Verification process and generation method of HTTPS certificate

Source: Internet
Author: User
Tags decrypt openssl rsa openssl x509 ssl certificate asymmetric encryption

1. Concise Explanation:

1. Server generates public and private keys with RSA
2. Put the public key in the certificate sent to the client, the private key to save itself
3. The client first checks the validity of the certificate to an authoritative server, if the certificate is valid, the client generates a random number, the random number as the key of the communication, we call it the symmetric key, encrypt the random number with the public key, and then send to the server
4. The server uses the key to decrypt the symmetric key, and then the two sides encrypt and decrypt the symmetric key to communicate.
PS: Asymmetric RSA encryption performance is very low, because of the search for large prime numbers, large number of calculations, data segmentation requires a lot of CPU cycles, so the general HTTPS connection only in the first handshake using asymmetric encryption, through the handshake exchange symmetric encryption key, after the communication away symmetric encryption.

2. In detail:

1. The browser sends a set of encryption rules that it supports to the Web site.
2. The website selects a set of cryptographic algorithms and hash algorithms, and sends its own identity information back to the browser in the form of a certificate. The certificate contains information such as the website address, the encrypted public key, and the issuing authority of the certificate.
3. After the browser obtains the website certificate, the browser will do the following work:
A) Verify the legality of the certificate (the issuing authority is legal, the certificate contains the address of the website is consistent with the address being accessed, etc.), if the certificate is trusted, the browser bar will display a small lock, otherwise the certificate is not trusted to prompt.
b) If the certificate is trusted, or if the user accepts an untrusted certificate, the browser generates a random number of passwords and encrypts them with the public key provided in the certificate.
c) computes the handshake message using the agreed-upon hash algorithm, encrypts the message using the generated random number, and finally sends all previously generated information to the Web site.
4. After the Web site receives the data from the browser, do the following:
A) Use your own private key to decrypt the information to remove the password, use the password to decrypt the browser's handshake message, and verify that the hash is consistent with the browser.
b) Encrypt a handshake message with a password and send it to the browser.
5. The browser decrypts and calculates the hash of the handshake message, if it is consistent with the hash of the server, at which point the handshake process ends, and all the communication data will be encrypted by the random password generated by the previous browser and using the symmetric encryption algorithm.

3. Implementation: Generate key, certificate

The first step is to prepare the public and private keys for the server side and client

[Java]View PlainCopy
    1. # Generate server-side private key
    2. OpenSSL genrsa-out server.key 1024x768
    3. # Generate server-side public key
    4. OpenSSL rsa-in server.key-pubout-out Server.pem
    5. # Generate client private key
    6. OpenSSL genrsa-out client.key 1024x768
    7. # Generate client Public key
    8. OpenSSL rsa-in client.key-pubout-out Client.pem

Step two, generate the CA certificate

[Java]View PlainCopy
    1. # Generate CA Private key
    2. OpenSSL genrsa-out ca.key 1024x768
    3. # X.509 Certificate Signing Request (CSR) Management.
    4. OpenSSL req-new-key ca.key-out CA.CSR
    5. # X.509 Certificate Data Management.
    6. OpenSSL x509-req-in Ca.csr-signkey ca.key-out ca.crt

When you perform the second step, it appears:

[Java]View PlainCopy
  1. ? Keys OpenSSL req-new-key ca.key-out CA.CSR
  2. You is about-to is asked to-enter information that'll be incorporated
  3. into your certificate request.
  4. What's about-to-enter is called a distinguished Name or a DN.
  5. There is quite a few fields but can leave some blank
  6. For some fields there would be a default value,
  7. If you enter '. ', the field would be a left blank.
  8. -----
  9. Country Name (2 letter code) [AU]:CN
  10. State or province name (full name) [Some-state]:zhejiang
  11. Locality Name (eg, city) []:hangzhou
  12. Organization Name (eg, company) [Internet widgits Pty ltd]:my CA
  13. Organizational Unit Name (eg, section) []:
  14. Common name (e.g. server FQDN or YOUR name) []:localhost
  15. Email Address []:

Note that the Organization Name (eg, company) [Internet Widgits Pty Ltd]: later generation of the client and server-side certificate is also required to fill in, do not write the same!!! Feel free to write as follows: My CA, my Server, my Client.

Then Common Name (e.g. server FQDN or YOUR name) []: this one, is the last to access the domain name, I here for the convenience of testing, written localhost , if it is to give my site to generate certificates, need to write .

Step three, generate the server-side certificate and the client certificate

[Java]View PlainCopy
  1. # The server needs to request a signing certificate from the CA institution and still create its own CSR file before requesting a signing certificate
  2. OpenSSL req-new-key server.key-out SERVER.CSR
  3. # Request a certificate from your CA institution, the signing process requires a CA's certificate and private key participation, and eventually a certificate with a CA signature
  4. OpenSSL x509-req-ca ca.crt-cakey ca.key-cacreateserial-in server.csr-out server.crt
  5. # Client Side
  6. OpenSSL req-new-key client.key-out CLIENT.CSR
  7. # Client-to-CA signature
  8. OpenSSL x509-req-ca ca.crt-cakey ca.key-cacreateserial-in client.csr-out client.crt

At this point, our keys folder already has the following content:

[Java]View PlainCopy
  1. .
  2. ├──https-client.js
  3. ├──https-server.js
  4. └──keys
  5. ├──ca.crt
  6. ├──ca.csr
  7. ├──ca.key
  8. ├──ca.pem
  9. ├──
  10. ├──client.crt
  11. ├──client.csr
  12. ├──client.key
  13. ├──client.pem
  14. ├──server.crt
  15. ├──server.csr
  16. ├──server.key
  17. └──server.pem

See the above two JS files, we run a few demo.

HTTPS Local test

Server code:

[Java]View PlainCopy
  1. File Http-server.js
  2. var https = require (' https ');
  3. var fs = require (' FS ');
  4. var options = {
  5. Key:fs.readFileSync ('./keys/server.key '),
  6. Cert:fs.readFileSync ('./keys/server.crt ')
  7. };
  8. Https.createserver (Options, function (req, res) {
  9. Res.writehead (200);
  10. Res.end (' Hello World ');
  11. }). Listen (8000);

Just a few lines of code to build a simple HTTPS server, options to the private key and certificate on the. Then use Curl to test:

[Java]View PlainCopy
  1. ? HTTPS Curl https://localhost:8000
  2. Curl: (certificate) SSL problem:invalid certificate chain
  3. More details Here:
  4. Curl performs SSL certificate verification By default, using a "bundle"
  5. of Certificate Authority (CA) public keys (ca certs). If the default
  6. Bundle file isn ' t adequate, you can specify an alternate file
  7. Using the--cacert option.
  8. If This HTTPS server uses a certificate signed by a CA represented in
  9. The bundle, the certificate verification probably failed due to a
  10. Problem with the certificate (it might is expired, or the name might
  11. Not match the domain name in the the URL).
  12. If you' d like to turn off Curl's verification of the certificate, use
  13. The-k (or--insecure) option.

When we visit directly,curl https://localhost:8000

A bunch of hints, the reason is that without CA certification, adding -k parameters can solve this problem:

[Java]View PlainCopy
    1. ? HTTPS curl-k https://localhost:8000
    2. Hello world%

Such a way is unsafe, there is the man-in-the-middle attack problem we mentioned above. Can get a client to bring the CA certificate to try:

[Java]View PlainCopy
  1. File Http-client.js
  2. var https = require (' https ');
  3. var fs = require (' FS ');
  4. var options = {
  5. Hostname: "localhost",
  6. Port: 8000,
  7. Path: '/',
  8. methed: ' GET ',
  9. Key:fs.readFileSync ('./keys/client.key '),
  10. Cert:fs.readFileSync ('./keys/client.crt '),
  11. CA: [Fs.readfilesync ('./keys/ca.crt ')]
  12. };
  13. options.agent = new https.  Agent (options);
  14. var req = https.request (options, function (res) {
  15. Res.setencoding (' utf-8 ');
  16. Res.on (' data ', function (d) {
  17. Console.log (d);
  18. });
  19. });
  20. Req.end ();
  21. Req.on (' Error ', function (e) {
  22. Console.log (e);
  23. });

First open the server and node http-server.js then execute

[Java]View PlainCopy
    1. ? HTTPS node Https-client.js
    2. Hello World

If your code doesn't output

hello world, stating that there was a problem with the certificate generation. You can also access it via the browser:

Prompt error:

This server cannot prove that it is localhost, and your computer's operating system does not trust its security credentials. This problem may occur because of an incorrect configuration or if your connection is blocked.

The reason is that the browser does not have a CA certificate, only the CA certificate, the server can determine that the user is the real access request from localhost (for example, not the proxy).

You can click on 继续前往localhost(不安全) this link, equivalent to execute curl -k https://localhost:8000 . If our certificate is not issued by ourselves, but to a reliable institution to apply for, then there will be no such problem, because the certificate of the Organization will be placed in the browser, the browser will help us do a lot of things. The first attempt of the classmate can go to to apply for a free certificate.

Reference Link: 71512809

Verification process and generation method of HTTPS certificate

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.