SSL certificate issuance
HTTPS = HTTP + TLS/SSL

SSL: Secure Sockets Layer

TLS: Transport Layer Security, the standardized successor of SSL

Provides privacy and data integrity between two communicating entities.

It consists of two layers: the TLS record protocol and the TLS handshake protocol.

The core of SSL is to provide secure and reliable communication.

In practice, there are usually two modes: one-way authentication and two-way (mutual) authentication.

One-way authentication:

1. Client: sends its SSL version information, etc.

2. Server: returns its SSL version information and the server public key.

3. Client: checks whether the certificate is legitimate: whether it has expired, whether the CA is trusted, etc.

4. Client: sends a symmetric encryption scheme to the server.

5. Server: selects the encryption method.

6. Server: sends the chosen encryption scheme to the client in plain text.

7. Client: generates a random code, derives a symmetric encryption key from it, encrypts the key with the server public key and sends it to the server.

8. Server: decrypts with its private key to obtain the symmetric encryption key.

9. Handshake over; communication continues under symmetric encryption.

Two-way authentication:

1. Client: sends its SSL version information, etc.

2. Server: returns its SSL version information and the server public key.

3. Client: checks whether the certificate is legitimate.

4. Client: sends its own certificate and public key to the server.

5. Server: checks the client certificate and obtains the client public key.

6. Client: sends the symmetric encryption scheme to the server.

7. Server: selects the encryption method.

8. Server: encrypts the chosen encryption scheme with the client's public key and sends it to the client.

9. Client: decrypts with its private key to obtain the encryption mode, generates a random code, derives a symmetric encryption key, encrypts the key with the server public key and sends it to the server.

10. Server: decrypts with its private key to obtain the symmetric encryption key.

11. Handshake over; communication continues under symmetric encryption.

Core SSL concepts: CA, private key, public key and certificate.

The default format of the private key is PKCS#1; a simplified private key generation command is:

openssl genrsa -out private.pem 3072

Java requires the private key in PKCS#8 format, so it needs to be converted. The conversion command is:

openssl pkcs8 -topk8 -inform PEM -in private.pem -outform PEM -nocrypt -out private-pkcs8.pem

A certification center (CA) is a third-party certification provider that vouches for the reliability of certificates.

During development, a self-issued certificate is generally used for testing; the official certificate is used afterwards.

When using a CA, what is mainly used is the CA certificate, which is issued with the CA key.

Elements: CA private key, CA CSR and the issued certificate.

Enter the country name, state or province name, etc. as prompted.

Composition: a CA root certificate, which issues client certificates.

When creating a client certificate with OpenSSL, note the following:

When creating the private key, specify a length of 4096.

When creating the certificate, specify usr_cert for the -extensions parameter.

Generate the private key

openssl genrsa -out product.key 3072

Generate a certificate signing request (CSR)

openssl req -new -key product.key -out product.csr

Sending the certificate signing request to a CA and having it issue the certificate is usually invisible to the requester; behind the scenes it may amount to executing the following issuance command.

openssl ca -in product.csr -out product.crt -days 365

The command above still hides a lot of details, so look at the following one.

The signing process requires the CA's certificate and private key, and finally a certificate signed by the CA is issued.

openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in product.csr -out product.crt

This product.crt is the official certificate that can be used.
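The commands above are shown out of order and leave out the creation of the CA itself. The script below, an added example that is not part of the original page, runs the whole chain from CA key to signed product.crt, including the PKCS#8 conversion, and then performs the chain check that stands behind the client's "check whether the certificate is legitimate" step. File names follow the page; the pki-demo directory, the -subj values and the hostname product.example are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): full issuance chain plus the
# client-side chain validation. Directory, -subj values and product.example
# are assumptions; ca.key, ca.crt, product.key, product.csr and product.crt
# are the file names used on the page.
set -eu

issue_product_cert() (
    work=${1:-./pki-demo}
    mkdir -p "$work"
    cd "$work"
    # CA private key and self-signed CA root certificate (the page's "CA key"
    # and "CA root certificate"); -subj answers the country/state prompts.
    openssl genrsa -out ca.key 3072 2>/dev/null
    openssl req -x509 -new -key ca.key -days 3650 -sha256 \
        -subj "/C=CN/ST=Demo/O=Demo CA/CN=Demo Root CA" -out ca.crt
    # Product private key, 4096 bits as the page's note requires, and its CSR.
    openssl genrsa -out product.key 4096 2>/dev/null
    openssl req -new -key product.key -sha256 \
        -subj "/C=CN/ST=Demo/O=Demo Product/CN=product.example" -out product.csr
    # The CA signs the CSR with its certificate and private key. -CAcreateserial
    # writes ca.srl; the extension file marks the result as a non-CA certificate
    # bound to one hostname, so it cannot itself be used to issue certificates.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:product.example\n' > ext.cnf
    openssl x509 -req -in product.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -sha256 -extfile ext.cnf -out product.crt 2>/dev/null
    # PKCS#1 -> PKCS#8 conversion for Java, as on the page.
    openssl pkcs8 -topk8 -inform PEM -in product.key -outform PEM -nocrypt \
        -out product-pkcs8.pem
)

# The client's "check whether the certificate is legitimate" step: chain
# validation against a trusted CA certificate (expiry is checked as well).
# Exit status 0 only if the certificate in $2 chains to the CA in $1.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

issue_product_cert ./pki-demo
verify_against_ca ./pki-demo/ca.crt ./pki-demo/product.crt \
    && echo "product.crt chains to ca.crt"
```

Running verify_against_ca with a different CA's certificate as the first argument returns a non-zero status, which is exactly how a client rejects a certificate issued by a CA it does not trust.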

The difference between TLS one-way authentication and two-way authentication