什么是 CA 证书，我们为什么需要它? [英] What is CA certificate, and why do we need it?

问题描述

我刚刚阅读了关于什么是 HTTPS 服务的这篇文章，了解https的基础.

I've just read this article about what is HTTPS service, and understand the basic of https.

在请求https内容时，服务器会向浏览器发送一个公钥，这样浏览器每次收到的数据都会用公钥解密.

When requesting https content, the server will send a public key to browser, so that every time, the browser receive data will decrypted with the public key.

我的问题是CA证书有什么用?为什么我们需要它?

My question is what is CA certificate for? Why do we need it?

推荐答案

CA 证书是由证书颁发机构 (CA) 颁发的数字证书，因此 SSL 客户端(例如 Web 浏览器)可以使用它来验证 SSL 证书由该 CA 签名.

A CA certificate is a digital certificate issued by a certificate authority (CA), so SSL clients (such as web browsers) can use it to verify the SSL certificates sign by this CA.

例如，stackoverflow.com 使用 Let's Encrypt 对其服务器进行签名，stackoverflow.com 发送的 SSL 证书提到它们由 Let's Encrypt 签名.您的浏览器包含来自 Let's Encrypt 的 CA 证书，因此浏览器可以使用该 CA 证书来验证 stackoverflow 的 SSL 证书，并确保您确实在与真实服务器对话，而不是中间人.

For example, stackoverflow.com uses Let's Encrypt to sign its servers, and SSL certificates send by stackoverflow.com mention they are signed by Let's Encrypt. Your browser contains the CA certificate from Let's Encrypt and so the browser can use that CA certificate to verify the stackoverflow's SSL certificate and make sure you are indeed talking to real server, not man-in-the-middle.

https://security.stackexchange.com/a/20833/233126 提供了关于TLS/SSL 证书的工作原理.

https://security.stackexchange.com/a/20833/233126 provides a more detail explanation about how TLS/SSL certificates work.

这篇关于什么是 CA 证书，我们为什么需要它?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！