Open in app

Sign in

Write

Sign in

SSL Certificate

Suriya
Javarevisited
Published in
5 min readOct 26, 2022

Secure Socket Protocol (SSL) is the way to send information securely from a client to server and vice-versa over the internet.

SSL over HTTPS

For a SSL connection to happen between a client (web application running in the web browser) and server (where your application is hosted), a precursor handshake happens between the client and server using the SSL certs.

Contents

  1. What is a SSL cert?
  2. Why would we need a SSL cert?
  3. What else does it provide?
  4. Steps to get a SSL ready
  5. Simulating the steps in local

So first of all what is a SSL cert?

It is a public key file along with other information such as issuer, subject, validity, extensions, fingerprints, etc.

Github public key cert

Why would we need a SSL cert?

Let’s consider taking a car mortgage from a bank.

The bank checks for the credit score before issuing you the quote.

Here, the Bank is like your Client Web Browser. You are the web application holding your personal info like a Private Key, the Credit bureau provides you with a Credit score like a Public key certificate.

Here the Credit bureau’s certificate would help the BANK to trust YOU since the bank already trusts the Credit provider.

In a typical web application, a web certificate is issued by a chain of middle men suggesting browser to trust the web application.

Now here is a example of github’s certificate chain. DigiCert trusts the DigiCert TLS which in turn trusts certificate generated by github

Certificate provided for github
Chrome trusts DigiCert Global Root CA

What else does it provide?

Yes, a SSL certificate has a Public Key, providing a way to cipher and decipher the data flowing between the client web browser and the server where the web app is hosted which hold the Private Key.

Check this post to know more about keys,

Exploring Java KeyStore & Keys

Via code

suriyaprakhash.medium.com

Steps to get a SSL ready

  1. Server Admin creates a Domain Primary Key
  2. Server Admin uses the Domain Primary Key to generate a CSR
  3. Server Admin sends them to a Certificate Authority with other required information as per CA’s documentation or requirements.
  4. CA receives the CSR, Payment and other required details from the Server Admin
  5. CA uses their own Private Key and Public Key Certificate to sign the CSR and builds the CA Signed Certificate
  6. CA sends the CA Signed Certificate to the Server Admin
  7. Server Admin installs the CA Signed Certificate along with the Domain Private Key that he/she generated in the Step 1 into the server.

Let’s Encrypt provides free SSL certificate if you want to check it out.

Check this for sigining without CA for development purpose,

Self-signed certificate

localhost-ing

suriyaprakhash.medium.com

Simulating the steps in local

For a Certificate Authority to provide a SSL certificate, it would need a Certificate Signing Request (CSR), Certificate extension details (DNS, IP, etc) to sign the certificate from the client (Server Admin).

So, as a Server Admin generating the Domain Private Key and its CSR.

  • Generating Secure Private Key and a Certificate

Use this step to generate only the PrivateKey DomainKey.pem

  • Generate a Certificate Signing Request

The following command will output a DomainCSR.csr

openssl req -new -sha256 -key DomainKey.pem -out DomainCSR.csr
Prompts for Attributes
A typical CSR and its PEM

Simulating Private Certificate Authority’s certificate generation

Note — Assuming, that the Server Admin has provided the information to the CA

To sign a certificate, CA would need its own Private Key and a Public Key certificate. So, generating them here,

The following will spit out a Private key CAKey.pem file, and prompts for a CA_PASSPHRASE, which we might me using in the upcoming steps.

This might be the key a CA might use for signing multiple certificates.

openssl genrsa -aes256 -out CAKey.pem 4096
Prompts for Pass phrase

Now we need to create a public cert CA.pem from the above generated private key CAKey.pem

openssl req -new -x509 -sha256 -days 1000 -key CAKey.pem -out CACert.pem
Prompts for attributes

Now we got our CAKey.pem and CACert.pem generated.

Simulate CA signing the request

The CA would issue the final SSL certificate by signing the DomainCSR.csr using CAKey.pem, CACert.pem and other requried info,

Create the extfile.cnf with the following info,

subjectAltName=DNS:*.suriya.com,IP:172.24.0.1

Issue the following command to generate the SSL signed certificate.

openssl x509 -req -sha256 -days 1000 -in DomainCSR.csr -CA CACert.pem -CAkey CAKey.pem -out DomainCert.pem -extfile extfile.cnf -CAcreateserial
Prompts for CA pass phrase

Verifying the CA Signed Certificate

In the end, we would see the following files generated in our local

  • DomainKey.pem — Server Admin’s Private Key
  • DomainCSR.pem — Server Admin’s Cert signing request
  • CAKey.pem — Certifcate Authority’s Private Key
  • CACert.pem — Certificate Authority’s Public Key Certificate
  • extfile.cnf — extension file configuration for signing the certificate
  • DomainCert.pem — Server Admin’s Public Key Cert issued by CA

Here, verify the DomainCert.pem, the issuer should be the CA issuing the certificate and the subject should incorporate the information that’s been sent to the CA by the Server Admin

This cert is issued to Suriya by SuriyaCA

Happy localhost-ing!

Ssl
Https
Certificate
Cryptography
Keys

--

--

Suriya
Javarevisited

Written by Suriya

66 Followers
Writer for

I am a full-time Software Engineer and a passionate Landscape Photographer. For more info visit https://suriyaprakhash.com

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams