SSL
Secured Socket Layer (SSL) uses an asymmetric cryptography, also known as public key cryptography to encrypt traffic. Asymmetric cryptography is made up of a public and private key. These keys are mathematically linked in a way that data encrypted by a public key can only be deciphered by the linked private-public key (vice versa).
SSL protects HTTP data transferred between the client (browser) and server. Browsers have the ability to inherently encrypt outgoing data and decrypt incoming data of servers.
Certificates
The combination of the public and private key make up a certificate. A certificate is a special file containing either a public key (public only key) or both public and private key (public/private key).
Certificates can be either be self-signed or signed. Certificates that are self-signed certificate are not trusted by a Certificate Authority (CA). Signed certificates are special files whereby a CA will verify the authenticity of the certificate file. Websites that use SSL for secure HTTP communication use certificates. A difference between a self-signed certificate and a CA-signed certificate is that web browsers have built-in ability to verify signed certificates. Websites that use self-signed certificates will present a security warning.
Creating self-signed a certificate
This example uses openSSL.exe
Step 1: Generate a RSA Private Key.
To create a certificate or a certificate request we need to create a private RSA key.
- Download openssl.exe
- Navigate to the C:…\openssl-0.9.8k_X64\bin
openssl genrsa -out sweetrecipes.pem 2048Step 2: Generate a CSR (Certificate Signing Request)
To create a certificate, we need to start with a certificate request. Note that this is also what a CA uses to generate a signed certificate.
openssl req -new -x509 -key sweetrecipes.pem -out sweetrecipes.cer -days 3650 -config C:_LocalHosting\OpenSsl\openssl.cnfStep 3: Generate a PKCS#12 file
openssl pkcs12 -export -out sweetrecipes.pfx -inkey sweetrecipes.pem -in sweetrecipes.cerAnother way to generate public/private key using openssl.exe and a public key certificate (without private key):
openssl genrsa -des3 -out taskboard.key 2048
openssl req -new -key taskboard.key -out taskboard.csr -config ..\openssl.cnf
openssl x509 -req -days 3650 -in taskboard.csr -signkey taskboard.key -out taskboard.crt
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in taskboard.crt -inkey taskboard.key -out taskboard.pfx -name taskboard.pfxOutput of all the files from openssl.exe:
