what is Digital Cert used to?

before we talk about cert, we need to know how your browser contacts with web server using encrypted data while browsing.

private cert & public cert

• public cert

  when the url in browsing websites starts with https://, you will get the web server’s public cert, it has a security key called public key, it’s used to generate random sercret keys to contact with the server.

• private cert

  it’s another cert which is generated on the web server,there’s another secret key on this cert as well(private key),to insure it’s safe from anyone who tries to decrypt the data, it’s not public, only ran on the server

encrypt && decrypt

when you browsing an HTTPS website, no matter browser or server, they send data with encryption.

if server uses private key to encrypt data, it can be decrypted using the public key, and the other way around, this process is called Asymmetric encryption

now that we know the browser can get the public key, it could be understood that the browser can use it to generate a random secret string, before server starts receive the request,it receives the string then it will use the private key to decrypt it and and confirms receiving it by responding to browser. now the browser would start sending the request to the server, and the server uses the random secret string to decrypt data, and for giving browser the response the same random string is used for encryption.this process is called Symmetric encryption.

thereafter even if a hacker could gain access to your data on its way to the browser or server, they cannot decrypt it since they don’t know the random secret or the private key. therefore it’s a more secure way than unencrypted transmission.

cert

cert is issued by CA（Certificate Authority）, it’s one to one with the domain name, it uses digital signature to ensure the legitimacy of the server.

cert chain

the problem is, when a hacker builds a fake server and catches your data package and sends you their public cert, how to come over these kind of situation

to do so, System or Browser have every legal CA public key, so when hacker builds a fake website, browser will use corresponding CA’s public cert to make sure the server is legal. but hacker does not have a legal cert, he could’ve built a CA and used it to issue server cert, but your browser or system couldn’t find the corresponding cert, because your system or browser doesn’t have his CA Root Cert, so it wanrs you your connection is not private.

just like that

数字签名和数字证书究竟是什么？

科普-HTTPS背后的那些事儿