How to obtain the private key and public key in ca certificate
A CA also has a certificate, and behind it a key pair. The public key is embedded in the CA certificate, which anyone may obtain; the private key is never part of any certificate and stays under the CA's sole control. Users on the Internet trust the CA by verifying the signatures it makes, and anyone can take the CA's certificate (that is, its public key) and use it to verify the certificates the CA has issued. This is the short answer to the question in the title: the public key of a CA certificate can be read out of the certificate itself, whereas the private key cannot be obtained from the certificate at all, because it exists only in the CA's own key store.

If a user wants a certificate of his own, he first applies to the CA. The applicant generates a key pair himself and submits only the public key together with his identity information (a certificate signing request). After the CA has confirmed the applicant's identity, it binds that public key to the identity information, signs the result with the CA private key, and sends the finished certificate to the applicant. To check another party's certificate, a user verifies the CA's signature on it with the CA's public key; if the signature verifies and the certificate is within its validity period, the certificate is accepted.

A certificate is therefore a CA's attestation of a user's public key. Its contents include information about the issuing authority, information about the holder of the public key, the public key itself, the authority's signature and the validity period. The format and verification method of certificates generally follow the international X.509 standard.

Encryption is the process of converting readable text into an unreadable form (ciphertext). In this sense the familiar "http" becomes "https": the same HTTP traffic is carried over an encrypted connection whose server certificate was issued by a CA, so the information cannot be eavesdropped on in transit. GlobalSign is one of the CAs that issue such certificates in China. Decryption is the reverse process, converting ciphertext back into directly readable text.

How can an electronic document be signed? With a digital signature. The RSA public-key system can produce digital signatures over digital information.
Method: the sender extracts characteristic data (a digital fingerprint, i.e. a digest) from the message to be transmitted and applies the RSA signing operation to it with its private key. This ensures that the sender cannot later deny having sent the message (non-repudiation) and that any modification of the message in transit can be detected (integrity). On receipt, the receiver verifies the digital signature with the sender's public key.

The digital fingerprint is produced by a cryptographic hash function and is central to the digital signature. Such a hash function has the following properties: 1. the input message may be of any length; 2. for any input it produces a digest (digital fingerprint) of fixed length; 3. the digest is easy to compute from the message; 4. given a digest, it is infeasible to construct a message that hashes to it; 5. it is infeasible to find two different messages with the same digest. Because the signature is computed over the digest rather than over the message itself, sender and receiver must use the same hash function, and the strength of the signature is bounded by these properties.

Verification: after receiving the message, the receiver checks the signature in the following steps: 1. if the message was additionally encrypted to the receiver, decrypt it with the receiver's own private key to recover the plaintext and the attached signature; 2. apply the sender's public key to the signature to recover the original digest; 3. hash the received plaintext to produce a fresh digest; 4. compare the two digests. If they are identical, the signer holds the private key matching that public key and the message is unchanged; whether that key really belongs to the claimed sender is what the sender's certificate establishes. If the two digests differ, there are two possible reasons: the signature was produced with a private key other than the signer's, so the claimed signer cannot be trusted; or the message received is not the message the signer sent, because it was corrupted or tampered with in transit.
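The sign-and-verify procedure above, including both causes of a digest mismatch, as an added example using the openssl command line. This is not code from the original article; the key files, the message text and the function names are chosen for this demo.

```shell
#!/bin/sh
# Added example (not from the original article): RSA signature over a SHA-256
# digest with the openssl CLI, verified with the sender's public key, plus the
# two failure cases the text describes (tampered message, wrong private key).
# Assumes openssl is on PATH; file names and the message are constructed for
# this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Sender's key pair. The private key never leaves the sender; the public key
# is what the receiver holds (normally inside the sender's certificate).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/sender.key" 2>/dev/null
openssl pkey -in "$WORK/sender.key" -pubout -out "$WORK/sender.pub" 2>/dev/null

# Constructed sample message.
printf 'Transfer 100 EUR to account 42\n' > "$WORK/message.txt"

# digest_of FILE: the fixed-length SHA-256 "digital fingerprint" (64 hex chars)
# of a file of any length.
digest_of() {
    openssl dgst -sha256 -r "$1" | cut -c1-64
}

# sign_message MESSAGE PRIVKEY SIGOUT: hash MESSAGE with SHA-256 and RSA-sign
# the digest; the signature is written to SIGOUT.
sign_message() {
    openssl dgst -sha256 -sign "$2" -out "$3" "$1"
}

# verify_message MESSAGE PUBKEY SIG: recompute the digest of MESSAGE and check
# it against the digest recovered from SIG with PUBKEY. Exit status 0 = valid.
verify_message() {
    openssl dgst -sha256 -verify "$2" -signature "$3" "$1" >/dev/null 2>&1
}

sign_message "$WORK/message.txt" "$WORK/sender.key" "$WORK/message.sig"

# Case 1: untouched message, genuine public key -> the digests agree.
genuine_ok() {
    verify_message "$WORK/message.txt" "$WORK/sender.pub" "$WORK/message.sig"
}

# Case 2: one character changed in transit -> the recomputed digest differs
# from the signed one, so verification fails (integrity).
tampered_ok() {
    printf 'Transfer 900 EUR to account 42\n' > "$WORK/tampered.txt"
    verify_message "$WORK/tampered.txt" "$WORK/sender.pub" "$WORK/message.sig"
}

# Case 3: signature made with some other private key -> the sender's public
# key does not recover a matching digest, so the signer is not the sender.
impostor_ok() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/impostor.key" 2>/dev/null
    sign_message "$WORK/message.txt" "$WORK/impostor.key" "$WORK/impostor.sig"
    verify_message "$WORK/message.txt" "$WORK/sender.pub" "$WORK/impostor.sig"
}

echo "digest: $(digest_of "$WORK/message.txt")"
genuine_ok  && echo "genuine message:  signature valid"
tampered_ok || echo "tampered message: signature rejected"
impostor_ok || echo "impostor key:     signature rejected"
```

Run it as a plain script; the three reported outcomes correspond to the successful verification and the two mismatch causes in the text. Note that `openssl dgst -verify` exits non-zero in both failure cases and does not say which one occurred: from the receiver's side a forged signature and a tampered message look the same, which is why the sender's public key must itself be bound to an identity by a certificate.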
Digital certificate: a digital certificate provides electronic authentication for secure communication between two parties. On the Internet, an intranet or an extranet, digital certificates are used for identity identification and for encrypting electronic information. A digital certificate contains the identity information of the owner of a key pair (public key and private key) together with the public key; by checking the CA's signature over that identity information, the holder of the certificate can be authenticated.

Installation method: in many cases there is no need to install a CA certificate at all. Most operating systems ship with a default set of CA certificates issued by well-known commercial certificate authorities (such as GoDaddy or VeriSign). A device therefore only needs an additional CA certificate installed when it must trust an unknown or local (private) certificate authority. Be aware that installing a CA certificate into a device's trust store makes every certificate that CA ever signs trusted by that device, so only install a CA you operate yourself or have verified through an independent channel, and obtain its certificate over a trustworthy path rather than an unauthenticated download.

There is no single standard procedure for downloading and installing a CA certificate. The method depends on several factors: the type of server acting as the certification authority, how that authority is configured, and the operating system of the device on which the CA certificate is to be installed. If a Windows server is configured as a certificate authority, the administrator can generally generate and download certificates through its Web interface. The address of this Web interface is usually https://
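An added example (not from the original article) that ties together the certificate issuance flow described earlier and the trust-store installation step just described, using the openssl command line. It builds a throwaway CA, reads the public key out of the CA certificate, has an applicant submit a CSR, issues the applicant's certificate, and shows that a relying party accepts that certificate only after the CA certificate has been placed in its trust bundle. The subject names (Demo Root CA, Other Root CA, www.example.test), the file names and the function names are all chosen for this demo.

```shell
#!/bin/sh
# Added example (not from the original article): a throwaway CA built with the
# openssl CLI. It shows that a CA certificate carries only the public key
# (the private key is a separate file that never leaves the CA), that the
# applicant generates its own key pair and submits only the public key in a
# certificate signing request (CSR), and that a relying party accepts the
# issued certificate only once the CA certificate sits in its trust bundle.
# Assumes openssl is on PATH; all subjects and file names are chosen for this
# demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. CA key pair plus self-signed CA certificate (short validity for a demo).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 10 \
    -subj '/CN=Demo Root CA' \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. The public key is obtained from the certificate itself; this is all the
#    key material a certificate contains and anyone may extract it.
ca_public_key_from_cert() {
    openssl x509 -in "$WORK/ca.crt" -pubkey -noout
}

# Only the CA can do this: derive the public key from the private key file.
ca_public_key_from_private() {
    openssl pkey -in "$WORK/ca.key" -pubout 2>/dev/null
}

# 3. The applicant makes its own key pair and a CSR carrying the public key and
#    identity, signed with the applicant's private key as proof of possession.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj '/CN=www.example.test' \
    -keyout "$WORK/applicant.key" -out "$WORK/applicant.csr" 2>/dev/null

# 4. The CA checks the CSR's self-signature, then binds the applicant's public
#    key to the identity by signing the certificate with the CA private key.
openssl req -in "$WORK/applicant.csr" -noout -verify >/dev/null 2>&1
openssl x509 -req -in "$WORK/applicant.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 10 -sha256 \
    -out "$WORK/applicant.crt" 2>/dev/null

# Neither certificate contains a private key (no PEM "PRIVATE KEY" block).
cert_contains_private_key() {
    grep -q 'PRIVATE KEY' "$WORK/ca.crt" "$WORK/applicant.crt"
}

# 5. Relying party. A PEM bundle file stands in for the OS trust store; it
#    already holds an unrelated root, as a real store would.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 10 \
    -subj '/CN=Other Root CA' \
    -keyout "$WORK/other.key" -out "$WORK/trust-bundle.pem" 2>/dev/null

# verify_against_bundle BUNDLE: exit status 0 only if applicant.crt chains to
# a CA certificate inside BUNDLE.
verify_against_bundle() {
    openssl verify -CAfile "$1" "$WORK/applicant.crt" >/dev/null 2>&1
}

# install_ca_into_bundle BUNDLE: "installing" the CA certificate means
# appending it to the trust bundle.
install_ca_into_bundle() {
    cat "$WORK/ca.crt" >> "$1"
}

# Walk-through on a copy, so the pristine bundle stays available for reuse.
cp "$WORK/trust-bundle.pem" "$WORK/demo-store.pem"
echo "CA public key, read from the certificate:"
ca_public_key_from_cert
verify_against_bundle "$WORK/demo-store.pem" || echo "before install: applicant.crt NOT trusted"
install_ca_into_bundle "$WORK/demo-store.pem"
verify_against_bundle "$WORK/demo-store.pem" && echo "after install:  applicant.crt trusted"
```

On a real device the bundle is the operating system's store rather than a file in a temporary directory: on Debian-derived Linux systems, copying the CA certificate under /usr/local/share/ca-certificates/ and running `update-ca-certificates` appends it to the system bundle, and on Windows `certutil -addstore Root ca.crt` places it in the machine's Trusted Root store. The effect is the same as the last two lines of the script, and so is the consequence: everything that CA signs is now trusted.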