Before we talk about certs, we need to know how your browser communicates with a web server using encrypted data while browsing.
private cert & public cert
- public cert
When the URL of the website you are browsing starts with https://, you get the web server's public cert. It has a security key called the public key, which is used to generate random secret keys to contact the server.
- private cert
It's another cert, which is generated on the web server. There's another secret key on this cert as well (the private key). To ensure it's safe from anyone who tries to decrypt the data, it's not public and is only kept on the server.
encrypt && decrypt
When you browse an HTTPS website, both the browser and the server send their data encrypted.
If the server uses the private key to encrypt data, it can be decrypted using the public key, and the other way around. This process is called asymmetric encryption.
Now that we know the browser can get the public key, it follows that the browser can use it to generate a random secret string. Before the server starts receiving the request, it receives the string, uses the private key to decrypt it, and confirms receipt by responding to the browser. Now the browser starts sending the request to the server, and the server uses the random secret string to decrypt the data; the same random string is used to encrypt the response sent back to the browser. This process is called symmetric encryption.
After that, even if a hacker gains access to your data on its way to the browser or server, they cannot decrypt it, since they don't know the random secret or the private key. That makes it more secure than unencrypted transmission.
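The flow described above, as an added example that is not part of the original page: the browser wraps a random secret with the server's public key, the server unwraps it with the private key, and both sides then encrypt traffic with that shared secret. The key pair (textbook RSA from two Mersenne primes, no padding), the SHA-256 keystream cipher, and all names and sample messages are toy stand-ins constructed for illustration.

```python
import hashlib
import secrets

# Constructed toy server key pair: textbook RSA from two Mersenne primes, no padding.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                  # public key, carried in the server's public cert
D = pow(E, -1, (P - 1) * (Q - 1))    # private key, stays on the server

def browser_wrap_secret(n, e):
    """Browser: pick a random secret string and encrypt it with the public key."""
    secret = secrets.token_bytes(16)
    return secret, pow(int.from_bytes(secret, "big"), e, n)

def server_unwrap_secret(wrapped, d, n):
    """Server: recover the random secret string with the private key."""
    return pow(wrapped, d, n).to_bytes(16, "big")

def symmetric(key, direction, data):
    """Toy symmetric cipher (assumption, stands in for a real one): XOR with a
    SHA-256 counter keystream. The same call encrypts and decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + direction + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def demo():
    # Asymmetric step: only `wrapped` crosses the network.
    browser_key, wrapped = browser_wrap_secret(N, E)
    server_key = server_unwrap_secret(wrapped, D, N)
    # Symmetric step: both sides now use the same random secret.
    request = symmetric(browser_key, b"c2s", b"GET /account HTTP/1.1")
    seen_by_server = symmetric(server_key, b"c2s", request)
    response = symmetric(server_key, b"s2c", b"HTTP/1.1 200 OK")
    seen_by_browser = symmetric(browser_key, b"s2c", response)
    # A listener on the wire has the public key and the ciphertexts, but not the
    # secret or D, so a guessed key yields garbage.
    guess = symmetric(secrets.token_bytes(16), b"c2s", request)
    return browser_key == server_key, seen_by_server, seen_by_browser, guess

if __name__ == "__main__":
    print(demo())
```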
cert
A cert is issued by a CA (Certificate Authority). It's one to one with the domain name, and it uses a digital signature to ensure the legitimacy of the server.
cert chain
The problem is: when a hacker builds a fake server, catches your data packets and sends you their public cert, how do we overcome this kind of situation?
To do so, the system or browser has every legal CA's public key, so when a hacker builds a fake website, the browser uses the corresponding CA's public cert to make sure the server is legal. The hacker does not have a legal cert. He could have built a CA and used it to issue a server cert, but your browser or system couldn't find the corresponding cert, because it doesn't have his CA root cert, so it warns you that your connection is not private.
just like that
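Articles like this would actually be even better if they introduced some simple, easy-to-understand asymmetric encryption / key agreement algorithms.
Because it seems that what puzzles many people most is why there can be two keys (public key and private key). ECDH is not easy to understand, but DH/RSA are fairly easy to understand.
My head hurts as soon as I see English; after reading a few keywords I roughly know what it's about.
Learning for fun
Nice article, I like it a lot
Thanks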