SSL certificate intro
From wikinotes
Intro
What Certificates Do
Certificates do two things:
- they inform the user that a trusted third party has verified that you received information from the IP address you requested
- they contain a cryptographic public key that is used to encrypt data sent to the server.
What is Certificate Signing?
A CSR (Certificate Signing Request) is a request for your Certificate Authority to validate that the domains mentioned in your certificate are really yours.
During a CSR, your Certificate Authority will often ask you to place a file on your web server, or add a DNS record to your domain. It uses this information to verify that the website it reaches is valid, signs your certificate, and returns it to you.
SSL Handshake
A transaction over HTTPS looks like this:
+-------+   1 request public key                 +----------+
| User  |   -------------------------------->>>  | Web      |
|       |                                        | Server   |
|       |   2- return public key (cert)          |          |
|       |      with additional info certifying   |          |
|       |      web server is who you think it is |          |
|       |   <<<--------------------------------  |          |
|       |                                        |          |
|       |   3- User decides whether to trust     |          |
|       |      contents based on cert            |          |
|       |                                        |          |
|       |                                        |          |
|       |   4- User accepts cert, uses public    |          |
|       |      key to encrypt data sent to       |          |
|       |      server, also sends server its     |          |
|       |      own public key so server can      |          |
|       |      encrypt info for user only.       |          |
|       |   <<<----------------------------->>>  |          |
+-------+                                        +----------+
Rules
- you can issue an SSL certificate to one or more domains (ex: mydomain.com). An SSL certificate that is valid for multiple domains is a SAN certificate.
- you can also issue SSL certificates for subdomains (ex: subdomain.mydomain.com)
- you can also issue wildcard certificates, which are valid for all subdomains of a domain (ex: *.mydomain.com)
- one SSL certificate may be shared by any number of servers hosted at a domain mentioned in the certificate (the certificate has already been validated)
Redirecting traffic while using SSL is possible.
- the original route should return a 301 Moved Permanently (or at least a 300-series HTTP redirect status)
- the certificate used at your final destination should be valid for all domains the request passes through
  - ex: example.com -> a.example.com -> b.example.com
  - the certificate must be valid for: example.com, a.example.com, b.example.com
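As an added example (not part of the original wiki note), the following Python checks whether every hostname in a redirect chain is covered by a certificate's SAN list, applying the SAN and wildcard rules above; the SAN lists and the redirect chain are constructed sample data, and it goes slightly beyond the text by showing that a wildcard entry does not cover the bare domain or deeper subdomains.

```python
# Added example (not from the wiki page): check whether every hostname in a
# redirect chain is covered by a certificate's subjectAltName (SAN) list.
# The SAN lists and redirect chain below are constructed sample data.

def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single DNS SAN entry covers the hostname.

    Rules applied (the same ones browsers use for DNS SANs):
      - comparison is case-insensitive
      - a wildcard is only honoured as the complete leftmost label ("*.example.com")
      - "*" matches exactly one label, so "*.example.com" covers "a.example.com"
        but not "example.com" itself and not "x.y.example.com"
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # Wildcard form: the host must have exactly one extra label before the suffix.
    suffix = pattern[1:]  # e.g. ".example.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return first_label != "" and "." not in first_label


def uncovered_hosts(san_list: list[str], redirect_chain: list[str]) -> list[str]:
    """Return the hostnames in the chain that no SAN entry covers (empty list means all covered)."""
    return [host for host in redirect_chain
            if not any(san_matches(san, host) for san in san_list)]


# Constructed sample: the redirect chain from the Rules section.
REDIRECT_CHAIN = ["example.com", "a.example.com", "b.example.com"]

# A wildcard-only certificate does NOT cover the bare domain.
WILDCARD_ONLY_SANS = ["*.example.com"]
# A SAN certificate listing the bare domain plus the wildcard covers every hop.
SAN_CERT_SANS = ["example.com", "*.example.com"]

if __name__ == "__main__":
    for label, sans in (("wildcard only", WILDCARD_ONLY_SANS), ("SAN cert", SAN_CERT_SANS)):
        missing = uncovered_hosts(sans, REDIRECT_CHAIN)
        print(f"{label}: {'OK' if not missing else 'not covered: ' + ', '.join(missing)}")
```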