Http://www.cnblogs.com/P_Chou/archive/2010/12/27/https-ssl-certification.htmlGlobal trusted SSL Digital certificate request: http://www.shuzizhengshu.com
In the Internet Secure Communication mode, the most used is HTTPS with SSL and digital certificates to ensure the security of transmission and authentication. This article has been traced around this model for a brief discussion.noun explanation
First explain some of the above nouns:
Therefore, the relationship between the three is clear: HTTPS relies on a way of implementation, the current common is SSL, digital certificate is to support this secure communication files. There is also SSL-derived TLS and WTLS, the former is Ieft SSL standardization (TSL1.0), and the SSL difference is very small, the latter is used in the wireless environment of the TSL.How to encrypt Common encryption Algorithms
encryption process for SSL
In the hashing algorithm (also called the Digest algorithm), there are two concepts, strong collision-free and weak collision-free. Weak collision-Free is the same summary information for the given message X, which is the plaintext you want to forge. That means you can control the contents of the plaintext. Strong collision-free refers to the ability to find the same summary information, but the forged plaintext is not known.
The efficiency of asymmetric encryption and decryption algorithm is much lower than that of symmetric plus decryption. Therefore, SSL in the handshake process using asymmetric cryptographic algorithm to negotiate the key, the actual use of symmetric encryption and decryption method to encrypt the transmission of HTTP content. Here is a metaphor for the image of the process (excerpt from http://blog.chinaunix.net/u2/82806/showart_1341720.html):
Suppose a communicates with B, A is the SSL client and B is the SSL server side, and the encrypted message is placed in square brackets  to highlight the difference between the plaintext messages. The description of the handling action of both parties is enclosed in parentheses ().
A: I want to talk to you safely, I here the symmetric encryption algorithm has DES,RC5, the key exchange algorithm has RSA and DH, Digest algorithm has MD5 and SHA.
B: We'll use the Des-rsa-sha to set it up.
This is my certificate, which has my name and public key, you take to verify my identity (send the certificate to a).
A: (see if the name of B on the certificate is correct, and verify the authenticity of B's certificate through a certificate of the number already in hand, if one of the errors, issue a warning and disconnect, this step ensures the authenticity of B's public key)
(generates a secret message that will be treated as a symmetric encryption key, encrypting the initialization vector and the HMAC key.) This secret message-the protocol, known as per_master_secret-, is encrypted with the public key of B, encapsulated in a message called Clientkeyexchange. Due to the use of B's public key to ensure that third parties cannot eavesdrop)
I generated a secret message and encrypted it with your public key and gave it to you (send Clientkeyexchange to B)
Note that I'm going to send you a message in an encrypted way!
(Process secret messages, generate encryption keys, encrypt initialization vectors, and keys for HMAC)
B: (Use your own private key to decrypt the secret message in Clientkeyexchange, and then process the secret message, generate the encryption key, encrypt the initialization vector and the HMAC key, the two sides have negotiated a set of encryption method safely)
Note that I will also start to send you a message in an encrypted way!
A: [My secret is ...]
B: [Others won't hear ...]
As you can see from the above procedure, how the SSL protocol negotiates the key with an asymmetric cryptographic algorithm and encrypts the plaintext and transmits it using the key. Here are some additional points:
1.B uses a digital certificate to wrap its public key and other information to send the identity of A,a authentication B, the following talks about how a is verified.
2.A generates cryptographic keys, cryptographic initialization vectors, and HMAC keys that are used by both parties to digest and encrypt plaintext. The cryptographic initialization vector and the HMAC key are first used to digest the plaintext (prevent the plaintext from being tampered with), and then the digest and plaintext are encrypted with the encryption key and then transmitted.
3. Since only B has a private key, only B can decrypt the Clientkeyexchange message and obtain a subsequent communication key.
4. In fact, the above process B does not verify the identity of a, if necessary, SSL is also supported, at this time a also need to provide their own certificate, here is not expanded. When you set up SSL require for IIS, the Igore client certification is usually the default.Digital Certificates
As can be known from the above discussion, digital certificates play the role of identity authentication and key distribution during SSL transmission. What exactly is a digital certificate?
In short, a digital certificate is a file that proves the identity of the bearer on a network and also contains a public key. On the one hand, since it is possible to "forge" the document, therefore, the authenticity of the certificate requires a verification method, on the other hand, the verifier needs to agree with this method of authentication.
For the first requirement, the current solution is that the certificate can be issued by an internationally recognized certificate authority, which is recognized as a trust authority, and some client applications that verify certificates: such as browsers, mail clients, etc., that are fully trusted for certificates issued by these institutions. Of course, to ask these institutions to issue certificates but to pay "to", usually when the Windows Deployment system will let the client install our own server root certificate, so that the client can also trust our certificate.
For the second requirement, the client program usually maintains a "list of root trusted institutions", when a certificate is received, to see if the certificate is issued by the authority in the list, and if it is, the certificate is trustworthy, otherwise it will not be trusted.Trust of Certificates
Therefore, as an HTTPS site needs to be bound with a certificate, in any case, the certificate always requires an agency issued, the institution can be an internationally recognized certificate authority, or any computer that has Certificate Services installed. Whether the client can trust the certificate for this site depends first on whether the client program has imported the certificate issuer's root certificate. Illustrates this process:
Sometimes a certificate authority may authorize another certificate authority to issue a certificate, so that a certificate chain appears.
IE browser in the verification of the certificate is mainly from the following three aspects, as long as any one of the unsatisfied will give a warning
In addition, the browser periodically views the certificate revocation list published by the certificate issuer, and warns if a certificate is listed in the certificate revocation list by its issuer, although it meets the above criteria. The CRL distribution Point field for each certificate shows the URL to view the list. However, Windows is "insensitive" to this list, which means that the Windows API caches the list until the cached expiration of the set expires before the new list is downloaded from the CRL distribution point. Currently, you can only make Windows clients "sensitive" by setting this validity period (minimum 1 days) as small as possible on the certificate issuing server. The specific setting method is (winserver2003):
Access the Administrator tool, certificate Authority, right-click the revoked certificates directory, under one of the Certificate Services properties:
Change the CRL publishing cycle to 1 days, as set in the figure.Deploying a digital certificate-based HTTPS Web site in IIS
Building an HTTPS site in IIS6 requires several key steps:
In the SSL encryption Process section, we know that to implement SSL encrypted communication, both parties must negotiate the key, and SSL uses asymmetric encryption to implement the key exchange. In this process, the public key that the server sends to the client is included in the certificate. The client encrypts its generated key with the public key, and the service side decrypts the private key that is matched by the public key. As a result, it can be thought that the server has a private key saved and is bound to the HTTPS site.bind the private key and the certificate that does not bind the private key
If the certificate holder has the private key of the certificate, you can divide the certificate into two types: for example, when our native owns the certificate's private key, as shown on the left, otherwise, as shown on the right :
As you can see, the diagram on the left identifies "you have a private key that matches the certificate" and the right image does not. For a certificate that needs to be bound to an HTTPS site, it must be in the form of a left-hand image, which should be distributed to the client in the form of the right figure instead of the left figure.
For the certificate on the left, you can also export the. pfx format, which contains the private key, for backing up certificates or distributing them as follows:
Select to export the private key at the same time
The password entered here is to be entered when reinstalling, so comfirm.
Select a file to be stored with a. pfx suffix automatically
For normal certificates, you cannot export a. PFX form that contains a private key, only the following three formats can be exported:Summary
This paper summarizes the basic concepts of https/ssl/digital certificate, expounds the implementation principle of SSL protocol, and expounds the role that digital certificate plays in it.
Fruits of labor, reproduced please specify the source: http://www.cnblogs.com/P_Chou/archive/2010/12/27/https-ssl-certification.html
[Turn] on https\ssl\ digital certificate