SSL Certificate Explained
Hi there! You must have heard the term HTTPS, which signals that a website is safe and secure to visit. But have you ever wondered what makes it secure, and how you would implement it on your own website or on an exposed API service? Let's dive into it.
- SSL: Secure Socket Layer, a cryptographic protocol that enables secure communications over the Internet.
- TLS: Transport Layer Security, the successor to the SSL protocol.
- HTTPS: Hypertext Transfer Protocol Secure, an application-specific combination of the Hypertext Transfer Protocol (HTTP) with SSL/TLS.
TLS/SSL is built on a public/private key infrastructure (PKI). Certificates are public keys that correspond to a private key and that are digitally signed either by a Certificate Authority (CA) or by the owner of the private key (such certificates are referred to as "self-signed").
Obtaining a certificate: the first step is to create a Certificate Signing Request (CSR) file, which you share with a CA to get it signed. Here, however, we are going to generate a self-signed certificate.
- Generating a self-signed certificate (for detailed info please refer here):
$ openssl req -x509 -newkey rsa:2048 -keyout client-key.pem -out client-cert.pem -days 365
The next step is to import the certificate into our web server. Here we create a simple web server using Node.js. Note that the command above protects the private key with a passphrase unless you add -nodes, so the server will need that passphrase to load the key.
- Starting an HTTPS Node.js web server:
All done, but once we access https://localhost:8000/ in a browser or in Postman, it throws an error:
The reason is that the certificate we used was not signed by a trusted CA. Thus, when you want to access a self-signed website or API, you need to import the self-signed certificate into your trust store, or click "Advanced" and proceed to the site in Chrome. In Postman you can simply disable SSL certificate verification under Settings.
But what if you need to consume it from a client app? Consuming the exposed endpoint via request will throw an error, as Node does not allow connections to APIs with an unauthorized certificate. Thus we need to add a flag:
process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0;
Be aware that this flag turns off certificate verification for every TLS connection the process makes; the safer fix for a self-signed certificate is to pass that certificate to the client in the request's ca option, so only that certificate is trusted.
So, by now you should have an idea of how to implement HTTPS using an SSL certificate. The same methodology can be used to create an HTTPS website or to expose an HTTPS API.
But there is one more thing. HTTPS only secures your data during transmission, by encrypting it while it is in flight. So while accessing websites all our data is encrypted in transit, and that works. But what if we also need to confirm the source the data is being transmitted from? For example, for a payment API endpoint exposed to a client, the server also needs to be sure about the client. For that we can ask for a client certificate too.
Let's try to consume our server's exposed API from our previous client. This time it throws a handshake failure error, because the server now requires a certificate from the client to authenticate its source.
One needs to follow the same process here and generate a certificate for the client too. It has to be shared with the server so that the server can incorporate it. In the updated client code, the client now also sends its certificate along with the request.
If you notice, we have added the private key along with the client certificate. This is because the client uses the private key (client-key.pem) to sign the handshake, proving that it holds the key matching the certificate (client-cert.pem) it sends; the server verifies that signature with the public key in the certificate and checks the certificate's validity.
This way we also verify proof of origin, on top of the data being encrypted during transmission.
To access the endpoint from Postman you need to add the private key and certificate in Postman, or in your trust store or Keychain (macOS).
In the next article we will discuss other ways to secure API transmission and to verify the authenticity of the client.