Palai

Programmer | Open-source enthusiast | Enjoys making friends

Digital Certificates and CA - A Beginner's Guide

What is a digital certificate?

A digital certificate is a digital document that verifies the authenticity of the public key used for encrypting online assets (such as email communications, documents, websites, or software applications).

A digital certificate typically includes:

  • Public key
  • Owner information
  • Certificate Authority (CA) information
  • CA's digital signature on the document and the algorithm used
  • Certificate validity period
  • Other additional information

Purpose of digital certificates

The purpose of digital certificates is to authenticate the identity of the public key holder and prevent third-party impersonation. In simpler terms, a certificate is used to inform the client whether the server is legitimate, as only a valid certificate represents a trustworthy server identity.

What is a CA?

CA stands for "Certificate Authority," also known as a "Certificate Authorization Center." It is a third-party organization responsible for managing and issuing certificates, similar to the intermediary, Company C, in the official-seal example. A CA must be trusted and recognized by all industries and the general public, so it must have sufficient authority. For example, both Company A and Company B must trust Company C before it can act as an intermediary for their official seals.

What is a CA certificate?

As the name suggests, a CA certificate is a certificate issued by a CA.

Anyone can create a certificate using tools. However, a certificate created by an individual without authority is not useful: you are not an authoritative CA, so nobody else has a reason to trust your self-made certificate.

What is a certificate trust chain?

In reality, there can be a nested trust relationship between certificates. For example, C trusts A1, A1 trusts A2, A2 trusts A3... This is called a certificate trust chain. As long as you trust the first certificate in the trust chain, the subsequent certificates can also be trusted.

What is a root certificate?

Suppose C trusts A and B, A trusts A1 and A2, and B trusts B1 and B2. They form a tree-like relationship (an inverted tree) as follows:

[Image: trust tree with C at the root, A and B beneath it, and A1, A2, B1, B2 as leaves]

The certificate at the top of the tree, in the root position, is called the "root certificate." Apart from the root certificate, all other certificates rely on the certificate of the previous level to prove themselves. The root certificate does not need to be proven and serves as the foundation of the entire certificate system's security. Therefore, if the root certificate in a certificate system has a problem (no longer trustworthy), all other certificates trusted by the root certificate will also become untrustworthy. This consequence is quite severe.

Purpose of CA certificates

  • Verify the trustworthiness of websites (for HTTPS)
  • Verify the trustworthiness of files (whether they have been tampered with)

This brings us to HTTPS. We all know the difference between HTTP and HTTPS:

  1. HTTP transmits data in plain text, posing security risks. HTTPS adds the SSL/TLS security protocol between HTTP and TCP to ensure secure transmission of data.
  2. After the three-way handshake of TCP, HTTP can start transmitting, while HTTPS requires an additional SSL/TLS handshake after the TCP three-way handshake to start transmitting.
  3. HTTP defaults to port 80, while HTTPS defaults to port 443.
  4. HTTPS requires applying for a digital certificate from a CA to ensure the server's reliable identity.

HTTPS is an encryption protocol that ensures your transmission process is not eavesdropped on. But is HTTPS always secure? Suppose a fake base station acts as a relay for all information, then it can obtain all the information, right?

To prevent such actions, HTTPS not only has an encryption mechanism but also a certificate mechanism. Certificates are used to ensure that a certain site is indeed that site.
Once you have a certificate, when your browser accesses an HTTPS website, it will verify the CA certificate on that site (similar to verifying the official seal on an introduction letter). If the browser finds no issues with the certificate (the certificate is trusted by a root certificate, the domain name bound to the certificate matches the website's domain name, and the certificate is not expired), the page will open directly. Otherwise, the browser will display a warning, informing you of certain issues with the website's certificate and asking if you want to continue accessing the site.

Certificate issuance and verification process

[Image: certificate issuance by the CA (left) and certificate verification by the client (right)]

The process of CA issuing a certificate, as shown in the left part of the above image:

  • First, the CA packages the holder's public key, purpose, issuer, validity period, and other information together and calculates the hash value of this information using a hash algorithm.
  • Then, the CA encrypts the hash value using its private key (that is, it signs the hash) to generate the Certificate Signature, which is the CA's signature on the certificate.
  • Finally, the Certificate Signature is added to the certificate file, forming a digital certificate.

The process of the client verifying the server's digital certificate, as shown in the right part of the above image:

  • First, the client uses the same hash algorithm to obtain the hash value H1 of the certificate.
  • Typically, browsers and operating systems integrate the public key information of CAs. After receiving the certificate, the browser can use the CA's public key to decrypt the content of the Certificate Signature, obtaining another hash value H2.
  • Finally, H1 and H2 are compared. If they are the same, the certificate is considered trustworthy; otherwise, it is considered untrustworthy.
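
The issuance and verification steps above, together with the browser's validity-period and domain checks described earlier, as an added example that is not part of the original post. It uses textbook RSA with no padding and a toy key built from two well-known Mersenne primes; the field names, the `shop.example` site and the helper functions are hypothetical, and real certificates use X.509 encoding with padded signature schemes.

```python
import hashlib
import json

# Toy CA key pair (textbook RSA, no padding). P and Q are the well-known
# Mersenne primes 2^521-1 and 2^607-1: fine for a demo, useless as a real key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                               # CA public key is (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))       # CA private exponent

def tbs_hash(fields):
    """Hash the certificate fields in a canonical byte form."""
    blob = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")

def ca_issue(fields):
    """Issuance: hash the fields, apply the CA private key, attach the result."""
    return {"fields": fields, "signature": pow(tbs_hash(fields), D, N)}

def client_verify(cert, hostname, today, trusted_ca=(N, E)):
    """Verification: recompute H1, recover H2 with the CA public key, compare,
    then check the validity period and the domain. `today` is an ISO date."""
    n, e = trusted_ca
    h1 = tbs_hash(cert["fields"])
    h2 = pow(cert["signature"], e, n)
    if h1 != h2:
        return "bad signature"
    f = cert["fields"]
    if not (f["not_before"] <= today <= f["not_after"]):
        return "expired or not yet valid"
    if hostname != f["subject"]:
        return "hostname mismatch"
    return "ok"

# Constructed sample certificate for a hypothetical site.
cert = ca_issue({"subject": "shop.example", "public_key": "constructed-key-bytes",
                 "issuer": "Toy CA", "not_before": "2024-01-01",
                 "not_after": "2025-01-01"})
# Same signature, edited subject: the fields no longer hash to H2.
altered = {"fields": dict(cert["fields"], subject="other.example"),
           "signature": cert["signature"]}

if __name__ == "__main__":
    print(client_verify(cert, "shop.example", "2024-06-01"))
    print(client_verify(altered, "other.example", "2024-06-01"))
    print(client_verify(cert, "shop.example", "2026-01-01"))
    print(client_verify(cert, "www.other.example", "2024-06-01"))
```

Changing any signed field after issuance makes H1 differ from H2, which is why the altered copy is rejected even though it carries a genuine CA signature value.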