and the documents issued are real documents.

Digital signatures

The message is calculated by the hash algorithm agreed by both parties to obtain a fixed-digit message digest. Mathematically guaranteed: As long as any change in the message, the recalculation of the digest will be the value of the original value does not match. This guarantees the non-change of the message.
The digest value of the paper is encrypted with the sender's private key (there is no problem in decrypting the plaintext, an unreadable "plaintext" is obtained), which is then sent to the receiver along with the original message, and the "encrypted" message is called a digital signature.
After receiving the digital signature, the same hash algorithm is used to calculate the digest value of the original message, and then to decrypt the digital signature with the sender's public key (the original signature has been encrypted, and then decrypted can be restored) to compare the value of the reported digest. If equal, the message does come from the alleged sender.
(because only signers with private keys can generate signatures through a "decryption" digest, they are secure and non-repudiation.) ）
Then why is the digest to be encrypted instead of encrypting the original message? This is because RSA plus decryption is time-consuming, the larger the encrypted message, the more time it takes, so smart humans encrypt its digest (because the digest is much smaller than the original message), it can still play the same role. This is why a message digest is more.

Certificate Classification

Based on the application angle classification of digital certificates, digital certificates can be divided into the following types:

Server certificate

The server certificate is installed on the server device to prove the identity of the server and to encrypt the communication. Server certificates can be used to prevent fraudulent phishing sites.

After the server certificate is installed on the server, the client browser can establish an SSL connection with the server certificate, and any data transmitted over the SSL connection will be encrypted. At the same time, the browser will automatically verify that the server certificate is valid, verify that the site visited is a fake site, server certificate Protection of the site is used for password login, order Processing, online banking transactions. The world famous server certificate brand has Globalsign,verisign,thawte,geotrust and so on.
SSL certificate is mainly used for server (application) data transmission link encryption and identity authentication, binding website domain name, different products for different value of data and require different identity authentication.
The latest high-end SSL certificate product is an extended validation (EV) SSL certificate. Under the new generation of high security browsers such as IE7.0, FireFox3.0, and Opera 9.5, the browser address bar of a website that uses an extended authentication VeriSign (EV) SSL certificate is automatically rendered Green, which clearly tells users that the site they are visiting is strictly authenticated.
SSL certificates also have an enterprise Type SSL certificate (OVSSL) and a domain name certificate (DVSSL).

e-Mail Certificate

An e-mail certificate can be used to prove the authenticity of an e-mail sender. It does not prove the authenticity of the certificate owner name identified in the CN one above the digital certificate, which only proves the authenticity of the email address.
By receiving an e-mail with a valid electronic signature, we can be sure that the message has not been tampered with since it was issued, in addition to believing that it was actually sent out by the specified mailbox.
In addition, we can also send encrypted messages to the receiving party using the received mail certificate. The encrypted message can be transmitted over a non-secure network, and only the bearer of the receiver may open the message.

Personal certificate

client certificates are primarily used for authentication and electronic signatures.
A secure client certificate is stored in a dedicated usbkey. The certificate stored in key cannot be exported or copied, and key must be entered with the key's protection password. The use of the certificate requires physical acquisition of its storage media usbkey, and the need to know the key's protection password, which is also known as two-factor authentication. This kind of authentication means is one of the most secure authentication means in the Internet at present. There are various types of key, such as fingerprint identification, third key confirmation, voice reading, and special Usbkey and ordinary usbkey with display.
The digital certificate can be broadly divided into: Personal digital certificate, Unit digital certificate, Unit employee digital certificate, server certificate, VPN certificate, WAP certificate, code signing certificate and form signing certificate.

Code Signing Certificate Code Signing SSL
Code-signing certificate Codes Signing SSL provides an ideal solution for software developers, enabling software developers to digitally sign their software code. The code is digitally signed to identify the source of the software and the true identity of the software developer, ensuring that the code is not maliciously tampered with after signing. Enables users to effectively validate the trustworthiness of a signed code when it is downloaded.

Benefits of using code signing certificates a code program or content issued by a developer can enhance the software's download, adoption, and release rates by code signing verification. Reduce code programs and content error messages and security warnings to establish a brand trust relationship. Prevent users from downloading code programs and content that contain malicious files. When users download, install code programs and content through the Internet and mobile network, the system jumps out of the developer's information and increases security significantly. Make sure that the end user knows that the software is legitimate and that the code has not been tampered with since it was released. A Code Signing certificate eliminates Internet Explorer and the "unknown publisher" that pops up on the Windows operating system.

Extended reading:

Frequently asked questions when generating a CSR file

1. Do not use certain special characters

Do not use certain special characters when you request a server SSL certificate, or you will receive a "105" error code after you submit the CSR file. This error is due to the fact that when you generate the CSR file, the information entered contains special characters such as: (@,#,&,!, and so on, for example: you can replace "&" with "and").

What is the common name common name?

2. Save the private key key file
To generate a CSR file, you must create a key for the server key. Key key and SSL certificate is inseparable, once the public key, private key or password is lost or damaged, after the key key file is regenerated, and the original SSL certificate does not match, then need to regenerate the CSR file.

Apache Related configuration:

Sslengine on enable SSL feature
Sslcertificatefile certificate File Domain.crt
Sslcertificatekeyfile private Key File Domain.key
Sslcertificatechainfile Certificate chain file Ca.crt

Nginx Related configuration:
Listen 443 SSL Access port number is 443
SSL on enable SSL feature
Ssl_certificate certificate File Yourdomain_server.crt
Ssl_certificate_key private Key File Yourdomain_server.key

Saves the certificate as a specified directory and file name, and also saves the key file as a file name under the specified directory.
Certificate file: Httpd/conf/ssl.crt/server.crt (this file is the certificate authority sent back to you. )
Key file: Httpd/conf/ssl.key/server.key

SSL Certificate Request process
1. Generate a Certificate signing request CSR file
2. Submit the CSR file and relevant supporting documents to the CA agency or the relevant agent for the relevant SSL certificate
3. After the SSL certification Authority Comodo/rapidssl/geotrust/thawte/verisign/globalsign/alphassl/symantec/trustwave accepted the certificate request file CSR , the system automatically sends a confirmation email to the domain administrator's mailbox to verify that the domain owner is true and valid.
4. Verify the organization information through the domain name Public information and confirm the authenticity of the Organization information through the manual verification method.
5. Issue an SSL certificate
The domain authentication DV SSL certificate usually can issue the related SSL certificate 1-2 hours after the confirmation message completes; Enterprise Authentication ov SSL Certificate/enhanced authentication EV SSL Certificate verification time will be longer, 5-15 business days, need to cooperate with the submission of some necessary files to the certificate authority, after verification is completed the CA will send SSL certificate to the registered mailbox.

This article from "Ops said: from rookie to veteran" blog, please be sure to keep this source http://liuqunying.blog.51cto.com/3984207/1664246

SSL certificates must be known: digital certificates and CA Basics