1. PKI certificate system
Concepts: 'PKI', 'CA', 'Digital Certificate', 'Certificate Chain', 'Digital Signature'
The public key explained earlier is not the same thing as the certificate obtained from an HTTPS site: the public key is only one field of the digital certificate.
Note: the following content is only a "personal" note.
Huawei Cloud Certificate Management Service CCM
① Basics
PKI currently has a series of 'standard specification' definitions, mainly including:
② CA organization
Keywords: root CAs and intermediate CAs
1. The organizational structure of CAs is a "tree" made up of multiple "levels".
2. A root CA has multiple intermediate CAs beneath it. Note: an intermediate CA can itself contain multiple intermediate CAs.
3. Both root CAs and intermediate CAs can issue certificates. Note: the certificates issued are root certificates and intermediate certificates respectively.
4. The final certificate that the user presents to authenticate a public key is called the 'end-user certificate'. Emphasis: it is the intermediate CAs that 'issue' end-user certificates.
1. Root certificates ('root certificates'): browsers and operating systems ship with a set of built-in root certificates, called trusted root certificates.
2. How is the reliability of intermediate certificates 'guaranteed'? This is where the 'certificate chain' comes in: verification proceeds 'chain upward', from the end-user certificate through each intermediate to a trusted root.
certificate chain
③ Certificate issuance process
Note: The following three 'components' of PKI are responsible for the 'life cycle' of the certificate
1. After generating the 'public and private keys', submit an 'application' containing the 'public key and personal identity information' to a CA. Pending: what the 'personal' information contains is explained later.
2. The CA 'verifies the identity information'.
3. If there is no problem, the CA then signs the information with its 'own private key' (the note describes this as "encrypting" with the private key). The result is a 'digital certificate', also called a 'public key certificate'.
④ Signature and verification process
Thinking: why can the 'public key digital certificate' issued by a 'CA' serve as 'identity verification'?
Description: 'Details' when the communicating parties 'authenticate the other party's' digital certificate
SSL two-way (mutual) verification: the role of ssl_verify_depth (values 0, 1, 2 and their meaning)
Detailed explanation of the nginx two-way authentication configuration: proxy_ssl_verify_depth
Pending: 1. 'In-depth' exploration of certificates. 2. Certificate 'splicing', that is, concatenating the 'intermediate CA's' certificate into the certificate file the server sends.
How to fix an incomplete SSL certificate chain caused by a missing intermediate layer. How does openssl convert a certificate to PEM format?
https two-way authentication
⑤ Certificate trust chain
Certificate chain / certificate trust chain diagram
Intermediary: an 'authoritative CA' is a 'middle-layer agent' CA, 'distinct from' the root CA. Supplement: each intermediate CA is given a 'credit endorsement' by the CA one level 'above' it --> it is 'vouched for'.
Description: 'verifying' the certificate chain
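As an added example (not part of the original note or of Huawei Cloud's documentation), the following script builds a constructed root -> intermediate -> end-user chain with openssl and then verifies it the way a client does, trusting only the root: it shows the 'chain upward' check, the incomplete-chain failure when the intermediate is missing, the 'splicing' fix, and the effect of a depth limit (the same OpenSSL verify depth that nginx's ssl_verify_depth sets). All names are made up; it assumes an openssl binary (1.1.1 or newer) on PATH.

```shell
#!/bin/sh
# Added example: constructed root -> intermediate -> end-user chain, verified
# like a client that trusts only the root. Assumes openssl >= 1.1.1 on PATH.
set -e
WORK=$(mktemp -d); cd "$WORK"

# mkcert <name> <CN> <extension-lines> [issuer]: key + CSR, then sign it
# with the issuer's private key (self-signed when no issuer is given).
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf '%b\n' "$3" > "$1.ext"
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -days 30 -sha256 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -days 30 -sha256 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  fi
}

# The hierarchy from the note: root signs the intermediate, intermediate signs the user.
mkcert root "Demo Root CA"         'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign'
mkcert int  "Demo Intermediate CA" 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign' root
mkcert leaf "www.example.test"     'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test' int

# "Splicing": what a server should actually send, leaf first, then the intermediate.
cat leaf.pem int.pem > fullchain.pem

# verify_leaf [untrusted-file] [depth]: only root.pem is trusted (the "root store");
# the intermediate must come from the untrusted, server-sent file. Prints ok/fail.
verify_leaf() {
  untrusted=${1:-}; depth=${2:-}
  set -- -CAfile root.pem -no-CApath
  [ -n "$untrusted" ] && set -- "$@" -untrusted "$untrusted"
  [ -n "$depth" ] && set -- "$@" -verify_depth "$depth"
  if openssl verify "$@" leaf.pem >/dev/null 2>&1; then echo ok; else echo fail; fi
}

echo "leaf only:           $(verify_leaf)"                # fail: no path to a trusted root
echo "leaf + intermediate: $(verify_leaf int.pem)"        # ok: verified chain upward
echo "spliced fullchain:   $(verify_leaf fullchain.pem)"  # ok: intermediate found in the bundle
echo "verify_depth 0:      $(verify_leaf int.pem 0)"      # fail: one intermediate exceeds depth 0
echo "verify_depth 1:      $(verify_leaf int.pem 1)"      # ok: depth counts intermediates only
```

The depth value counts intermediate CA certificates only; neither the end-user certificate nor the trusted root counts against it.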
⑥ PKI public key infrastructure
The 'operating' system built around public key digital certificates --> PKI, the public key infrastructure. Note: revocation checking via 'CRL' is relatively slow; 'OCSP' is used now.
Explanation: 'PKI' operation process
Note: in the 'ECDHE' TLS key exchange, 'key negotiation' does not use the public key in the other party's certificate; the certificate's key only signs the handshake.
⑦ Public key certificate type
The differences between various types of SSL certificates
Core: different certificate types have different 'application' scenarios, 'fees', 'approval processes', 'trust levels' and 'security'. Supplement: the encryption strength of the three types is the same; only the verification of the applicant's identity differs.
⑧ Domain name type
How to choose a domain name type
Keywords: 'single domain', 'multi-domain', 'wildcard domain'. Note: how can the 'supported' domain name formats be determined from the 'certificate' itself?
⑨ Encryption algorithms supported by Huawei Cloud certificates
Key points: learn 'RSA' and 'ECC' well. Follow-up: stop studying them from the perspective of 'principles' and understand them from the perspective of 'practical use'.
Pending: some 'conventional' names or 'suffixes' --> der, pem, csr, crt
Java certificate FAQ
2. Questions and answers