互联网安全通讯简析

[diguage]

思路

1. 通讯简史
2. 明文通讯
3. 中间人攻击
4. 凯撒加密通讯
5. 对称加密
6. RSA 原理
7. Hash 算法
8. Diffie–Hellman key exchange
9. 公钥通讯
10. TLS 版本升级小记
11. 自签名证书
12. HTTPS 实战 -- Let’s Encrypt
13. OkHttp + 自签名证书 编程实战
14. Netty HTTPS 编码
15. 常见术语解析

对称加密

非对称加密

HTTPS 加密校验过程

网站开始 HTTPS

证书制作

制作根证书

制作中间证书

对证书签名

释疑

PEM

• It is the most common format used for certificates
• Most servers (Ex: Apache) expects the certificates and private key to be in a separate files
  • Usually they are Base64 encoded ASCII files
  • Extensions used for PEM certificates are .cer, .crt, .pem, .key files
  • Apache and similar server uses PEM format certificates

    DER

• The DER format is the binary form of the certificate
• All types of certificates & private keys can be encoded in DER format
• DER formatted certificates do not contain the "BEGIN CERTIFICATE/END CERTIFICATE" statements
• DER formatted certificates most often use the ‘.cer’ and '.der' extensions
• DER is typically used in Java Platforms

  P7B/PKCS#7

• The PKCS#7 or P7B format is stored in Base64 ASCII format and has a file extension of .p7b or .p7c
• A P7B file only contains certificates and chain certificates (Intermediate CAs), not the private key
• The most common platforms that support P7B files are Microsoft Windows and Java Tomcat

  PFX/P12/PKCS#12

• The PKCS#12 or PFX/P12 format is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file
• These files usually have extensions such as .pfx and .p12
• They are typically used on Windows machines to import and export certificates and private keys

References

1. Public key certificate - Wikipedia
2. 深入浅出RSA加密算法编程实践 | "地瓜哥"博客网
3. 动手实践一下证书签名过程
4. SSL in Dot NET – Volume 1 - Hypothesis
5. Self-Signed Certificate Generator
6. Masterclass: Secure your website with SSL encryption | Linux Voice
7. Certificate Key Matcher - Check whether your private key matches your SSL certificate.
8. SSL Server Test (Powered by Qualys SSL Labs)
9. Let's Encrypt - Free SSL/TLS Certificates
10. 如何免费的让网站启用HTTPS | | 酷 壳 - CoolShell
11. Diffie–Hellman key exchange - Wikipedia
12. Key exchange - Wikipedia
13. How to convert a certificate to the correct format - Hashed Out
14. PKCS - Wikipedia
15. Public key infrastructure - Wikipedia
16. TLS profiles | IBM
17. ssl - How to create a self-signed certificate with OpenSSL - Stack Overflow
18. How to setup your own CA with OpenSSL -- 非常详细。
19. How to Create Your Own SSL Certificate Authority for Local HTTPS Development
20. Generate and install signed RBA server certificate -- 非常详细
21. OpenSSL Certificate Authority — Jamie Nguyen -- 非常详细
22. What are the differences between .P7B (PKCS#7) .PFX/.P12 (PKCS#12) .PEM, .DER, .CRT, .CER Certificates?
23. /docs/man1.1.1/man1/openssl.html -- 好多名称解释。
24. Transport Layer Security - Wikipedia
25. The TLS Handshake: Taking a closer look - Hashed Out by The SSL Store™ -- 写的非常棒
26. What Happens in a TLS Handshake? | SSL Handshake | Cloudflare
27. An overview of the SSL or TLS handshake
28. SSL Handshake explained - Kasun Dharmadasa - Medium
29. RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3 -- 没有通读。
30. HTTPS - Wikipedia
31. OpenSSL Essentials: Working with SSL Certificates, Private Keys and CSRs | DigitalOcean
32. Introducing CFSSL - CloudFlare's PKI toolkit -- 证书的链式认证结构。

[diguage]

Create the intermediate pair — OpenSSL Certificate Authority — Jamie Nguyen

If the intermediate key is compromised, the root CA can revoke the intermediate certificate and create a new intermediate cryptographic pair.

How to revoke the intermediate certificate？