Before we talk about certs, we need to know how your browser communicates with a web server using encrypted data while browsing.
private cert & public cert
- public cert
When the URL of the website you are browsing starts with https://, you get the web server's public cert. It has a security key called the public key, which is used to generate random secret keys to contact the server.
- private cert
It's another cert, which is generated on the web server. There's another secret key on this cert as well (the private key). To ensure it's safe from anyone who tries to decrypt the data, it is not public and is only used on the server.
encrypt && decrypt
When you are browsing an HTTPS website, both the browser and the server send data with encryption.
If the server uses the private key to encrypt data, it can be decrypted using the public key, and the other way around. This process is called
Now that we know the browser can get the public key, it follows that the browser can use it to generate a random secret string. Before the server starts receiving the request, it receives the string, uses the private key to decrypt it, and confirms receipt by responding to the browser. Now the browser starts sending the request to the server, and the server uses the random secret string to decrypt the data; the same random string is used to encrypt the response sent back to the browser. This process is called
Thereafter, even if a hacker gains access to your data on its way to the browser or the server, they cannot decrypt it, since they don't know the random secret or the private key. It is therefore more secure than unencrypted transmission.
A cert is issued by a CA (Certificate Authority). It is one-to-one with the domain name, and it uses a digital signature to ensure the legitimacy of the server.
The problem is: when a hacker builds a fake server, catches your data packets and sends you their public cert, how do we overcome this kind of situation?
To do so, the system or browser holds the public key of every legitimate CA, so when a hacker builds a fake website, the browser uses the corresponding CA's public cert to make sure the server is legitimate. The hacker does not have a legitimate cert. He could have built his own CA and used it to issue a server cert, but your browser or system can't find the corresponding cert, because it doesn't have his CA root cert, so it warns you: your connection is not private.
just like that
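
The trust-store check described above can be reproduced offline with the openssl command line. This is an added example, not part of the original post; the CA names, the example.test domain and the function names are made up for the demo, and the "trust store" is a single file holding only the trusted CA's root cert.

```shell
#!/bin/sh
# Constructed demo: every name and file here is made up for illustration.

# Succeeds only when the server cert chains to the given trusted root.
check_cert() {  # usage: check_cert <trusted-root.pem> <server-cert.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Create a self-signed CA root cert and key in <dir>.
make_ca() {  # usage: make_ca <common-name> <dir>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2/ca.key" -out "$2/ca.pem" 2>/dev/null
}

# Issue a server cert for example.test, signed by the CA stored in <dir>.
issue_cert() {  # usage: issue_cert <dir>
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/server.pem" 2>/dev/null
}

run_demo() {
    work=$(mktemp -d) || return 2
    mkdir "$work/trusted" "$work/rogue"
    # The CA whose root cert ships with the browser or system.
    make_ca "Demo Trusted CA" "$work/trusted" || return 2
    issue_cert "$work/trusted" || return 2
    # The attacker's own CA: same commands, same domain name on the cert.
    make_ca "Rogue CA" "$work/rogue" || return 2
    issue_cert "$work/rogue" || return 2

    store="$work/trusted/ca.pem"   # the rogue root is never added here
    genuine=rejected
    fake=rejected
    if check_cert "$store" "$work/trusted/server.pem"; then genuine=accepted; fi
    if check_cert "$store" "$work/rogue/server.pem"; then fake=accepted; fi
    rm -rf "$work"
    echo "genuine=$genuine fake=$fake"
}

run_demo
```

Both server certs carry the same domain name and are structurally valid; the only difference is whether the signing CA's root cert is in the store, which is why protecting the trust store matters as much as the certs themselves.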