Friday 14 May 2010

Security 2 : certificates, CA, SSL

How browser and SSL web server connected:

1. browsers usually have the "trust root CA" already which means have those public key
2. first it will work in asymmetric method
3. Certificate of web server containing CN/domain name, digital signature CA (result of encrypting priv key CA : maybe with HASH), HASH (or fingerprint), public key of the web server.
4. Pub key in browser will decrypt the dig signature CA
5. It will get the HASH and compare with the HASH in the certificate
This verify if the CA is really the CA, example: this Cert really come form verisign.
6. After browser verify it, it use the public key web server in the certs to encrypt the req along with sessionID
7. Web server got it and decrypt using it priv key.
8. At this point, web server will do the symmetric key encryption using the sessionID as the shared code.

Note : Dont be confused, there are CA key pair and also web server key pair.
Asymmetric encrypt is slower than symmetric.

>>>>>>>>>>>>>>>>>>>>>>>>>>>

In unix use openssl command
First you generate the priv key RSA.
then from that you create a .csr file. CSR : certificate request
which need some input as domain name, etc.....
then you send the .csr to a CA
if it is commercial CZ, they may contact you for verify and to be paid
then CA will send you the .cert files/.arm files
set the cert localtion on the virtual host section of your http
also set the key file location in the same section
also set the SSLCertificateChainFile in the same section.
==> this last file is a plain text file containing the structure intermediate CA up to root CA
==> explain later on in next


>>>>>>>>>>>>>>>>>>>>>>>>>>

CA :
A. private CA
B. commercial CA

1. root CA : the root, issued to and issued by itself, and signed by it self.
2. intermediate CA : the derivatives up to several level, issued by : rootCA/above intermediate CA
issued to : itself. signed by the ROOT CA or above intermCA.

In secure case : root CA is std alone, intermediate CA is in network. You create csr in intermCA, bring it over usb to root CA. you generate the cert, and bring over usb again to intermCA, and install it. Now you have rootCA signed cert at your intermCA.
Now you can create any new certs to be used by web servers.
Remember in web servers, you need set the chain file (in order client browser can auth the intermCA upto the rootCA).

reference: http://usefulfor.com/nothing/2008/03/20/howto-create-an-intermediate-certifica-authority-ca-using-openssl/

chain file looks like:

--BEGIN--
FDARGARGAGAGFDGFDGDCCCC
the intermCA2
DSFSDGDSFHSHSHSD%^GG#TG
--END--
--BEGIN--
the intermCA1
--END--
--BEGIN--
the rootCA
--END--


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

summary : certificate is public key with some info of your data
can be digitally signed by a CA or commercial CA
digitally sign means as written in digital signature workflow
Posted by at

1 comment:

  1. lauren8 August 2011 at 23:50

    "I would say that it is very well written blog on such a topic.Its brief post but information rich.You explained well about connectivity of browser and SSL web server.Thanks
    digital signature software"

    ReplyDelete

Subscribe to: Post Comments (Atom)