blocks|key|1359102|text|CA签署Web服务器证书。由于浏览器已拥有CA公钥(在根证书中)，因此无需访问CA即可验证其真实性。唯一需要CA访问权限的是检查证书是否被吊销。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1359103|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

CA signs the Web server certificate. Since the browser already has the CA public key (in root certificates), it can validate the authenticity of it without accessing CA. The only thing that requires CA access is to check if the certificate is revoked.

blocks|key|1574426|text|这取决于您的浏览器/OS配置。基本上，浏览器或操作系统都有一个受信任的根授权列表(Mozilla有自己的列表，IE使用Windows的列表)。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1574427|当SSL握手发生时，将检查站点证书以查看它是否由受信任的机构之一签名，以及服务器名称是否与证书中的名称匹配。|1574428|接下来会发生什么取决于浏览器或操作系统配置。CA有一个吊销列表功能(它可以是一个大列表，也可以是一个单独的服务(OCSP)，您可以在其中询问证书是否仍然有效)。如果你的浏览器/操作系统被配置为检查这个，那么这个额外的步骤就会发生。|1574429|如果OCSP服务可用，Firefox和Windows将默认检查OCSP服务，默认情况下也不检查CRL列表。|1574430|entityMap^0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|J|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|K|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|L|8|@]|9|@]|A|$]]|$1|F|3|G|5|6|7|M|8|@]|9|@]|A|$]]|$1|H|3|-4|5|6|7|N|8|@]|9|@]|A|$]]]|I|$]]

It depends on your browser/OS configuration. Basically a browser or an OS has a list of trusted root authorities (Mozilla has it's own list, IE uses the Windows one).

When the SSL handshake takes place the site certificate is examined to see if it is signed by one of the trusted authorities, and if the server name matches the one in the certificate.

What happens next depends on the browser or OS configuration. CAs have a revocation list function (its either a big list or a separate service (OCSP) where you can ask if a certificate is still good). If your browser/OS is configured to check this then this extra step will happen.

Firefox and Windows will check OCSP services by default if they are available, neither check CRL lists by default.

blocks|key|1359367|text|web浏览器具有它信任的根证书列表。这些是CA的公钥。浏览器说，您可以相信这些CA的私钥实际上是私有的，并且由这些私钥之一加密的任何东西--包括所谓的web服务器的证书--实际上都来自CA。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1359368|证书包含web服务器的公钥和web服务器的地址(以及公司名称等)，由CA的私钥加密。此加密在网站所有者从CA购买证书时执行一次。在此之后，网站所有者会将证书保留在手边，以便在您发出https请求时发送给您。由于您的浏览器能够使用CA的公钥(已在您的计算机上)来解密web服务器发送的证书，并且在解密的证书中看到证书包含与https服务主机匹配的主机地址，因此浏览器会得出结论，认为主机的公钥(使用CA的公钥解密)是可信的。通常由web主机发出的证书可能仍然来自某个随机的人欺骗主机，但至少您可以确信它包含您要与之通信的https服务主机的可信公钥。|1359369|然后，您可以发送用主机的公钥加密的数据(如您的信用卡号码)，只有主机的私钥才能解密您的数据。在交易过程中，不需要与CA通信。|1359370|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|H|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|I|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|J|8|@]|9|@]|A|$]]|$1|F|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|G|$]]

The web browser has list of root certificates it trusts. These are public keys of CAs. The browser is saying you can trust that the private keys of these CAs are in fact private, and that anything that has been encrypted by one of those private keys -- including the alleged web server's certificate -- really came from the CA. 

The certificate contains the public key of the web server and the web server's address (and company name etc.), encrypted by the private key of the CA. This encryption is done once, when the web site owner bought the certificate from the CA. After that, the web site owner keeps the certificate on hand to send you when you make an https request. Since your browser is able to use the CA's public key (which was already on your machine) to decrypt the certificate sent by the web server, and sees in the decrypted certificate that the certificate contains a host address that matches the https-serving host, the browser concludes that the host's public key (decrypted using the CA's public key) is authentic. The certificate routinely given out by the web host might still be coming from some random person spoofing the host, but at least you can be confident that it contains the authentic public key of the https-serving host you are aiming to communicate with. 

You can then send data (like your credit card number) encrypted with the host's public key, and only the host's private key will be able to decrypt your data. No communication with the CA was necessary during the transaction.

Please help me understand how the process goes. I understand that web browsers contain root certificates for certificate authorities (CAs) like verisign, Entrust, Comodo .. etc, but what exactly happens when a user accesses a secure page? Does the web browser send a request to the server of the CA to verify the ceriticate or it just uses the CA's root certificate (in the browser) to verify the certificate?

I used some HTTP sniffer and logged on to gmail (the login page is secure) but didn't see requests going to any websites other than google, does that mean it only uses the CA's root certificate?

How do digital certificates work when used for securing websites (using SSL)?

服务器

Windows

请帮助我了解这个过程是如何进行的。我知道web浏览器包含证书颁发机构(CA)的根证书，如verisign、Entrust、Comodo。等等，但是当用户访问安全页面时到底会发生什么呢？web浏览器是向CA的服务器发送验证证书的请求，还是仅使用CA的根证书(在浏览器中)来验证证书？我使用了一些HTTP嗅探器，并登录到gm...

问使用数字证书保护网站(使用SSL)时，数字证书是如何工作的？
EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问使用数字证书保护网站(使用SSL)时，数字证书是如何工作的？EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问使用数字证书保护网站(使用SSL)时，数字证书是如何工作的？
EN