Secure Sockets Layer (SSL) uses asymmetric cryptography, also known as public key cryptography, to encrypt traffic. An asymmetric key pair is made up of a public key and a private key. The two keys are mathematically linked such that data encrypted with the public key can only be decrypted with the matching private key, and vice versa.
SSL protects HTTP data transferred between the client (browser) and the server. Browsers have the built-in ability to encrypt outgoing data to, and decrypt incoming data from, servers.
Together, the public and private key make up a certificate. A certificate is a special file containing either a public key only (public-only key) or both the public and private key (public/private key pair).
Certificates can be either self-signed or CA-signed. Self-signed certificates are not trusted by a Certificate Authority (CA). Signed certificates are special files for which a CA has verified the authenticity of the certificate. Websites that use SSL for secure HTTP communication use certificates. The difference between a self-signed certificate and a CA-signed certificate is that web browsers have a built-in ability to verify CA-signed certificates. Websites that use self-signed certificates will present a security warning.
Creating a self-signed certificate
This example uses openSSL.exe
Step 1: Generate an RSA private key.
To create a certificate or a certificate request, we first need a private RSA key.
- Download openssl.exe
- Navigate to the C:…\openssl-0.9.8k_X64\bin
openssl genrsa -out sweetrecipes.pem 2048
Step 2: Generate a CSR (Certificate Signing Request)
To create a certificate, we start with a certificate request. Note that this is also what a CA uses to generate a signed certificate. Because -x509 is given, the request is signed immediately with our own key, so the command below produces a self-signed certificate (sweetrecipes.cer) rather than a CSR file to hand to a CA.
openssl req -new -x509 -key sweetrecipes.pem -out sweetrecipes.cer -days 3650 -config C:\_LocalHosting\OpenSsl\openssl.cnf
Step 3: Generate a PKCS#12 file
openssl pkcs12 -export -out sweetrecipes.pfx -inkey sweetrecipes.pem -in sweetrecipes.cer
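The three steps above, run end to end as an added example (not part of the original post), followed by checks the steps alone do not show: that the key and certificate belong together, that the PKCS#12 file holds both, and that a verifier with no trust anchor for the certificate rejects it, which is the browser warning described earlier. The hostname, the PKCS#12 password "changeit" and the -subj value are constructed sample values.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: run the three steps in a
# temporary directory, then verify the result the way a browser would.
set -euo pipefail

make_self_signed() {
  # $1 = working directory, $2 = hostname used as the subject (constructed sample)
  local dir="$1" cn="$2"
  # Step 1: RSA private key
  openssl genrsa -out "$dir/$cn.pem" 2048 2>/dev/null
  # Step 2: -x509 signs the request with our own key, so this yields a
  # self-signed certificate, not a CSR for a CA; -subj avoids the prompts
  openssl req -new -x509 -key "$dir/$cn.pem" -out "$dir/$cn.cer" -days 3650 \
    -subj "/CN=$cn" 2>/dev/null
  # Step 3: bundle key and certificate into PKCS#12 (password is a constructed sample)
  openssl pkcs12 -export -out "$dir/$cn.pfx" -inkey "$dir/$cn.pem" \
    -in "$dir/$cn.cer" -passout pass:changeit
}

# Compare the public key derived from the private key with the one in the certificate
key_matches_cert() {
  local from_key from_cert
  from_key=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  from_cert=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256)
  [ "$from_key" = "$from_cert" ]
}

# Number of PEM objects (private key + certificate) stored in the PKCS#12 file
pfx_object_count() {
  openssl pkcs12 -in "$1" -passin pass:changeit -nodes 2>/dev/null | grep -c -- '-----BEGIN'
}

# Succeeds when a verifier with no trust anchor for this certificate rejects it
rejected_without_trust() {
  ! openssl verify "$1" 2>/dev/null | grep -q ': OK$'
}

# Succeeds when the same certificate is accepted once it is explicitly trusted
accepted_when_trusted() {
  openssl verify -CAfile "$1" "$1" 2>/dev/null | grep -q ': OK$'
}

work=$(mktemp -d)
make_self_signed "$work" sweetrecipes
key_matches_cert "$work/sweetrecipes.pem" "$work/sweetrecipes.cer" && echo "key and certificate match"
echo "objects in PKCS#12: $(pfx_object_count "$work/sweetrecipes.pfx")"
rejected_without_trust "$work/sweetrecipes.cer" && echo "rejected without a trust anchor"
accepted_when_trusted "$work/sweetrecipes.cer" && echo "accepted once explicitly trusted"
```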
Another way to generate a public/private key pair with openssl.exe, together with a public key certificate (without the private key):
openssl genrsa -des3 -out taskboard.key 2048
openssl req -new -key taskboard.key -out taskboard.csr -config ..\openssl.cnf
openssl x509 -req -days 3650 -in taskboard.csr -signkey taskboard.key -out taskboard.crt
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in taskboard.crt -inkey taskboard.key -out taskboard.pfx -name taskboard.pfx
The files produced by openssl.exe: