Thursday, April 29, 2021

SSL Certificates Overview and FAQs

What is SSL?


- Stands for Secure Sockets Layer
- It provides encrypted communication between two systems (the protocol actually
  in use today is its successor, TLS, but "SSL certificate" has stuck as the
  everyday name)

What are SSL certificates?


- It serves as your website's ID
- You get it from a CA (e.g. Verisign, GlobalSign, etc.)
- Before the CA issues you an SSL certificate, it runs a series of checks
  to make sure that you are the legitimate owner of the domain and not an
  attacker/hacker
- Once the CA has issued it, you install it on your web server
- The CA will not issue that certificate to anybody except you
- SSL certificates usually come as a .crt file (e.g. mycompany.crt); the .crt is
  public and can be shared freely, unlike the private key

What are public and private keys?


- You generate your own public and private key (a key pair)
- Your public key can be sent to anyone who is going to send information to you
- That person encrypts his/her message using the public key you sent
- You decrypt that message using your private key
- The private key must be kept to you only
- See "public and private keys.jpg" as an example

What is a CSR?


- It stands for Certificate Signing Request
- It is what you send to an SSL provider (or CA)
- It is a block of base64-encoded text (not encrypted; anyone can decode and
  read it) generated on the server that the SSL certificate will be used on
- It contains information that will be included in your certificate such as your
  organization name, common name (domain name), locality, and country
- It also contains the public key that will be included in your certificate
- The private key is usually created at the same time as the CSR, and it stays on
  your server; only the CSR goes to the CA
- The CA uses the CSR you sent to create your SSL certificate
- The certificate created from a particular CSR will only work with the private
  key that was generated with it
- So if you lose the private key, the certificate can no longer be used and you
  have to generate a new key pair and CSR

All about CA trust


Certificate trust works by having a list of trusted CAs (a trust store) on the
client's side. That list usually belongs to the operating system (Windows, macOS,
Android, iOS) or to the browser itself: Mozilla Firefox ships its own list, while
other browsers typically use the operating system's.

When you visit a secure website (URL starting with https://), your browser checks
whether the website's certificate is signed by one of the trusted CAs on its
list, either directly or through an intermediate CA that itself chains up to one
of them. If yes, the browser opens the site for you without any warnings.

If no, then it will check if the certificate of the  

source: https://www.sslshopper.com/what-is-a-csr-certificate-signing-request.html

How to create a certificate chain?

Create a certificate.pem with the following content (your own certificate first,
then the intermediate, then the root):

-----BEGIN CERTIFICATE----- 
(Your Primary SSL certificate: your_domain_name.crt) 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
(Your Intermediate certificate: DigiCertCA.crt) 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
(Your Root certificate: TrustedRoot.crt) 
-----END CERTIFICATE-----
Then check it with "openssl x509 -in certificate.pem -noout -subject". openssl
x509 only reads the first certificate in the file, so the subject it prints must
be your domain, not the root CA. If it shows the CA instead, the order is
reversed: put your own certificate first, then the intermediate, then the root.
Strictly speaking the root does not need to be in the chain file at all, since
the client already has it in its trust store; what must be there is every
intermediate between your certificate and the root.
