Secure Sockets Layer (SSL) is a cryptographic protocol used to provide communication security over the Internet. Its successor, Transport Layer Security (TLS), is what current servers and browsers actually negotiate, but the name SSL persists in tools and configuration. SSL-enabled Web sites use a different URL prefix, https, to indicate that HTTP requests and document transfers are encrypted.

Understanding SSL and Server Certificates

SSL uses public key cryptography, in which each party holds a pair of keys: one key is public and accessible to everyone; the other is private, so only its owner can use it. With RSA, the algorithm used by the commands on this page, either key of the pair can transform data that only the other key can reverse. The public key is carried inside the server's certificate, which is how a client obtains it to verify data signed by the server and to encrypt data for the server.

Implementation of SSL

Data encrypted with the public key can be decrypted only with the private key. This is how a client can send a secret that only the server can read.

Data encrypted with a private key can be decrypted only with the matching public key. This is a digital signature: anyone holding the public key can confirm that the holder of the private key produced the data.

Digital certificates work on two simple principles, encryption and trust:

  • SSL encrypts the communication between a Web server and a Web client, so that intercepted data is not readable, and protects each record with a message authentication code, so that any accidental or deliberate alteration in transit between the server and the client is detected. Encryption alone does not guarantee integrity; the authentication code does.
  • Digital certificates provide a certain level of assurance, or trust, that the identities behind a Web server and a Web client are genuine, that is, that the server or client is not being operated by an impostor. A certificate authority (CA) verifies the identity of the organization or entity operating a Web site before issuing its certificate.

A certificate contains the following information:

  • The owner’s email address (optional)
  • The owner’s name and other identifying details, held in the subject’s Distinguished Name (DN)
  • How the certificate can be used (key usage)
  • How long the certificate is valid (the not-before and not-after dates)
  • The address of the Web site for which the certificate has been issued (the host name, in the subject’s Common Name and, in current certificates, in the subjectAltName extension that browsers actually check)
  • The public key associated with the certificate
  • The issuer’s digital signature: a message digest (hash) of the certificate contents, encrypted with the issuer’s private key, which confirms that the certificate has not been altered since it was issued. The certificate also carries the identity of the CA that issued it and that certified (signed) the information it contains.


A CA’s certificate is referred to as a root certificate because it forms the basis, or root, of a tree of trust: if you trust the CA’s root certificate, you trust the certificates issued and signed by that CA. (A certificate does not become trusted until it is signed by a CA whose root the client already holds.) Most browsers and operating systems come preloaded with the root certificates of several recognized CAs.
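The two key-pair principles above, and the hash-then-sign step a CA performs on a certificate, exercised with the openssl command line. This is an added example, not code from the original page; the key pair, file names and the signed text are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): the two key-pair principles from
# the text, run through the openssl CLI. Files live in a scratch directory.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A key pair. The private half stays with its owner; the public half is what
# ends up inside a certificate.
gen_keypair() {
    openssl genrsa -out "$WORK/priv.pem" 2048 2>/dev/null
    openssl rsa -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null
}

# Principle 1: encrypt with the public key, decrypt with the private key.
# Prints the recovered plaintext (OAEP padding, which is what you want for RSA
# encryption; -pkeyopt must follow -inkey on older OpenSSL releases).
encrypt_then_decrypt() {
    printf '%s' "$1" > "$WORK/msg.txt"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/msg.txt" -out "$WORK/msg.enc"
    openssl pkeyutl -decrypt -inkey "$WORK/priv.pem" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/msg.enc"
}

# Principle 2: sign with the private key, verify with the public key. This is
# exactly what a CA does to a certificate: hash the contents (SHA-256 here) and
# sign the hash. verify() returns 0 when the signature checks out, 1 otherwise.
sign()   { openssl dgst -sha256 -sign "$WORK/priv.pem" -out "$WORK/msg.sig" "$1"; }
verify() { openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/msg.sig" "$1" >/dev/null 2>&1; }

# Changing a single character of the signed data must break verification.
# The content is a constructed stand-in for certificate fields.
tamper_check() {
    printf 'CN=www.example.test, valid until 2030' > "$WORK/cert.txt"
    sign "$WORK/cert.txt"
    verify "$WORK/cert.txt" || { echo "unexpected: genuine data failed to verify"; return 1; }
    printf 'CN=www.example.test, valid until 2031' > "$WORK/cert.txt"
    if verify "$WORK/cert.txt"; then echo "unexpected: tampered data verified"; return 1; fi
    echo "tamper detected"
}

gen_keypair
printf '%s\n' "$(encrypt_then_decrypt 'hello over https')"
tamper_check
```

Run it as an ordinary user; it needs only the openssl binary and a writable temp directory. The decrypt step prints the original text, and the tamper step shows why a CA's signature over a certificate cannot be carried over to an altered copy.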

Users can self-sign a certificate, but a browser will not recognize it as trusted and will warn before connecting. The CAs that could sign a certificate and were recognized by the major browsers when this was written are listed below. The list and its URLs are dated, several of these brands have since merged or been acquired, and the current set of trusted roots is whatever your browser’s or operating system’s trust store ships:

  1. Cybertrust (betrusted.com/products/ssl/shop/index.asp)
  2. Entrust (entrust.com/certificate_services/)
  3. GeoTrust (geotrust.com/web_security/index.htm)
  4. GlobalSign (globalsign.net/digital_certificate/serversign/index.cfm)
  5. GoDaddy (godaddyssl.com)
  6. Thawte Consulting (thawte.com/ssl123)
  7. Verisign (verisign.com/products-services/securityservices/ssl/buy-ssl-certificates/index.html)

Creating a Self-Signed Certificate

The process to create a self-signed certificate on a Red Hat-style system, using the Makefile that ships in /etc/pki/tls/certs, is as follows:

  1. Change directories to /etc/pki/tls/certs:

# cd /etc/pki/tls/certs

  2. Create a key pair:

# make genkey
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > /etc/pki/tls/private/localhost.key
Generating RSA private key, 1024 bit long modulus
……………++++++
…….++++++
e is 65537 (0x10001)
Enter pass phrase:
Verifying – Enter pass phrase:

The key is written to /etc/pki/tls/private/localhost.key. Two things to note about what the Makefile did: the key is 1024 bits, which is below the 2048-bit minimum that CAs and browsers have required for years, so generate a 2048-bit key if your Makefile still defaults to 1024; and -des3 encrypts the key under the pass phrase, so Apache will prompt for it at every start unless you strip the pass phrase from the key file or configure SSLPassPhraseDialog.

  3. Create a certificate signing request, to be sent to a certificate authority:

# make certreq
umask 77 ; \
/usr/bin/openssl req -new -key /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.csr
Enter pass phrase for /etc/pki/tls/private/localhost.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Maharastra
Locality Name (eg, city) [Newbury]:Navi Mumbai
Organization Name (eg, company) [My Company Ltd]:Epsilons Edu Tech
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server’s hostname) []:blahblah.foo.com
Email Address []:blahblah@foo.com

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:bubba
An optional company name []:

The resulting file is /etc/pki/tls/certs/localhost.csr. A certificate signing request (CSR) is what you send to a CA so that it can issue a CA-signed certificate to install on the Web server. The Common Name must be the exact host name clients will type; the challenge password is a request attribute, not part of the resulting certificate, and can be left blank.

  4. Create the self-signed certificate:

# make testcert
umask 77 ; \
/usr/bin/openssl req -new -key /etc/pki/tls/private/localhost.key -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt
Enter pass phrase for /etc/pki/tls/private/localhost.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Enter the same DN details as in the previous step.

The -x509 option is what turns the request into a certificate; without it, openssl req writes a second CSR. You can find the newly created certificate in /etc/pki/tls/certs/localhost.crt. The Apache mod_ssl configuration (/etc/httpd/conf.d/ssl.conf) already points SSLCertificateFile at this location and SSLCertificateKeyFile at /etc/pki/tls/private/localhost.key, so there is nothing further to install.

Finally, restart the Apache server so that the new key and certificate are loaded. Because the key was created with a pass phrase, httpd will ask for it during startup.
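The four steps above as one non-interactive script, with what a current deployment needs (a 2048-bit key, a subjectAltName, -x509 for the self-signed step), plus a throwaway CA that signs the same CSR to show the tree of trust described earlier. This is an added example and not the page’s or the Makefile’s own code. Assumptions: files go to a scratch directory instead of /etc/pki/tls, the host name is www.example.test, and the DN values are the ones typed at the prompts above.

```shell
#!/bin/sh
# Added example (not from the original page). Builds a key, a CSR, a self-signed
# certificate and a CA-signed certificate in a scratch directory, then runs the
# checks worth doing before pointing Apache at the files.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=www.example.test                    # assumed host name
KEY=$WORK/localhost.key; CSR=$WORK/localhost.csr; CRT=$WORK/localhost.crt
CONF=$WORK/req.cnf; CAKEY=$WORK/ca.key; CACRT=$WORK/ca.crt; SIGNED=$WORK/signed.crt

# Request config: the DN fields the text prompts for, answered here instead of
# interactively, plus extension sections. Browsers match the host against the
# subjectAltName, not the CN, so a certificate without one is rejected.
cat > "$CONF" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C  = IN
ST = Maharashtra
L  = Navi Mumbai
O  = Epsilons Edu Tech
OU = Linux
CN = $HOST
[ server_ext ]
subjectAltName = DNS:$HOST, DNS:localhost
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Step 2: the key. 2048 bits instead of the Makefile's 1024, created under
# umask 077 as the Makefile does. No pass phrase (-des3 omitted) so httpd can
# start unattended; the file permissions protect the key instead.
gen_key() { (umask 077; openssl genrsa -out "$1" 2048 2>/dev/null); }

# Step 3: the CSR that would go to a CA, carrying the SAN as a request extension.
gen_csr() { openssl req -new -key "$KEY" -config "$CONF" -reqexts server_ext -out "$CSR"; }

# Step 4: -x509 is what makes this a certificate rather than a second CSR.
gen_selfsigned() {
    openssl req -new -x509 -key "$KEY" -config "$CONF" -extensions server_ext \
        -days 365 -sha256 -out "$CRT"
}

# Tree of trust: a throwaway root CA signs the CSR. Anything holding ca.crt then
# trusts signed.crt without ever having seen it before.
ca_sign_csr() {
    gen_key "$CAKEY"
    openssl req -new -x509 -key "$CAKEY" -config "$CONF" -subj "/CN=Example Root CA" \
        -extensions ca_ext -days 365 -out "$CACRT"
    openssl x509 -req -in "$CSR" -CA "$CACRT" -CAkey "$CAKEY" -CAcreateserial \
        -extfile "$CONF" -extensions server_ext -days 365 -sha256 -out "$SIGNED" 2>/dev/null
}

# Checks. key_matches_cert: the public key inside the certificate is the public
# half of our private key (a mismatch is the classic reason httpd refuses to start).
key_matches_cert() {
    [ "$(openssl pkey -in "$KEY" -pubout | openssl sha256)" = \
      "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" ]
}
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$HOST"; }
# openssl verify succeeds only when the chain ends at a certificate in -CAfile.
verifies_against() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

gen_key "$KEY"; gen_csr; gen_selfsigned; ca_sign_csr
key_matches_cert "$CRT" || { echo "key/cert mismatch" >&2; exit 1; }
cert_has_san "$CRT"     || { echo "no subjectAltName" >&2; exit 1; }
verifies_against "$CRT" "$CRT"      || { echo "self-signed cert rejected as its own anchor" >&2; exit 1; }
verifies_against "$CACRT" "$SIGNED" || { echo "CA-signed cert failed chain check" >&2; exit 1; }
if verifies_against "$CACRT" "$CRT"; then echo "unexpected: CA trusts the self-signed cert" >&2; exit 1; fi
echo "self-signed and CA-signed certificates checked"
```

The last three checks are the whole point of the trust section: the self-signed certificate verifies only when it is itself supplied as the trust anchor, which is why a browser warns about it; the CA-signed copy of the same request verifies against ca.crt alone. On the real system, copy the key to /etc/pki/tls/private/localhost.key and the certificate to /etc/pki/tls/certs/localhost.crt (the paths ssl.conf expects), run apachectl configtest, then restart httpd.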

Denish Patel

Thanks a lot for such enlightening efforts you are making to help us go on professional development and be introduced to international education.

Comments
  • Mahantesh Gurav says:
    25/10/2017

    I am glad to know about the jargons of online learning. It would be a bit of a minefield if you did not get it explained to you.