how-https-works
https://strongarm.io/blog/how-https-works/
核心问题;
取得要访问网站的非对称加密的public key
Bringing it All Together
Now we’ve talked about every step involved in HTTPS authenticating the websites you visit. Let’s put it all together, step by step, continuing to use Facebook as our example website and DigiCert as our example CA.
Facebook requests a certificate from DigiCert
DigiCert verifies that they are really talking to Facebook
Facebook sends DigiCert their public key
DigiCert uses their private key to digitally sign Facebook’s public key
DigiCert gives Facebook the signed public key
This is now Facebook’s SSL Certificate
You connect to Facebook’s website
Facebook sends you their SSL Certificate
Using the DigiCert public key in your root certificate store, you verify DigiCert’s signature on Facebook’s SSL Certificate
You generate a secret key, and use Facebook’s public key from their certificate to encrypt it.
You send the encrypted secret key to Facebook
Facebook decrypts it with their private key, and holds on to it.
You and Facebook use the shared secret key to encrypt your web traffic.
And now you’re done! We have achieved robust authentication. So long as DigiCert remains trustworthy, you can be confident that sites with their certificates are who they say they are.