CA provides certificate to ensure the security of transmitted information. Of course, individuals can also play the role of CA, but the client is not trusted at this time, and the CA certificate, i.e. CA public key, needs to be integrated into the client.
The security issues that need to be ensured during information transmission are: confidentiality of information, security of information, and identification of both parties.
Two key pairs are needed, asymmetric encryption key pair A and symmetric encryption key B. The client uses A’s public key to encrypt B’s key to generate C. Then C is transmitted to the server, which uses A’s private key to decrypt C to get B’s key. Then the key of B exists in both the client and the server, then the message can be encrypted and decrypted by the asymmetric encryption key B before transmitting the message. the role of A is to secure the transmission of B and the role of B is to secure the transmission of the message.
Asymmetric encryption key pair B is required. The client uses a hash algorithm to calculate the hash value of the transmitted content, which is the digest H1. The client then encrypts the digest with B’s public key to generate the encrypted digest C. The server transmits C to the server, which decrypts C with B’s private key to obtain the digest H1. The server then uses the same hash algorithm as the client to calculate the hash value of the transmitted content, which is the digest H2, and compares the values of H1 and H2 to ensure the integrity of the message.
Identification of both parties
Asymmetric encryption key pair B. The server sends B’s public key to the client, and the server encrypts its identity content with B’s private key and sends it to the client. The client can authenticate the identity of the server by decrypting it with B’s public key. Of course, this situation can be hijacked by a third party. Third-party hijacking means that the server sends the information and B’s public key to the client, but the middle is hijacked by the third party to B’s public key. Then the third party creates its own asymmetric encryption key pair C, which is used to interact with the client for encryption and decryption. Then the server sends B’s private key to encrypt the content, and the three parties hijack it and use B’s public key to decrypt it, and then send the information and C’s public key to the client. Then the client encrypts the message with C’s public key and the three-party hijacking decrypts it with C’s private key.
The digital certificate itself solves the problem of identification/authentication of both parties, and is issued by CA itself, which can be an authoritative vendor or a personal issuer. The difference is that the CA public key of the authoritative vendor is integrated into the client by default, while the CA public key needs to be manually integrated into the client for personal issuance, and the CA only serves to issue the server-side certificate or the subordinate CA certificate. The server-side certificate is used in the encryption process of real information transmission.
The digital certificate is mainly divided into three parts:
- Certificate content (i.e. identity information, such as information about the issuing authority) C
- Hash algorithm A
- encrypted ciphertext S
The main process of digital certificate authentication is :
- The server calculates hash, i.e. digest, from certificate content C by hashing algorithm A. Then the encryption is performed by the private key of CA, which generates the encrypted ciphertext S.
- When the client initiates a request, the server sends the digital certificate to the client. The client decrypts the S of the digital certificate with the public key of CA to get the digest H1.
- The client calculates hash of certificate content by hashing algorithm A, i.e. digest H2.
- Compare whether the digest H1 and H2 are equal, and if they are equal, the client authenticates the identity of the server.
Self-issued Certificate Generation
Step1 Self-issued CA
Generate CA private key.
Create the openssl configuration file
openssl.conf , note that the CA value of
TRUE, indicating that it is used for CA certificate issuance, and the CA value is
TRUE no matter how many levels of CA certificates.
Generate self-signed CA certificate with
openssl.conf configuration file and private key, i.e. public key of CA. It is used as a client to decrypt the ciphertext S of the server.
View the details of the generated CA certificate.
Step2 Use self-issuing CA to issue server-side certificate
Generate the server-side private key.
Generate a server-side identity CSR file.
Generate server-side certificates.
Step3 Client Integration CA Public Key
The CA public key here is the CA’s certificate.