HTTPS: A Complete Guide to TLS Encryption and Certificates (Part 1)


1. What is HTTPS

HTTPS = HTTP + TLS (Transport Layer Security)

HTTP itself travels in plaintext. HTTPS wraps the HTTP content in a TLS layer that encrypts it, so that nobody on the path can read or tamper with the data in transit.
Diagram: HTTP vs HTTPS
  HTTP (plaintext): client ⇄ server, plaintext request and plaintext response
  HTTPS (encrypted): the same exchange with TLS encryption added between client and server

Analogy:

  • HTTP = a postcard: the mail carrier and the neighbours can all read it
  • HTTPS = the postcard locked in a safe before it is mailed; only the recipient can open it
  • HTTP is the "content", TLS is the "packaging": HTTP decides what is said, TLS keeps it secret

2. The TLS Handshake

The TLS handshake works in two phases: asymmetric cryptography for key exchange and signature verification, then symmetric encryption for all traffic that follows.

Analogy: the TLS handshake is two people meeting for the first time and agreeing on how to talk in secret

  1. Say hello (the TCP handshake, which completes before TLS starts)
  2. Tell each other which languages you speak (ClientHello / ServerHello: versions and cipher suites)
  3. Show an ID card to prove who you are (the server certificate)
  4. Agree on a session key that only the two of you know
  5. Encrypt everything from now on with that session key

Important: the two key exchange methods

Key exchange can be done in two ways, and the difference decides whether the connection has forward secrecy (PFS):

RSA key exchange: no PFS. Discouraged in TLS 1.2, removed entirely in TLS 1.3.
Sequence (RSA key exchange):

  1. Client generates the pre-master secret (a random value)
  2. Client encrypts it with the server's public key; the ciphertext crosses the network once
  3. Server decrypts it with its private key and now also holds the pre-master secret
  4. Both sides derive the same symmetric keys from the pre-master secret

  The pre-master secret crossed the network, so a later leak of the private key exposes all recorded traffic.

What is the pre-master secret?

  • A random value generated by the client. The master secret is derived from it, and the actual session keys are derived from the master secret.
  • Derivation chain: pre-master secret → master secret → session keys (encryption keys + MAC keys)
  • With RSA key exchange this random value has to cross the network to reach the server. If the private key ever leaks, an attacker who recorded the handshake can decrypt that ciphertext, recover the pre-master secret and compute every session key from it.

ECDHE key exchange: PFS. Ephemeral (EC)DH is the only key exchange TLS 1.3 allows; it is the modern default.
Sequence (ECDHE key exchange):

  1. Client generates an ephemeral DH private key a and public key A
  2. Server generates an ephemeral DH private key b and public key B
  3. Only the public keys are transmitted: the client sends A, the server sends B (public information)
  4. Client computes the shared key locally from a + B; the server computes it from b + A
  5. Both arrive at the same shared key

  The shared key never crossed the network, so a later leak of the private key does not expose recorded traffic.

What are DH and ECDHE?

  • DH (Diffie-Hellman) is a key agreement algorithm. Its core property: two parties agree on a shared secret over a public channel, and an eavesdropper who sees every exchanged message still cannot compute it.
  • ECDHE = Elliptic Curve Diffie-Hellman Ephemeral
    • EC (elliptic curve): the same security as classic finite-field DH at far smaller key sizes, so it is much faster
    • E (ephemeral): a fresh key pair is generated for every handshake and discarded afterwards, which is what gives forward secrecy
  • The math, simplified: each side picks a private number (a and b); both agree on a public generator g and modulus p; they exchange g^a mod p and g^b mod p, and each computes (g^a)^b = (g^b)^a = g^(ab) mod p, arriving at the same shared secret. The eavesdropper sees only g^a and g^b and cannot recover g^(ab) from them (the computational Diffie-Hellman problem).
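The two exchanges described above, run with the openssl command line as an added example (this script is not part of the original article). ECDHE uses curve P-256 (prime256v1); the RSA contrast uses a 2048-bit long-term key. The key schedule at the end is a deliberate simplification (HMAC over the two handshake randoms) standing in for the real TLS key derivation; only the structure pre-master/shared secret → session key is the same. The handshake randoms are constructed values.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): ECDHE and RSA key exchange with the
# openssl CLI. Assumes openssl 1.1.1 or later on PATH. Files go to a temp directory.
set -eu

ecdhe_keygen() {            # $1 = path prefix; writes $1.key (ephemeral private) and $1.pub
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
  openssl ec -in "$1.key" -pubout -out "$1.pub" 2>/dev/null
}

ecdhe_shared_secret() {     # $1 = own private key, $2 = peer PUBLIC key; prints the secret as hex
  openssl pkeyutl -derive -inkey "$1" -peerkey "$2" | od -An -tx1 | tr -d ' \n'
}

session_key() {             # $1 = own private key, $2 = peer public key, $3 = random1, $4 = random2
  local secret
  secret=$(ecdhe_shared_secret "$1" "$2")
  # Simplified schedule (assumption, not the TLS PRF): key = HMAC-SHA256(shared secret, random1 || random2)
  printf '%s%s' "$3" "$4" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$secret" | awk '{print $NF}'
}

rsa_mode_demo() {           # $1 = working dir; the RSA key-exchange contrast, returns 0 on success
  openssl genrsa -out "$1/server-rsa.key" 2048 2>/dev/null              # long-term server key
  openssl rsa -in "$1/server-rsa.key" -pubout -out "$1/server-rsa.pub" 2>/dev/null
  openssl rand -out "$1/premaster" 48                                   # client's pre-master secret
  # ClientKeyExchange: the pre-master secret encrypted to the server's public key (PKCS#1 v1.5,
  # as in TLS RSA key exchange). This ciphertext is what a passive attacker records off the wire.
  openssl pkeyutl -encrypt -pubin -inkey "$1/server-rsa.pub" -in "$1/premaster" -out "$1/recorded.bin"
  # Later the long-term key leaks: the recording decrypts to the pre-master secret, and with it
  # every key that was ever derived from it.
  openssl pkeyutl -decrypt -inkey "$1/server-rsa.key" -in "$1/recorded.bin" -out "$1/recovered"
  cmp -s "$1/premaster" "$1/recovered"
}

demo() {
  local d kc ks
  d=$(mktemp -d)
  local r1=11111111 r2=22222222   # constructed: random1 (ClientHello), random2 (ServerHello)
  ecdhe_keygen "$d/client"        # client: private a, public A
  ecdhe_keygen "$d/server"        # server: private b, public B
  # Only client.pub (A) and server.pub (B) would cross the network.
  kc=$(session_key "$d/client.key" "$d/server.pub" "$r1" "$r2")   # client: a + B
  ks=$(session_key "$d/server.key" "$d/client.pub" "$r1" "$r2")   # server: b + A
  [ "$kc" = "$ks" ] && echo "ECDHE: both sides derived the same session key $kc"
  # Ephemeral: the private keys are discarded once the key is derived. What remains (A, B and a
  # recording of the traffic) does not yield the key, and the server's long-term certificate key
  # never touched a, b or the shared secret; it only signs the handshake.
  rm -f "$d/client.key" "$d/server.key"
  rsa_mode_demo "$d" && echo "RSA mode: the leaked long-term key recovered the recorded pre-master secret"
}
demo
```

Running the script prints one line for each mode. The third key pair in the check below plays the eavesdropper: deriving with a different private key against the same server public key yields a different secret, and changing either handshake random changes the session key even for the same shared secret.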

2.1 TLS 1.2 (RSA key exchange, no longer recommended)

Sequence (TLS 1.2, RSA key exchange):

  1. Client → Server: ClientHello (TLS version, cipher suites, random1)
  2. Server → Client: ServerHello (chosen version, cipher suite, random2)
  3. Server → Client: Certificate (contains the server's public key)
  4. Server → Client: ServerHelloDone
  5. Client verifies the certificate (CA signature, validity period, domain name)
  6. Client → Server: ClientKeyExchange (pre-master secret encrypted with the server's public key)
  7. Client → Server: ChangeCipherSpec, then Finished (encrypted hash of the handshake messages)
  8. Server → Client: ChangeCipherSpec, then Finished
  9. Symmetric encryption of application data begins

  Steps 1 to 6 are the asymmetric phase of the handshake.

What is ChangeCipherSpec?

  • A single-byte message that tells the peer: "starting with my next record, everything I send is encrypted."
  • Each side sends one, confirming the switch from the plaintext handshake phase to the encrypted phase. (TLS 1.3 no longer uses it for this purpose; a dummy ChangeCipherSpec is sent only for compatibility with middleboxes that expect to see it.)

Problem: if the server's private key leaks at any later date, an attacker who recorded the traffic can decrypt every past session (no forward secrecy).

2.2 TLS 1.2 (ECDHE) / TLS 1.3 (modern mainstream, recommended)

Sequence (ECDHE key exchange, TLS 1.2 / 1.3):

  1. Client → Server: ClientHello (cipher suites, random, ECDHE parameters)
  2. Server → Client: ServerHello (chosen suite, random, ECDHE parameters)
  3. Server → Client: Certificate + CertificateVerify (signature over the handshake with the server's private key)
  4. Both sides compute the shared key locally from the ECDHE parameters
  5. Client verifies the certificate and the CertificateVerify signature
  6. Server → Client: Finished; Client → Server: Finished
  7. Symmetric encryption of application data begins

  This is the TLS 1.3 shape of the handshake. In TLS 1.2 the ECDHE parameters are not carried in the Hello messages: the server sends them in ServerKeyExchange, signed with its private key, and the client replies with ClientKeyExchange; CertificateVerify is the TLS 1.3 message (in TLS 1.2 it exists only for client authentication). TLS 1.3 also already encrypts Certificate and CertificateVerify with keys derived from the ECDHE secret.

Why is this safer? The shared key is computed locally by each side and never transmitted, and the ephemeral parameters are discarded after the handshake. Even if the server's private key leaks later, recorded traffic cannot be decrypted (forward secrecy, PFS).

3. Asymmetric vs Symmetric Encryption

Feature          Asymmetric encryption              Symmetric encryption
Keys             public key + private key (a pair)  one shared key
Speed            100-1000x slower                   fast
Use              key exchange, signatures           bulk data encryption
When in TLS      handshake phase                    traffic after the handshake

The trick in TLS: use the slow asymmetric primitives only to establish a key securely, then switch to fast symmetric encryption for the data. That gives both security and performance.

4. What a Certificate Is

A certificate (SSL/TLS certificate) is a digital ID card issued by a trusted CA (certificate authority). It contains the domain name, the public key, the CA's signature and a validity period.

When the client receives the certificate it asks: "was this ID card really issued by the police bureau (the CA)?" It checks the signature against the CA certificate in its own trust store; if the signature holds (and the validity period and name match), the certificate is trusted.
Diagram: the certificate chain

  Root CA certificate (self-signed, kept offline)
    ↓ issues
  Intermediate CA certificate (issues certificates online)
    ↓ issues
  Server certificate (deployed on the server)
    contains: domain name / IP + public key + CA signature + validity period

5. The Certificate Files

Taking a self-built CA as the example, five files are produced:

File         Role                                                                 Analogy
ca.crt       CA root certificate; installed on clients as the trust anchor       the government seal
ca.key       CA private key; used to sign certificates                           the seal itself
server.crt   server certificate; sent to clients for verification                ID card
server.key   server private key; proves possession of the certificate's public key in the handshake (signs in ECDHE mode, decrypts the pre-master secret in RSA mode)   bank card PIN
server.csr   certificate signing request; the application form for a certificate   ID application form

In practice:

  • Only server.crt and server.key go onto the server
  • ca.crt goes onto the clients
  • ca.key must be stored safely and never leaked: you need it again to sign new certificates, and anyone who holds it can issue certificates that every client trusts

6. How to Generate Certificates

6.1 Self-signed certificates (recommended for internal networks)

Analogy: a self-signed certificate is a company badge

  • Public CA = an ID card issued by the police bureau (recognised by everyone)
  • Self-signed CA = a badge issued by the company's HR (valid only inside the company)

For an internal network a private CA (a self-signed root you create yourself, which then signs the server certificates) is enough; there is no need to pay for a public CA certificate.

Generating the certificates:
  1. Prepare san.cnf (domain names + SAN extension)
  2. Generate the CA private key and root certificate (openssl genrsa + req -x509)
  3. Generate the server private key and CSR (openssl genrsa + req)
  4. Have the CA sign the server certificate (openssl x509 -req)

  Result: ca.crt / server.crt / server.key

Modern browsers require a SAN (Subject Alternative Name)

Modern browsers such as Chrome 58+, Firefox and Safari no longer check the CN field; they only honour the SAN extension in the certificate.

Without a SAN, the browser reports NET::ERR_CERT_COMMON_NAME_INVALID, and a correctly filled CN does not help.

Therefore the commands below must carry the v3_req extension section together with the -extfile parameter.

Step 1: prepare the configuration file san.cnf (with SAN and CA attributes)

```ini
# san.cnf ------ shared by the CA and the server certificate; edit [alt_names] as needed
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = cloud.example.com

[v3_req]
subjectAltName = @alt_names
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[alt_names]
DNS.1 = cloud.example.com
DNS.2 = *.internal.example.com
IP.1 = 192.168.1.10
```

Step 2: generate the CA private key and root certificate

```bash
# Generate the CA private key (4096 bits recommended: the CA is the trust root, so use a stronger key)
openssl genrsa -out ca.key 4096

# Generate the self-signed CA root certificate (explicitly declare sha256 and CA:TRUE)
openssl req -new -x509 -days 3650 -sha256 -key ca.key -out ca.crt \
  -subj "/CN=My Private CA" \
  -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign"
```

Step 3: generate the server key and CSR

```bash
# Generate the server private key
openssl genrsa -out server.key 2048

# Generate the certificate signing request (san.cnf injects the SAN extension request)
openssl req -new -key server.key -out server.csr -config san.cnf
```

Step 4: have the CA sign the server certificate (carrying the SAN extension)

```bash
# Sign with the CA, explicitly using sha256, and write the v3_req extensions from san.cnf into the certificate
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out server.crt -days 825 -sha256 \
  -extfile san.cnf -extensions v3_req
```

About the -days validity period

  • Public CAs are bound by CA/B Forum rules: the maximum validity of a single-domain certificate is currently 397 days (about 13 months).
  • A private CA is not bound by this limit, but 825 days (the cap older browsers applied to DV certificates) or shorter is recommended, combined with automatic rotation.

Verify the generated certificate:

```bash
# Show the certificate details and confirm that the SAN has been written
openssl x509 -in server.crt -text -noout | grep -A 1 "Subject Alternative Name"
```

6.2 Free public CA (Let's Encrypt)

Analogy: Let's Encrypt = a free self-service certificate kiosk

  • Traditional CA (e.g. DigiCert) = queuing at the police station for an ID card (paid, slow review)
  • Let's Encrypt = self-service kiosk (free, issued in seconds, automatic renewal)
  • Suited to personal websites and development/test environments

Sequence diagram (participants: user, certbot, Let's Encrypt CA):

  1. User runs certbot certonly -d example.com
  2. certbot → CA: request a certificate (CSR)
  3. CA → certbot: challenge (HTTP-01 / DNS-01)
  4. certbot completes the challenge (places a file / adds a TXT record)
  5. CA: validation passes, certificate issued
  6. certbot saves the certificate to /etc/letsencrypt/

6.3 Wildcard certificates and SAN multi-domain certificates

A single server often has to serve several domains; there are three common approaches:

| Type | Example | Coverage | Use case |
| --- | --- | --- | --- |
| Single-domain certificate | cloud.example.com | one domain only | a single service |
| Wildcard | *.example.com | all subdomains at one level | many, frequently changing subdomains |
| SAN multi-domain (UCC) | a.com + b.com + x.a.com | any number of listed domains | several unrelated domains sharing one certificate |

Coverage comparison of the three certificate types (diagram):

  • SAN multi-domain (a.com + b.com + x.a.com): covers a.com, b.com, x.a.com; does not cover c.com
  • Wildcard (*.example.com): covers a.example.com, b.example.com; does not cover example.com (bare domain) or a.b.example.com (multi-level)
  • Single-domain (cloud.example.com): covers cloud.example.com; does not cover api.example.com or example.com

Analogy:

  • Wildcard = a "family badge": everyone in the Zhang family (*.zhang.com) can use it, but only at that one level; grandchildren (a.b.zhang.com) are not recognised
  • SAN = a "co-branded badge": company A on the front, with companies B and C also printed on the back (one certificate lists several domains)

Note the limits of a wildcard:

  • *.example.com matches only a.example.com, b.example.com and the like; it does not match example.com (the bare domain) or a.b.example.com (multi-level)
  • If the bare domain must be covered as well, add example.com to the SAN too
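The SAN and wildcard rules from steps 1-4 and the list above, as an added example that is not code from the original post: it builds in memory the same CA → server chain the openssl commands produce, with the SAN entries from san.cnf, and asks Go's standard verifier whether a client trusting only ca.crt would accept the certificate for each name. Keys are ECDSA P-256 instead of the page's RSA, and the withSAN=false case is an added assumption to show the CN-only failure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Chain is a private CA plus the server certificate it signed, held in memory.
type Chain struct {
	CA     *x509.Certificate
	Server *x509.Certificate
}

// issue signs tmpl with signer (self-signed when parent == tmpl) and parses the
// result: the in-process counterpart of "openssl req -x509" / "openssl x509 -req".
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain mirrors steps 2-4: a CA:TRUE root signs a leaf carrying the [v3_req]
// attributes of san.cnf. withSAN=false reproduces the mistake the text warns
// about (correct CN, no SAN). Keys are ECDSA P-256 for speed (the page uses RSA).
func BuildChain(serverDays int, withSAN bool) (*Chain, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{ // step 2: basicConstraints CA:TRUE, keyCertSign, cRLSign
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "My Private CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(0, 0, 3650),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	srvTmpl := &x509.Certificate{ // steps 3-4: CA:FALSE, serverAuth, SAN from [alt_names]
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "cloud.example.com"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(0, 0, serverDays),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		srvTmpl.DNSNames = []string{"cloud.example.com", "*.internal.example.com"}
		srvTmpl.IPAddresses = []net.IP{net.ParseIP("192.168.1.10")}
	}
	caCert, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	srvCert, err := issue(srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Chain{CA: caCert, Server: srvCert}, nil
}

// Covers reports whether a client that trusts only ca.crt accepts the server
// certificate for host. Go applies the browser rules from the text: CN is ignored,
// an IP literal needs an IP entry, and a wildcard matches exactly one label.
func (c *Chain) Covers(host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(c.CA)
	_, err := c.Server.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

func main() {
	chain, err := BuildChain(825, true)
	if err != nil {
		panic(err)
	}
	for _, h := range []string{"cloud.example.com", "api.internal.example.com", "192.168.1.10", "internal.example.com", "a.b.internal.example.com"} {
		fmt.Printf("%-26s covered=%v\n", h, chain.Covers(h))
	}
}
```

Go 1.15 and newer ignores the CN for hostname matching, which is the same behaviour as the browsers described in 6.1.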

Requesting a wildcard certificate from Let's Encrypt (DNS-01 validation is mandatory):

```bash
# A wildcard certificate requires DNS TXT record validation; HTTP-01 cannot be used
certbot certonly --manual --preferred-challenges dns \
  -d "*.example.com" -d example.com
```

6.4 Certificate validity and automatic renewal

Since 2020, certificate lifetimes have been shortened dramatically

  • The CA/B Forum has cut the maximum validity of DV single-domain certificates from several years to 397 days
  • Let's Encrypt certificates are valid for only 90 days
  • In 2025 Apple announced it would push for a further reduction to 47 days; certificate rotation will have to be automated

Why shorter? To narrow the window in which a leaked certificate and private key can be abused, and to push operations toward automation.

Let's Encrypt automatic renewal (built into certbot):

```bash
# Dry-run the renewal flow (does not actually renew; run this before going live)
certbot renew --dry-run

# The renewal command can go into cron / a systemd timer; the certbot package usually sets this up on installation
certbot renew --quiet

# After renewal, reload the services that depend on the certificate:
# place an executable script such as the following in /etc/letsencrypt/renewal-hooks/deploy/
#!/bin/bash
systemctl reload nginx
systemctl reload dovecot
```

Rotation advice for the private-CA scenario:

  • Script the generation commands and name certificate files by version or date (e.g. server-202606.csr)
  • Set up expiry monitoring (Prometheus blackbox_exporter, Nagios check_cert and similar can report the days remaining on a certificate)
  • Trigger re-issuance and distribution automatically 30 days before expiry

7. How clients obtain the CA certificate

Analogy: installing the CA certificate = registering with the compound's access-control system

For the access-control system at your residential compound, the property office first has to enter your family's details before a face scan lets you in.

ca.crt is that "enter the details" step.

Public internet scenario (diagram):

  preinstalled → operating system / browser → public CA certificates → verified automatically, no manual installation needed

Intranet scenario (diagram):

  private CA → ca.crt → installed manually on each client → into the system trust store → verified automatically on connection

7.1 Installation methods

| Platform | Installation location |
| --- | --- |
| Windows | Trusted Root Certification Authorities |
| macOS | Keychain → System → add and mark as trusted |
| Android | Security → Encryption & credentials → Install a certificate |
| iOS | Profile → Install → enable trust in Settings |

8. SSL vs TLS

Analogy: SSL vs TLS = the term "dial-up"

Nobody says "dial-up" any more, but "going online" is still with us.

SSL is deprecated, but the name "SSL certificate" has stuck; what is actually in use is TLS.
SSL/TLS protocol evolution (timeline):

| Version | Year | Status |
| --- | --- | --- |
| SSL 2.0 | 1995 | deprecated |
| SSL 3.0 | 1996 | deprecated |
| TLS 1.0 | 1999 | deprecated |
| TLS 1.1 | 2006 | deprecated |
| TLS 1.2 | 2008 | current, mainstream for compatibility |
| TLS 1.3 | 2018 | current, recommended |

| Version | Status | Characteristics |
|---|---|---|
| SSL 2.0/3.0 | Deprecated | Serious vulnerabilities (POODLE and others) |
| TLS 1.0/1.1 | Deprecated | Fully disabled by mainstream browsers and CAs since 2020 |
| TLS 1.2 | Compatible mainstream | Still widely used, kept as the compatibility path for old clients |
| TLS 1.3 | Recommended mainstream | Faster (1-RTT) and more secure (PFS is mandatory); now more than 70% of all HTTPS traffic on the web |

9. TLS deployment scenarios in enterprise intranets

The typical architecture is a reverse proxy plus internal forwarding:

Analogy: reverse proxy architecture = company front desk

  • External users = visitors
  • Nginx reverse proxy = the front desk (receives visitors, verifies identity, forwards tickets)
  • Backend microservices = the departments (they only handle work forwarded by the front desk)

Nginx is the front desk's sorting rule: "this request is for the order service, forward it there"
[Figure: External users --TLS--> Nginx reverse proxy --internal forwarding--> backend microservices. Encryption scope: TLS terminates at Nginx; the certificate is deployed on Nginx.]

9.1 Multiple services sharing one certificate

Certificate (a single one)
├── Domain: api.example.com
├── Public key + private key
└── Deployed on the Nginx reverse proxy

Advantage: simple to implement; clients only need to trust one CA

Disadvantage: if the certificate (and its private key) leaks, every backend service behind it is affected
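As an added example (not the article's own configuration), the Nginx server block below puts sections 9 and 9.1 into practice: TLS terminates at the proxy with the single shared certificate, only the protocol versions marked current in the table above are offered, and requests are routed by path to plaintext internal services. The host name, certificate paths and upstream addresses are assumed placeholders.

```nginx
# Added example: Nginx as the TLS-terminating reverse proxy ("front desk").
# Host name, certificate paths and upstream addresses are assumed placeholders.

# Internal microservices, reachable over plaintext HTTP only through this proxy
upstream order_service {
    server 10.0.1.10:8080;   # assumed internal address of the order service
}
upstream user_service {
    server 10.0.1.11:8080;   # assumed internal address of the user service
}

# Redirect plaintext HTTP to HTTPS so nothing is ever served unencrypted
server {
    listen 80;
    server_name api.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name api.example.com;

    # The single certificate of section 9.1: the private key exists only on this host
    ssl_certificate     /etc/nginx/tls/api.example.com.fullchain.pem;  # assumed path
    ssl_certificate_key /etc/nginx/tls/api.example.com.key;            # assumed path, root-readable only

    # Per the version table: no SSL 3.0 / TLS 1.0 / TLS 1.1; TLS 1.2 kept for old clients
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Front-desk sorting rule: which department (service) gets this request
    location /orders/ {
        proxy_pass http://order_service;   # TLS ends here; the internal hop is plaintext
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
    }
    location /users/ {
        proxy_pass http://user_service;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

Because the internal hop is plaintext, the network between Nginx and the upstreams must be one that only the proxy can reach; the certificate's trust does not extend past the proxy.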


!info Next article

Part 2: [HTTPS-TLS加密与证书完全指南(中)] --- certificate chains, certificate revocation, CT, HSTS, mTLS, PFS, common TLS attacks
