Digital certificates are the ID cards of the online world. They provide electronic authentication for secure communication between two parties. The digital certificate contains the identification information of the key pair owner, and the identity of the certificate holder is authenticated by verifying the authenticity of that identification information. Digital certificates can establish a safe and reliable trust relationship between users who never meet each other in the online world. The establishment of this trust relationship originates from the PKI/CA certification center. Therefore, it is crucial to build a secure PKI/CA certification center.
The various concepts and technologies related to digital certificates are collectively called PKI (Public Key Infrastructure). By introducing CA, digital certificate, LDAP, CRL, OCSP and other technologies and formulating corresponding standards, PKI effectively solves problems such as the mapping between public keys and users, centralized service performance bottlenecks, and offline status query. At the same time, in order to promote and improve the standardization of certificate application, many standards related to certificate application have been formulated.
At the heart of PKI is the trust established between clients, servers, and certification authorities (CAs). This trust is established and propagated through the generation, exchange, and verification of certificates.
The following illustration shows the difference between Authentication and Certification (the difference between two parties and three parties).
Overview
An SSL certificate is a type of digital certificate, similar to electronic copies of driver’s licenses, passports, and business licenses. Because it is configured on the server, it is also called a server certificate.
Only when the SSL certificate is correctly installed on the web server can HTTPS communication between the client and the server be achieved. Since installation involves the configuration of different types of web servers, the certificate must be installed according to the actual server environment after it is issued.
CA is an e-commerce certification authority, also known as an e-commerce certification center. It is an authoritative organization responsible for issuing and managing digital certificates. As a trusted third party in e-commerce transactions, it is responsible for verifying the legitimacy of public keys in the public key system. The certificate it issues is the CA certificate.
The relationship between SSL certificates and CA certificates can be considered from the following two perspectives.
CA certificate contains SSL certificate
In addition to issuing SSL certificates, CA authorities can also issue other digital certificates, such as code signing certificates and email certificates, etc. From this perspective, an SSL certificate is a CA certificate.
CA certificate equals SSL certificate
The certificate authority (CA) is responsible for issuing, invalidating, and saving certificates. The certificate issued by the CA is called a CA certificate. The essence of the CA certificate is to use the SSL/TLS protocol to protect the security of transmitted data, so it is also called an SSL certificate.
What is SSL/TLS
SSL (Secure Sockets Layer)
A protocol layer located between reliable connection-oriented network layer protocols and application layer protocols. SSL enables secure communication between clients and servers by authenticating each other, using digital signatures to ensure integrity, and using encryption to ensure privacy. The protocol consists of two layers: the SSL record protocol and the SSL handshake protocol.
TLS (Transport Layer Security)
Used to provide confidentiality and data integrity between two applications. The protocol consists of two layers: TLS record protocol and TLS handshake protocol.
The relationship between the two
There is no difference in the connection process between TLS and SSL. SSL can be understood as the predecessor of TLS, and TLS as the successor of SSL. The two protocols that make up TLS and SSL (the record protocol and the handshake protocol) also work together in the same way.
However, the algorithms used by SSL and TLS are different, and TLS adds many new alert codes. Because of these differences, we can think of TLS as an incompatible enhancement of SSL: when authenticating certificates, TLS must exchange certificates with TLS, and SSL must exchange certificates with SSL.
Issuance of certificate
Certificate format
In terms of classification standards, the SSL certificate formats mainly include:
- PEM and DER defined in the public key certificate format standard X.509
- PKCS#7 and PKCS#12 as defined in the public key cryptography standard PKCS
- JKS for Java environment
In terms of file format, the main SSL certificate formats are:
- One is a Base64 (ASCII) encoded text format. This kind of certificate file can be opened and even edited through a text editor. The common PEM certificate format has extensions including PEM, CRT and KEY.
- The other is a binary file format. The common DER certificate format has extensions including DER and CER.
Linux systems use CRT and Windows systems use CER.
Term | Meaning |
---|---|
X.509 | A common certificate format, including the certificate holder’s public key, encryption algorithm and other information |
pkcs1 ~ pkcs12 | Public Key Cryptography Standards (public key, i.e. asymmetric, encryption); generally stored as .pN files; .p12 is an encapsulation format containing certificates and keys |
*.der | Binary storage format of a certificate (not commonly used) |
*.pem | Base64 text storage format for a certificate or key; it can store the certificate or the key separately, or both at the same time |
*.key | A key stored separately in PEM format is generally saved as *.key |
*.cer *.crt | Both refer to certificates, called crt under Linux and cer under Windows; the storage format can be PEM or DER |
*.csr | Certificate signing request; contains certificate holder information such as country, email, domain name and other information |
*.pfx | Implementation of Microsoft IIS |
*.jks | Certificate format implemented by Java’s keytool |
Issuance process
Generate the private key of the CA (the suffix can be .pem or .key)
openssl genrsa -out ca.key 2048
Generate a CA certificate request file. After you run the command, you will be prompted for a series of basic information.
openssl req -new -key ca.key -out ca.csr
Generate a certificate (the public key is included in the certificate). Under normal circumstances, you need to take the private key and request file to a recognized CA agency for certificate application and issuance. Here we choose to use openssl to simulate a CA authority to issue a certificate.
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
After completing the above three steps, you will get three files in the folder:
ca.key ca.csr ca.crt
The generated certificate file can be regarded as the root certificate to assist in the subsequent discussion of the certificate trust chain.
The generated certificate is generally in the universal X.509 format, which contains the certificate holder’s public key, encryption algorithm and other information.
X.509 Certificate
Certificates based on the X.509 V3 standard ensure authentication and data security (consistency, confidentiality) by binding an identity to a pair of electronic keys that can be used to encrypt, sign, and decrypt digital information.
Each X.509 certificate is constructed based on a key pair consisting of a public key and a private key, which can be used for encryption and decryption, identity verification, and information security confirmation. The format and verification method of certificates generally follow the X.509 international standard.
The X.509 standard uses an interface description language called Abstract Syntax Notation One (ASN.1) to define, encode and decode certificate requests and certificates transmitted between clients and certification authorities.
The following is the certificate representation syntax using ASN.1.
```
SignedContent ::= SEQUENCE {
    certificate             CertificateToBeSigned,
    algorithm               Object Identifier,
    signature               BITSTRING
}

CertificateToBeSigned ::= SEQUENCE {
    version                 [0] CertificateVersion DEFAULT v1,
    serialNumber            CertificateSerialNumber,
    signature               AlgorithmIdentifier,
    issuer                  Name,
    validity                Validity,
    subject                 Name,
    subjectPublicKeyInfo    SubjectPublicKeyInfo,
    issuerUniqueIdentifier  [1] IMPLICIT UniqueIdentifier OPTIONAL,
    subjectUniqueIdentifier [2] IMPLICIT UniqueIdentifier OPTIONAL,
    extensions              [3] Extensions OPTIONAL
}
```
Both public and private keys are composed of a long string of random numbers. The public key is published, and its length determines the strength of the protection; information is encrypted using the public key. The private key is kept secret by the recipient alone, and the recipient can decrypt and read the information by using the private key associated with the public key.
Use openssl to view the public key certificate in text mode:
openssl x509 -in ca.crt -noout -text
The following figure shows its main content.
The certificate contains the following information in plain text: the applicant’s public key, the applicant’s organizational and personal information, the information of the issuing authority CA, the validity time, the certificate serial number and other information. It also contains a signature.
The following are common certificate operations:
```bash
# View the certificate serial number
openssl x509 -in ca.crt -noout -serial
# Print the owner (subject) name of the certificate in the format specified by RFC 2253
openssl x509 -in ca.crt -noout -subject -nameopt RFC2253
# Print the MD5 fingerprint of the certificate
openssl x509 -md5 -in ca.crt -noout -fingerprint
# Print the SHA-1 fingerprint of the certificate
openssl x509 -sha1 -in ca.crt -noout -fingerprint
```
Format conversion
Converting a certificate's format is really a conversion of its encoding, such as the conversion between DER and PEM.
PEM to DER format:
openssl x509 -inform pem -in certificate.pem -outform der -out certificate.der
DER to PEM format:
openssl x509 -inform der -in certificate.der -outform pem -out certificate.pem
Important Note
Note 1: Certificate = public key + applicant and issuer information + signature.
Note 2: The suffix of the certificate file cannot be used as a basis for judging which encoding the certificate uses. For private key and public key files, the suffix is sometimes key/crt and sometimes pem. The suffix is not important; what matters is the format of the content in the file.
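The following Python is an added example, not part of the original article: it applies Note 2 by classifying a certificate blob from its content rather than its suffix, then walks the DER encoding of the SignedContent / CertificateToBeSigned structure shown earlier to read the version and serial number. The function names and the sample bytes are constructed for illustration; the sample is a DER skeleton, not a real signed certificate.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# Constructed sample (NOT a real certificate): v3, serial 0x1234, dummy 4-byte signature.
SAMPLE_DER = bytes.fromhex(
    "3021" "3009a00302010202021234" "300d06092a864886f70d01010b0500" "030500deadbeef")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

def to_der(blob):
    """Classify by content, never by file suffix; return (encoding, DER bytes)."""
    m = PEM_RE.search(blob)
    if m:
        return "PEM", base64.b64decode(m.group(1))
    if blob[:1] == b"\x30":  # a DER certificate starts with a SEQUENCE tag
        return "DER", blob
    raise ValueError("neither PEM nor DER certificate data")

def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def summarize(blob):  # report encoding, version, serial and signature size
    encoding, der = to_der(blob)
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    tbs, _algorithm, signature = children(body)  # the three SignedContent fields
    fields, version = children(tbs[1]), 1        # version is DEFAULT v1
    if fields[0][0] == 0xA0:                     # [0] present: INTEGER 0/1/2 = v1/v2/v3
        version, fields = children(fields[0][1])[0][1][0] + 1, fields[1:]
    return {"encoding": encoding, "version": version,
            "serial": int.from_bytes(fields[0][1], "big", signed=True),
            "signature_bits": (len(signature[1]) - 1) * 8}
```

Passing the bytes of ca.crt or certificate.der from the steps above to summarize() reports the same fields for a real certificate, whatever the file is named.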
Issuance and trust chain
Trust Chain
The CA system is a tree structure. Each CA can have one or more sub-CAs. The top-level CA is called the root CA. Except for the root CA, the issuer of other CA certificates is its superior CA. This hierarchical relationship forms a trust chain.
Taking a practical example, such as baidu, when viewing the certificate, you can see that its root is GlobalSign, the intermediate certificate is Validation CA-SHA256-G2, and finally it is baidu.com.
Certificates are divided into two types (no essential difference):
- CA Certificate
- End Entity Certificate: The end entity that accepts CA certificates.
Authentication Example
Use the ca.crt generated above as the root certificate to issue a new certificate.
Generate a private key for a certificate
openssl genrsa -out server.key 2048
Generate certificate request file
openssl req -new -key server.key -out server.csr
Then use openssl to simulate a CA authority again, using the ca.crt root certificate generated above to issue a new certificate.
openssl x509 -req -days 3000 -sha256 -extensions v3_req -CA ca.crt -CAkey ca.key -CAserial ca.srl -CAcreateserial -in server.csr -out server.crt
- -CA: Specify the path to the CA certificate
- -CAkey: Specify the private key path of the CA certificate
- -CAserial: Specifies the path to the certificate serial number file
- -CAcreateserial: Creates the certificate serial number file (the serial file mentioned above). The default name of the created file is the certificate name specified by -CA with the .srl suffix added.
To verify the certificate, use the following command to check whether the issuance succeeded.
openssl verify -CAfile ca.crt server.crt # server.crt: OK