SSL Certificate
Secure Sockets Layer (SSL) is a way to send information securely between a client and a server over the internet.
For an SSL connection to be established between a client (a web application running in the web browser) and a server (where your application is hosted), a handshake first takes place between the client and the server using the SSL certs.
Contents
- What is an SSL cert?
- Why would we need an SSL cert?
- What else does it provide?
- Steps to get SSL ready
- Simulating the steps locally
So first of all, what is an SSL cert?
It is a public key file along with other information such as issuer, subject, validity, extensions, fingerprints, etc.
Why would we need an SSL cert?
Let’s consider taking a car mortgage from a bank.
The bank checks your credit score before issuing you the quote.
Here, the bank is like the client web browser. You are the web application, holding your personal info like a private key, and the credit bureau provides you with a credit score, like a public key certificate.
The credit bureau's certificate helps the bank to trust you, since the bank already trusts the credit bureau.
For a typical web application, the certificate is issued through a chain of intermediaries that tells the browser it can trust the web application.
Here is an example of GitHub's certificate chain: DigiCert trusts the DigiCert TLS, which in turn trusts the certificate generated by GitHub.
What else does it provide?
Yes, an SSL certificate has a Public Key, providing a way to cipher and decipher the data flowing between the client web browser and the server where the web app is hosted, which holds the Private Key.
Check this post to know more about keys,
Steps to get SSL ready
- Server Admin creates a Domain Private Key
- Server Admin uses the Domain Private Key to generate a CSR
- Server Admin sends the CSR to a Certificate Authority along with other required information as per the CA's documentation or requirements.
- CA receives the CSR, Payment and other required details from the Server Admin
- CA uses its own Private Key and Public Key Certificate to sign the CSR and build the CA Signed Certificate
- CA sends the CA Signed Certificate to the Server Admin
- Server Admin installs the CA Signed Certificate on the server, along with the Domain Private Key that he/she generated in Step 1.
Let's Encrypt provides free SSL certificates if you want to check it out.
Check this for signing without a CA for development purposes,
Simulating the steps locally
For a Certificate Authority to provide an SSL certificate, it needs a Certificate Signing Request (CSR) and the certificate extension details (DNS, IP, etc.) from the client (Server Admin).
So, as the Server Admin, we generate the Domain Private Key and its CSR.
- Generating Secure Private Key and a Certificate
Use this step to generate only the private key, DomainKey.pem
- Generate a Certificate Signing Request
The following command will output DomainCSR.csr
openssl req -new -sha256 -key DomainKey.pem -out DomainCSR.csr
Simulating Private Certificate Authority’s certificate generation
Note: this assumes that the Server Admin has provided the information to the CA.
To sign a certificate, the CA needs its own private key and public key certificate, so we generate them here.
The following command writes the private key file CAKey.pem and prompts for a CA_PASSPHRASE, which we will use in the upcoming steps.
This is the kind of key a CA would use to sign multiple certificates.
openssl genrsa -aes256 -out CAKey.pem 4096
Now we need to create a public cert, CACert.pem, from the private key CAKey.pem generated above.
openssl req -new -x509 -sha256 -days 1000 -key CAKey.pem -out CACert.pem
Now we have our CAKey.pem and CACert.pem generated.
Simulate CA signing the request
The CA issues the final SSL certificate by signing DomainCSR.csr using CAKey.pem, CACert.pem and the other required info.
Create extfile.cnf with the following content:
subjectAltName=DNS:*.suriya.com,IP:172.24.0.1
Issue the following command to generate the SSL signed certificate.
openssl x509 -req -sha256 -days 1000 -in DomainCSR.csr -CA CACert.pem -CAkey CAKey.pem -out DomainCert.pem -extfile extfile.cnf -CAcreateserial
Verifying the CA Signed Certificate
In the end, we should see the following files generated locally:
- DomainKey.pem — Server Admin’s Private Key
- DomainCSR.csr — Server Admin’s Cert signing request
- CAKey.pem — Certificate Authority’s Private Key
- CACert.pem — Certificate Authority’s Public Key Certificate
- extfile.cnf — extension file configuration for signing the certificate
- DomainCert.pem — Server Admin’s Public Key Cert issued by CA
Finally, verify DomainCert.pem: the issuer should be the CA that issued the certificate, and the subject should reflect the information that the Server Admin sent to the CA.
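The whole flow above, run non-interactively and followed by the checks the verification step describes, as an added example that is not part of the original post. The subject names, the passphrase value, the 2048-bit key size and the function names are assumptions; the hostname check goes one step beyond the text by confirming that a client connecting as a given host would accept the certificate's SAN.

```shell
#!/bin/sh
# Added example: non-interactive run of the page's local CA flow, then checks.
# Subjects, passphrase and 2048-bit keys are demo assumptions (faster keygen).
CA_PASSPHRASE='demo-only-passphrase'   # constructed value

simulate_ca_flow() (   # $1 = working directory; body runs in a subshell
  cd "$1" &&
  # Server Admin: Domain Private Key and CSR
  openssl genrsa -out DomainKey.pem 2048 2>/dev/null &&
  openssl req -new -sha256 -key DomainKey.pem -subj "/CN=app.suriya.com" \
    -out DomainCSR.csr &&
  # CA: passphrase-protected private key and self-signed certificate
  openssl genrsa -aes256 -passout "pass:$CA_PASSPHRASE" -out CAKey.pem 2048 \
    2>/dev/null &&
  openssl req -new -x509 -sha256 -days 1000 -key CAKey.pem \
    -passin "pass:$CA_PASSPHRASE" -subj "/CN=Demo Local CA" -out CACert.pem &&
  # CA signs the CSR, adding the SAN entries from extfile.cnf
  printf 'subjectAltName=DNS:*.suriya.com,IP:172.24.0.1\n' > extfile.cnf &&
  openssl x509 -req -sha256 -days 1000 -in DomainCSR.csr -CA CACert.pem \
    -CAkey CAKey.pem -passin "pass:$CA_PASSPHRASE" -out DomainCert.pem \
    -extfile extfile.cnf -CAcreateserial 2>/dev/null
)

verify_domain_cert() (   # $1 = directory, $2 = hostname a client would use
  cd "$1" &&
  # 1. Chain builds to CACert.pem and the hostname matches a SAN entry
  openssl verify -CAfile CACert.pem -verify_hostname "$2" DomainCert.pem \
    >/dev/null 2>&1 &&
  # 2. Issuer of the domain certificate is the CA's subject
  issuer=$(openssl x509 -in DomainCert.pem -noout -issuer -nameopt RFC2253) &&
  ca_subject=$(openssl x509 -in CACert.pem -noout -subject -nameopt RFC2253) &&
  [ "${issuer#issuer=}" = "${ca_subject#subject=}" ] &&
  # 3. The IP SAN from extfile.cnf made it into the signed certificate
  openssl x509 -in DomainCert.pem -noout -text | grep -q 'IP Address:172.24.0.1' &&
  # 4. The certificate's public key belongs to DomainKey.pem
  [ "$(openssl x509 -in DomainCert.pem -noout -pubkey)" = \
    "$(openssl pkey -in DomainKey.pem -pubout)" ]
)

work=$(mktemp -d) && simulate_ca_flow "$work" &&
  verify_domain_cert "$work" api.suriya.com && echo "DomainCert.pem verified"
```

A hostname outside `*.suriya.com` makes `verify_domain_cert` return non-zero, the same mismatch a client would reject.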
Happy localhost-ing!