When a client (a browser) connects to a web server over SSL/TLS (normally port 443), the handshake that opens the connection sets up the encrypted channel. Simplified, it works as follows:
1- Server sends its certificate (signed by a CA) to the client. The certificate contains the server's public key; the matching private key never leaves the server.
2- Client verifies the signature chain on the certificate up to a root CA (Certificate Authority) it already trusts. For external services that is a commercial CA such as Verisign; for internal services we can run our own CA server and install its root certificate on the clients.
3- Client also verifies that the host name it looked up matches the certificate: modern browsers check the Subject Alternative Name (SAN) extension, older clients only the CN (Common Name).
4- Client accepts the connection, or shows a warning (or aborts), depending on whether these checks pass.
5- Client and server agree on a symmetric session key. With the classic RSA key exchange the client encrypts a random secret with the public key from the certificate; with Diffie-Hellman exchanges the server instead signs the handshake. The traffic itself is always encrypted with the session key, not directly with the certificate.
6- Server completes the exchange with its private key (decrypting that secret, or producing the signature).
Basically, the certificate is public: anyone may have it, and it lets anyone talk to the server, but only the holder of the private key can complete the handshake as that server. Whoever obtains the private key can impersonate the server and, with RSA key exchange, decrypt recorded traffic, so make sure you store your private key in a safe place.
Getting Certificate Files
1- First generate the private key (the leading # is the root shell prompt, not part of the command). The key file should be readable only by root, so run this with umask 077 or chmod 600 the file right afterwards:
# openssl genrsa -out server.key 2048
2- Generate the Certificate Signing Request (CSR). This file must be sent to the CA (Verisign or the internal CA) so it can be signed.
The request does not contain the private key: it contains the public key plus the identity fields (Common Name, organisation, ...), and the CA signs that with its own private key to produce the certificate.
# openssl req -new -key server.key -out server.csr
You will then be asked several questions; the most important one is the Common Name. The Common Name must match exactly the name clients use to reach the server that requests the certificate (CRT file), e.g. www.example.com rather than the machine's short host name. Newer browsers also require that name in the subjectAltName extension, which a CA normally adds, or which you can put in the CSR yourself.
When you buy certificates from Verisign they have a website where you paste the CSR, and they send you back a certificate file. For a Microsoft CA (Active Directory Certificate Services) you submit the CSR as a base64-encoded PKCS #10 request, and the CA returns a CER file; if you downloaded it DER-encoded it must be converted to PEM before Apache can read it.
Microsoft CA conversion, DER-encoded CER to PEM CRT file (-inform DER; if the CER file already starts with -----BEGIN CERTIFICATE----- it is PEM already and only needs renaming):
# openssl x509 -in server.cer -inform DER -out server.crt
Finally add the following to your Apache SSL configuration:
SSLCertificateFile /path/to/ssl/certificate/server.crt
SSLCertificateKeyFile /path/to/ssl/key/server.key
If the CA also gave you intermediate certificates, the server has to send them as well: Apache 2.4.8 and later accept them appended to the file named in SSLCertificateFile, older versions need them in a separate SSLCertificateChainFile. Without the chain, browsers that do not already know the intermediate will show a warning.
Note: Make sure the key file is stored in a secure location, owned by root and readable only by root (chmod 600). The certificate file can be world-readable, the key must not be.
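To show the whole procedure end to end, here is an added example script (it is not from the original post). It runs the steps above non-interactively, uses a throwaway internal CA as a stand-in for Verisign or a Microsoft CA, and finishes with the checks worth running before the files go into the Apache config: the chain and host name verify, and the certificate really carries the public half of server.key. It needs only the openssl command line tool. The host name www.example.internal, the organisation name and all file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the original post's code: key, CSR, internal CA, signing
# and pre-deployment checks. Host name, organisation and file names are assumed.
set -e

# Issue a server certificate for host $1 into directory $2 (created if missing).
# The body runs in a subshell so the cd does not leak into the caller.
issue_server_cert() (
    host="$1"
    work="$2"
    mkdir -p "$work" && cd "$work"

    # Step 1: private key. umask 077 makes the file 0600 from the moment it
    # exists, instead of chmod-ing it after a world-readable window.
    (umask 077 && openssl genrsa -out server.key 2048 2>/dev/null)

    # Step 2: CSR. The config file replaces the interactive questions. The CN is
    # the name clients will type; the same name goes into subjectAltName because
    # current browsers ignore CN and match the host name against the SAN only.
    cat > server.cnf <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = server_ext
[dn]
C = US
O = Example Corp
CN = $host
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl req -new -key server.key -out server.csr -config server.cnf

    # Step 3: internal CA (self-signed root). In real use this key lives on a
    # separate, locked-down machine; only server.csr travels to it.
    if [ ! -f ca.key ]; then
        cat > ca.cnf <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
C = US
O = Example Corp
CN = Example Corp Internal Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
        (umask 077 && openssl genrsa -out ca.key 2048 2>/dev/null)
        openssl req -x509 -new -key ca.key -days 3650 -out ca.crt -config ca.cnf
    fi

    # Step 4: the CA signs the request with its own private key. The extensions
    # are taken from the CA side (server.cnf here) because the CA, not the
    # requester, decides what a certificate may be used for.
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -extfile server.cnf -extensions server_ext \
        -out server.crt 2>/dev/null

    # Step 5: checks before touching Apache. Chain and host name must verify,
    # and the certificate must contain the public key matching server.key
    # (a mismatch is the classic reason Apache refuses to start).
    openssl verify -CAfile ca.crt -verify_hostname "$host" server.crt >/dev/null
    [ "$(openssl x509 -in server.crt -noout -pubkey)" = \
      "$(openssl pkey -in server.key -pubout)" ]
)

# A Microsoft CA hands the signed certificate back either as DER ("DER encoded")
# or already as PEM ("Base 64 encoded"). Convert only when it is really DER.
to_pem() {
    if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
        cp "$1" "$2"
    else
        openssl x509 -in "$1" -inform DER -out "$2"
    fi
}

# Usage: files end up in ./certs; copy server.crt and server.key to the paths
# named in SSLCertificateFile / SSLCertificateKeyFile, and ca.crt to the clients.
issue_server_cert www.example.internal ./certs
```

The -verify_hostname check is the same test a browser performs in step 3 of the handshake description above, so it catches a wrong Common Name or missing SAN before any client does.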
Enjoy it !!!!