The function realization of TLS/SSL mainly depends on three basic algorithms: Hash function hash, symmetric encryption and asymmetric encryption. Among them, asymmetric encryption is used to realize identity authentication and key negotiation, and symmetric encryption algorithm uses negotiated key to encrypt data, and verifies the integrity of information based on hash function.

The key to solve the above authentication problem is to ensure that the obtained public key is legal and can verify the identity information of the server. Therefore, it is necessary to introduce the authoritative third-party organization CA. CA is responsible for verifying the information of public key owners, issuing authentication "certificates" and providing certificate verification services for users, namely PKI system.

The basic principle is that CA is responsible for auditing information, then "signing" the key information with the private key, and disclosing the corresponding public key, and the client can verify the signature with the public key. A CA can also revoke a certificate that has been issued. The basic methods include two types of CRL files and OCSP. The specific process of using CA is as follows: