https://yy-tech.online/tags/ca/ Recent content in CA on H&W Hugo en Thu, 28 May 2026 00:53:02 +0800 https://yy-tech.online/post/https-self-signed-certificate/ Tue, 07 Apr 2020 12:20:45 +0800 https://yy-tech.online/post/https-self-signed-certificate/ <h2 id="motivation">Motivation</h2> <p>We wanted to set up a lightweight HTTPS server on an internal company network without purchasing a certificate from a public CA. The solution: build our own private Certificate Authority (CA) and issue a self-signed certificate.</p> <hr> <h2 id="tls-handshake-overview">TLS Handshake Overview</h2> <p><img alt="TLS handshake" loading="lazy" src="https://yy-tech.online/images/ssl.png"></p> <ol> <li>The browser connects to <code>https://demowebsite.com</code>.</li> <li>The server returns its certificate (containing the server&rsquo;s public key).</li> <li>The browser verifies the certificate against a trusted CA.</li> <li>The browser generates a random symmetric key <strong>K</strong> and encrypts it with the server&rsquo;s public key.</li> <li>The server decrypts <strong>K</strong> using its private key — both sides now share <strong>K</strong>.</li> <li>All subsequent traffic is encrypted with <strong>K</strong>.</li> </ol> <hr> <h2 id="setting-up-a-root-ca">Setting Up a Root CA</h2> <p>Best practice: the root CA <strong>never signs end-entity certificates directly</strong>. Instead it signs an intermediate CA, whose key is used for day-to-day issuance. The root key can then be kept offline.</p>