SSL and SSL Certificates Explained For Beginners
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are protocols that allow for secure communication over a computer network.
They’re often utilized in email and web browsing.
In this lesson, we’ll look at:
- TLS and SSL are two security protocols.
- Keys that are both public and private
What is TLS?
How to receive a digital certificate and what kind of certificates are available.
TLS stands for Transport Layer Security.
TLS is based on SSL and was created as a replacement for SSLv3 because of known weaknesses.
The phrase SSL is widely used, and it now frequently refers to TLS.
Data encryption, data integrity, and authentication are all provided by SSL/TLS.
This implies that when you use SSL/TLS, you can rest assured that your data is secure.
- Your message has not been read by anyone.
- Your message has not been altered by anyone.
You’re conversing with the intended recipient (server)
When transmitting communication between two parties, there are two issues to consider.
- What evidence do you have that no one has seen the message?
- How do you ensure the message hasn’t been changed?
The remedies to these issues are as follows:
- Encrypt the message. This renders the content unintelligible to anyone who sees it.
- Sign it– This ensures that the recipient knows it was you who sent the message and that it hasn’t been altered.
Both of these operations necessitate the use of keys.
These keys are essentially numbers (usually 128 bits) that are paired with the message using a specific method, typically referred to as an algorithm—for example, RSA—to encrypt or sign the message.
Symmetrical Keys and Public and Private Keys
Public and private keys are used in almost all encryption systems today.
These are thought to be far more secure than the old symmetrical key system.
An asymmetrical key encrypts or signs a message and then decrypts it with the same key.
This is similar to the keys we use daily (door, car keys).
The disadvantage of this form of key arrangement is that if you misplace it, anyone who finds it can open your door.
With Public and Private keys, two keys are utilized that are mathematically related (they form a key pair), but they are not the same.
A message encrypted with a public key cannot be decoded using the same public key.
If your vehicle had a key setup like this. Then you may lock the automobile and leave the key in the lock because the automobile cannot be opened with the same key.
This key structure is extremely secure, and it is utilized in all modern encryption and signature systems.
Keys and SSL Certificates
For data encryption and integrity, SSL/TLS employs a public and private key mechanism.
The term “public” refers to the fact that public keys can be made available to everyone.
As a result, there is a problem with trust, specifically:
For example, suppose you obtain a key that purports to be from your bank.
A digital certificate is a solution.
In ordinary life, a certificate serves the same purpose as a passport.
A passport created a relationship between a photo and a person, which was validated by a reputable body (passport office).
A digital certificate is a link between a public key and a trustworthy third-party-verified (signed) entity (company, domain name, etc). ( A certificate authority)
A digital certificate is a quick and easy way to provide trusted public encryption keys.
Obtaining a Digital Certificate
A recognized Certificate Authority issues you a digital certificate (CA). You get a passport from a passport office, just like that.
The procedure is, in fact, very similar.
You complete the necessary paperwork, including your public keys (which are simply numbers), and send/them to the certificate authority. (This is a request for a certificate)
The certificate authority performs some tests (depending on the authority) and returns the keys in a certificate to you.
The keys are guaranteed by the certificate, which is signed by the Issuing Certificate Authority.
When someone requests your public keys, you send them the certificate, which they test the signature on, and if it matches, they can trust your keys.
- To demonstrate, we’ll look at a typical SSL connection between a web browser and a web server. (HTTP://)
- This connection is used on the Internet to send email through Gmail and other services, as well as to conduct online banking, shopping, and other activities.
- SSL is used to connect the browser to the server (HTTP)
- The web server’s public key is contained in the Server Certificate returned by the server.
- The signature of the CA is checked by the browser to verify the certificate. The CA certificate must be in the browser’s trusted store to accomplish this ( See later)
- This Public Key is used by the browser to agree on a session key with the server.
- The session key is used by both the web browser and the server to encrypt data sent over the connection.
- Here’s a video that goes over everything in further depth:
Digital Certificate Types
If you’re looking to get a certificate for a website or to encrypt MQTT, there are two types to choose from:
- Certificates with Domain Validation (DVC)
- Certificates with a longer validation period (EVC)
The distinction between the two types is the certificate’s level of trust, which comes with more thorough validation.
They both provide the same amount of encryption.
A domain-validated certificate (DV) is an X.509 digital certificate used for Transport Layer Security (TLS) in which the applicant’s identity is verified by demonstrating control over a DNS domain.-WikI
Because the validation procedure is usually totally automated, they are the most cost-effective type of certificate. They’re best for websites that give content, like this one, and aren’t utilized for sensitive information.
An Extended Validation Certificate (EV) is a certificate that certifies the legal entity operating a website or software package. It is used for HTTPS websites and software. A certificate authority must verify the identification of the requesting entity before issuing an EV certificate (CA).
Because they require manual validation, they are often more expensive than domain verified certificates.
Wildcards and SANs are prohibited from being used in certificates.
Certificate Usage Restrictions- Wildcards and SANs
In most cases, a certificate is only good for one fully qualified domain name (FQDN).
That is, a certificate obtained for www.mydomain.com will not work for mail.mydomain.com or www.otherdomain.com.
A Wildcard certificate, on the other hand, can be used to secure several subdomains as well as the primary domain name.
A wildcard certificate protects all subdomains of a given domain name.
A wildcard certificate for *.mydomain.com, for example, can be used on:
It can’t be used to protect both mydomain.com and myotherdomain.com at the same time.
You must obtain a certificate with SAN to cover many domain names in a single certificate (Subject Alternative Name).
In addition to the main domain name, these usually allow you to secure four additional domain names. You might, for example, use the same certificate on:
You can also alter the domain name covered, but the certificate will need to be reissued.
Why use Commercial Certificates?
Using free software tools, you may easily build your own SSL certificates and encryption keys.
These keys and certificates are just as secure as commercial keys and certificates, and in many situations are much more so.
When you require widespread support for your certificate, you’ll need a commercial certificate.
This is because most web browsers and operating systems provide support for the major commercial certificate authority.
If I installed my own self-generated certificate on this site, you’d get a message like the one below, warning you that the site isn’t trustworthy.
Certificate Encodings and Files Extensions
Certificates can be encoded in a variety of ways, including:
- Files in binary format
- Files in ASCII (base64) format
The following are some of the most often used file extensions:
- .PEM (Portable Extensible Markup Language) (Privacy Enhanced Electron Mail)
- .CRT is an abbreviation for “Computer
Note that the file extension and encoding have no practical relationship. This means that a.crt file can be encoded in either.der or. pem format.
Because. pem files are ASCII files, they can be read with any text editor.
The crucial thing to remember is that the Begin Certificate and End Certificate lines are where they begin and end.
Certificates can be kept in separate files or bundled together in a single file.
Root CA Bundle and Hashed Certificates
Although root certificates are available as individual files, they can also be bundled together.
These root certificates, together with a file named ca-certificates. crt, are saved in the /etc/SSL/certs folder on Debian-based Linux systems.
This file contains a collection of all of the system’s root certificates.
It is created by the system and can be updated with the update-ca-certificates command if new certificates are added. See this page for further information.
Each certificate or a symbolic link to the certificate, as well as a hash, is stored in the certs folder.
The c rehash command creates hash files, which are utilized when a directory rather than a file is supplied. For example, the mosquito pub utility can be used as:
Certificate Chains and Bundles, as well as Root and Intermediate Certificates.
Subordinate certificate authorities can be established by a certificate authority to provide certificates to clients.
Root Certificates, Intermediate Certificates, and Certificate Chains and Bundles.
To validate the authenticity of a certificate, a client must be able to check the signatures of all the CAs in the chain, which means the client must have access to all of the CAs’ certificates.
As a result, certificates are frequently distributed as part of a certificate bundle.
This bundle would be a single file containing all of the CA certificates in the chain, commonly called CA-Bundle. crt.
if your certificates are supplied separately, you can put together your own bundle by following the instructions outlined here.