How does SSL use symmetric and asymmetric encryption? And how do I manage certificates for multiple sites on one host?

Problem description

First, some quotation from Microsoft TechNet's Managing Microsoft Certificate Services and SSL:

To recap, secure SSL sessions are established using the following technique:

  1. The user's Web browser contacts the server using a secure URL.
  2. The IIS server sends the browser its public key and server certificate.
  3. The client and server negotiate the level of encryption to use for the secure communications.
  4. The client browser encrypts a session key with the server's public key and sends the encrypted data back to the server.
  5. The IIS Server decrypts the message sent by the client using its private key, and the session is established.
  6. Both the client and the server use the session key to encrypt and decrypt transmitted data.

So, basically speaking, SSL uses asymmetric encryption (public/private key pair) to deliver the shared session key, and finally achieves a way of communicating with symmetric encryption.

Is that right?

I am using IIS to host my websites. Suppose I have multiple sites on my single machine, and I want the client browser to use an SSL URL to connect to my sites. How many certificates do I need? Which of the following approaches should I take?

1 - Apply for a single certificate and associate it with my single server machine which hosts multiple sites.

2 - Apply for several certificates and associate each of my sites with its own certificate.

In IIS7, it seems I could only do approach 1.

I figured it out. I could install multiple certificates on my server machine and bind each site with a separate certificate as necessary.

Recommended answer

Yes, that's right. Asymmetric encryption is necessary to verify the other's identity and then symmetric encryption gets used because it's faster.
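
The exchange described in the question and confirmed in the answer, as an added example that is not part of the original post: a Node.js sketch in which the server's RSA public key wraps a random session key and a symmetric cipher then protects the data. The function names, the choice of RSA-OAEP and AES-256-GCM, and the sample request are assumptions for illustration; real SSL/TLS derives its working keys from the exchanged secret instead of using it directly.

```javascript
// Added illustration of steps 2, 4, 5 and 6 quoted above; not a real SSL/TLS stack.
const crypto = require('node:crypto');

// Step 2: the server owns an RSA key pair; the public half travels in its certificate.
function makeServerKeyPair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Shared RSA-OAEP parameters (an assumption of this example).
function oaep(key) {
  return { key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
}

// Step 4: the client picks a random session key and wraps it with the public key.
function clientWrapSessionKey(serverPublicKey) {
  const sessionKey = crypto.randomBytes(32); // 256-bit symmetric key
  return { sessionKey, wrapped: crypto.publicEncrypt(oaep(serverPublicKey), sessionKey) };
}

// Step 5: only the holder of the matching private key can recover the session key.
function serverUnwrapSessionKey(serverPrivateKey, wrapped) {
  return crypto.privateDecrypt(oaep(serverPrivateKey), wrapped);
}

// Step 6: bulk data is protected with the shared key and a fast symmetric cipher.
function seal(sessionKey, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce for every message
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, body, tag: cipher.getAuthTag() };
}

function unseal(sessionKey, { iv, body, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, iv);
  decipher.setAuthTag(tag);
  // final() throws if the ciphertext or tag was modified in transit.
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// End-to-end run over a constructed sample request.
function demo() {
  const server = makeServerKeyPair();
  const client = clientWrapSessionKey(server.publicKey);
  const serverKey = serverUnwrapSessionKey(server.privateKey, client.wrapped);
  const message = seal(client.sessionKey, 'GET /account HTTP/1.1');
  return {
    keysMatch: serverKey.equals(client.sessionKey),
    wrappedLength: client.wrapped.length, // equals the RSA modulus size in bytes
    received: unseal(serverKey, message),
  };
}
```

TLS 1.3 no longer offers this RSA key transport: it agrees on the session secret with ephemeral Diffie-Hellman, and the certificate's key pair is used only to sign the handshake.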
