Sunday, June 2, 2013

SSL and certificates

Terms:

  • SSL (Secure Sockets Layer) - a security protocol that authenticates a server to a client and encrypts the connection between them. Its successor is TLS (Transport Layer Security); "SSL" is still used loosely to mean both.
  • https - the URL scheme of a website served over SSL/TLS (HTTP carried inside the encrypted connection, on port 443 by default)
  • SSL Certificate - a small data file, signed by a CA, that binds a public key to an identity. It contains the public key of a key pair (the matching private key stays on the server and is never part of the certificate) and the subject the certificate identifies. Typically an SSL Certificate will contain your domain name (plus any additional hostnames it covers, as Subject Alternative Names), your company name, your address, your city, your state and your country. It will also contain the expiration date of the Certificate and details of the Certification Authority responsible for the issuance of the Certificate.
  • Certificate Authority or CA - the issuer of SSL Certificates. It checks that the applicant controls the domain and, for higher validation levels, researches the company and checks references, then signs the certificate with its own private key. The CA does not encrypt any traffic; its signature is what lets a client trust a server it has never seen before, provided the client already trusts the CA.
  • certificate chain - the server's certificate, the intermediate CA certificate(s) that signed it, and finally a root CA certificate that the client already trusts. Each certificate is signed by the next one up, so the client can walk the chain from the server's certificate to a known root.
  • public, private, and session keys - the public and private keys are an asymmetric pair: anything encrypted with the public key can only be decrypted with the private key, and a signature made with the private key can be verified by anyone holding the public key. The session key is a symmetric key agreed during the handshake; after the secure connection is made, it is used to encrypt all transmitted data, because symmetric encryption is far faster than public-key operations.

Server Setup: (http://www.lwithers.me.uk/articles/cacert.html)

  1. In order for a server to handle SSL connections, SSL/TLS must be enabled in the web server software.
  2. The administrator is prompted for several details about the identity of the website or organization (domain name, organization, location).
  3. The server generates a key pair and a CSR (Certificate Signing Request). The CSR contains the public key and the identity details and is signed with the private key; the private key itself stays on the server and is never sent to the CA.
  4. The CA verifies the identity in the CSR, then signs the public key and identity with its own private key to produce the certificate. The CA does not create or hold the server's private key.
  5. The CA sends back the signed SSL certificate, normally together with the intermediate certificate(s) needed to complete the chain.
  6. The server installs the SSL certificate and intermediates alongside the private key generated in step 3. (http://www.digicert.com/ssl-certificate-installation.htm)

How it works:
  1. Browser connects to a web server secured with SSL (https). Browser requests that the server identify itself.
  2. Server sends a copy of its SSL Certificate (including the server's public key) and any intermediate certificates, so that the client can check that it can be trusted. The SSL Certificate was obtained from a CA.
  3. Browser builds the chain from the server's certificate up to a root in its list of trusted CAs, and checks that the certificate is unexpired, unrevoked, and that its name (common name or subject alternative name) matches the website it is connecting to. If the browser trusts the certificate, it creates a symmetric session key (strictly, a pre-master secret from which the session keys are derived), encrypts it with the server's public key, and sends it back. --- "SSL handshake"
  4. Server decrypts the symmetric session key using its private key; only the holder of that key can do so, which is how the server proves it is the subject of the certificate. It then sends back an acknowledgement (the Finished message) encrypted with the session key to start the encrypted session. (With ephemeral Diffie-Hellman in TLS 1.2, and always in TLS 1.3, the session key is instead derived from a key agreement and the server proves possession of its private key by signing the handshake; the certificate checks in step 3 are unchanged.)
  5. Server and Browser now encrypt all transmitted data with the session key.
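The two procedures above, Server Setup and the certificate checks of the handshake, carried through in working code as an added example; it is not code from the original post or from the DigiCert or CAcert pages it links. It uses Go's standard crypto/x509 and crypto/tls packages. The CA is a self-signed root created in-process to stand in for a real CA, and the names Example Root CA and www.example.com are assumptions. One caveat: the key exchange it runs is whatever current TLS negotiates (an ephemeral Diffie-Hellman agreement, with the server proving possession of its private key by signing the handshake), not the encrypt-the-session-key-with-the-server's-public-key exchange described in steps 3 and 4; the certificate checks are the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const caName, host = "Example Root CA", "www.example.com" // assumed names, not from the page

// mint signs tmpl with signer's private key; parent == tmpl gives a self-signed root.
func mint(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newRootCA stands in for the CA. Clients ship the root certificate; only the
// CA holds the private key that signs other certificates.
func newRootCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := mint(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// newServerKeyAndCSR is the server's half of "Server Setup": the key pair is made
// locally and the CSR carries only the public key and identity, signed with the
// private key as proof of possession. The private key never leaves the server.
func newServerKeyAndCSR(dnsName string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName}}, key)
	return key, csr, err
}

// issueCert is the CA's half: verify the CSR's self-signature, then sign the public
// key and identity with the CA key. The CA neither creates nor sees the server's key.
func issueCert(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey, notAfter time.Time) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, csr.PublicKey, caKey)
}

// browserCheck is step 3 of "How it works": chain to a trusted root, validity
// at time now, and a name match against the host the client is connecting to.
func browserCheck(leaf *x509.Certificate, roots *x509.CertPool, dnsName string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName, CurrentTime: now})
	return err
}

// handshake runs a real TLS handshake over loopback: the server presents the certificate and
// proves it holds the private key; the client repeats the browserCheck checks from its config.
func handshake(leaf *x509.Certificate, key *ecdsa.PrivateKey, roots *x509.CertPool, serverName string) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // server side; a certificate the client rejects shows up here as an alert
		if conn, err := ln.Accept(); err == nil {
			conn.(*tls.Conn).Handshake()
			conn.Close()
		}
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: serverName})
	if err == nil { // nil means chain, validity and name checked out and session keys were agreed
		c.Close()
	}
	return err
}
```

Calling newRootCA, newServerKeyAndCSR and issueCert in that order reproduces the setup steps; handshake then plays both sides over 127.0.0.1. The failures worth trying are browserCheck with the wrong host name, a CurrentTime past NotAfter, or an empty CertPool, each of which Go reports as a distinct error, and a handshake whose ServerName does not match the certificate, which the client aborts before any session key exists.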

Commands:

  • the default password of the Java cacerts keystore is changeit; change it on production systems, since anyone who knows it can add a trusted root
  • list certificates
    keytool -list -v -keystore [cacert location], ex. keytool -list -v -keystore cacerts.jks
  • list certificates to a text file
    keytool -list -v -keystore [cacert location] > [text file path]
    keytool -list -v -keystore "C:/Program Files (x86)/Java/jre6/lib/security/cacerts" > java_cacerts.txt
  • delete certificate (used when a certificate is expired or should no longer be trusted)
    keytool -delete -v -alias [alias] -keystore [cacert location], ex. keytool -delete -v -alias [alias] -keystore cacerts.jks
  • add (import) a trusted certificate to cacerts; every Java program using this keystore will then trust certificates signed by it, so check the fingerprint keytool prints before answering yes
    keytool -import -alias [alias name] -keystore [cacert location] -file [cert to add path]
    keytool -import -alias Verisign -keystore "C:/Program Files (x86)/Java/jre6/lib/security/cacerts" -file C:/bel/docs/certs/Verisign.cer


Source:
http://www.digicert.com/ssl.htm
