Sunday, December 30, 2018

Bit on certificates

In continuation to my previous blog, here I'm writing something more on SSL. As we learnt that, one of the key components of SSL protocol is certificates. Certification is nothing but just a set of files which contains information like:
  • Owner of the certificate
  • Issuer of the certificate
  • Validity of the certificate, etc. 
Below is the sample certificate:





















Before moving ahead, let’s have a look at the primary elements of certificates: 

  • Public Key:  This file with extension as .crt is installed on the server and is distributed freely to any client. 
  • Private Key: This file with extension .key is installed on the server and kept secret and secure. The file of SSL certificate contains information for encrypting data, it does not expire or have any details regarding organization or domain name. 
  • Signing Request:  This file with extension .csr is sent to certificate authority by an applicant while applying for certificate and is used to generate public key. The file contains all of the same information as the public key except for information about who has signed it.
A high-level picture - How communication happens?















Once handshaking is done, browser generates a random session key, which is used for connection hereon. This session key is sent to server in an encrypted form with the help of public key mentioned in the certificate. 

The best part is, only server has the private key to decrypt this random key. So, from that point on all the communications happening between browser and server are well secure.

How to verify that certificate is issued by valid authority?
Operating Systems typically have a list of trusted certificate authority. So, certificate sent by server is verified against this list.

What is CRL & what does it holds?
CRL stands for Certificate Revocation List. Every certificate issuer maintains a CRL which holds all the revoked certificates. Revoked certificates are those which are stolen and are blacklisted based on the certificate requester’s request.

Should we go with the paid certificate issuing authority?
Precisely yes as it is all about security and all the verification must go through a stringent verification process. A company that signs your certificate must first verify your right to the certificate in question. Then, they add stuff to the certificate that allows others to see that they indeed have verified your ownership to use this certificate. Which means, 

  • Issuing authorities check that the domain name in the certificate is actually owned by you and the people in charge of the domain approve the creation of this SSL. 
  • If there is information about your organization (i.e. company name) in the certificate, then this must also be verified.  People in charge of this company must approve the certificate.
Developer’s note - Does just adding an SSL certificate secures my web site?
Merely adding an SSL certificate to a site does not make the site secure.  Once SSL Certificate for the site is received, one needs to ensure that web pages that require security are only accessed over SSL (e.g. you need to link to them with https:// and not http:// links). One may also want to construct your site so that secure pages cannot be accessed via insecure links (e.g. http://).
Hope you like the briefing on certificates. Happy learning!

No comments:

Post a Comment