SSL certificate intro

From wikinotes

Intro

What Certificates Do

Certificates do two things:

  • inform the user that a trusted third-party has verified that you received information from the IP address you requested
  • it contains a cryptographic public-key, that is used to encrypt data sent to the server.

What is Certificate Signing?

A CSR (Certificate-Signing-Request) is a request for your Certificate Authority to validate that the domains mentioned in your certificate are really yours.

During a CSR , your Certificate-Authority will often ask you to place a file on your webserver, or add a DNS record to your domain. It uses this information to verify that the website it reaches is valid, signs your certificate, and returns it to you.

SSL Handshake

A transaction over HTTPs looks like this: 

           
  +-------+  1 request public key                +----------+
  | User  | -------------------------------->>>  | Web      |
  |       |                                      |  Server  | 
  |       |  2- return public key (cert)         |          |
  |       |    with additional info certifying   |          |
  |       |    web server is who you think it is |          |
  |       |  <<<-------------------------------  |          |
  |       |                                      |          |
  |       |  3- User Decides whether to trust    |          |
  |       |     contents based on cert           |          |
  |       |                                      |          |
  |       |                                      |          |
  |       |  4- User Accepts Cert, uses public   |          |
  |       |     key to encrypt data sent to      |          |
  |       |     server, also sends server it's   |          |
  |       |     own public key so server can     |          |
  |       |     encrypt info for user only.      |          |
  |       |  <<<----------------------------->>> |          |
  +-------+                                      +----------+

Rules

  • you can issue an SSL certificate to one or more domains (ex: mydomain.com). An SSL certificate that is valid for multiple domains is a SAN certificate.
  • you can also issue SSL certificates for subdomains (ex: subdomain.mydomain.com)
  • you can also issue wildcard certificates - which are valid for all subdomains of a domain (ex: *.mydomain.com)
  • one SSL certificate may be shared by any number of servers hosted at a domain mentioned in the certificate (the certificate has already been validated)

Redirecting traffic while using SSL is possible.

  • The original route should return a 301-Domain-has-permanently-moved (or at least 300-series HTTP error)
  • the certificate used at your final-destination should be valid for all domains it passes through
    • (ex: example.com -> a.example.com -> b.example.com)
    • certificate must be valid for: example.com, a.example.com, b.example.com
Retrieved from "http://willpittman.net:8080/index.php?title=SSL_certificate_intro&oldid=23348"