SSL Certificate

How it works?

uses TLS protocol.

Random

Signing is done with private key and data or information is encoded with public key.

Certificate chain or hierarchy and content fc

position	ease	box	interval	due
front	2.5	0	0	2021-09-29T16:49:52Z

Certificate content

SSL certificates include:

The domain name that the certificate was issued for
Which person, organization, or device it was issued to
Which certificate authority issued it
The certificate authority’s digital signature
Associated subdomains
Issue date of the certificate
Expiration date of the certificate
The public key (the private key is kept secret)*

Chain

Certificate content and signature

Signing is done with private key

Verification chain

Purchasing

is good source to purchase cheap SSL ceritificates. I purchased ’s projects’s certificate from here.

Certificates will be emailed by on after purchase

sends certificate zip file that contains both bundle certificate(root + intermediate CA certificates) + leaf certificate.

Adding SSL certificate

To

ref

<VirtualHost 192.168.0.1:443>
  DocumentRoot /var/www/html2
  ServerName www.yourdomain.com
      SSLEngine on
      SSLCertificateFile /path/to/your_domain_name.crt
      SSLCertificateKeyFile /path/to/your_private.key
      SSLCertificateChainFile /path/to/cabundle.crt # bundle.crt
  </VirtualHost>

To

ref ref gist

Create ssl_certificate

config details ssl_certificate For the client to recognize the certificate, the complete chain should be bundled in and `ssl_certificate` should point to the that bundle.

Lesson learned

In project, “ssl_certificate” was pointing to just root or intermediate CA, this was causing following issues
1. The ssl certificate on “ksaflyer.com” domain was getting displayed as invalid.
2. In the app of the project, the images were not getting rendered because of the SSL issue: Image component was throwing SSL, java, invalidpath? issue. Bundling the SSL certificate as describe in the example below worked

Bundling the SSL certificate

cat your_domain.crt your_domain.ca-bundle >> ssl-bundle.crt

server {
       listen 443;
       ssl on; #**
       ssl_certificate /etc/ssl/ssl-bundle.crt; #**
       ssl_certificate_key /etc/ssl/ssl-tutorials.key;#**
       server_name ssl-tutorials.com;
       access_log /var/log/nginx/nginx.vhost.access.log;
       error_log /var/log/nginx/nginx.vhost.error.log;

location / {
         root /var/www/;
         index index.html;

}
}

Debugging SSL issues?

ref

openssl s_client -connect ksaflyer.com:443 -showcerts

Start Time: 1632912777
Timeout   : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: yes

Tools to verify SSL certificates

https://www.sslshopper.com/certificate-decoder.html

Glossary

CA Bundle

ref CA bundle is a file that contains root and intermediate certificates.

Certificate chain

The end-entity certificate along with a CA bundle constitutes the certificate chain.

Certificate Authority(CA)

ref A third party organization which is used to confirm the relationship between a party to the HTTPS transaction and that party’s public key. Certification authorities may be widely known and trusted institutions for internet based transactions. Though where HTTPS is used on a company’s internal networks, an internal department within the company may fulfill the role of a CA.

The certificates of major CAs such as GeoTrust and VerifSign are bundled with operating systems distribution.

CA authorities charges some amount to sign and verify your SSL Certificate getting issue.

Digital Signature

ref A digital signature (not to be confused with a digital certificate) is electronic. It can be used with any kind of message, whether it is encrypted or not, so that the receiver can be sure of the sender’s identity and that the message arrived intact.

A digital certificate is an electronic certificate file which contains a digital signature. SSL Certificates are a type of digital certificate. SSL certificates contain the digital signature of the Certificate Authority (CA) that issued it. CAs are companies authorized to create SSL certificates. Browsers can check an SSL certificate’s digital signature to verify that the certificate is real.

Additional benefits to the use of a digital signature are that it is easily transportable, cannot be easily repudiated, cannot be imitated by someone else, and can be automatically time-stamped.

Encryption

Symmetric

Encryption is the process of changing readable data (also referred to as “plaintext”) into a form that can be read only by the intended receiver. To decipher the message, the receiver of the encrypted data must have the proper decryption key. In traditional encryption schemes, the sender and the receiver use the same key to encrypt and decrypt data – this is a type of encryption known as symmetric encryption.

Asymmetric or Public-key encryption

SSL uses a more advanced form of encryption called Public-Key encryption. In Public-key systems, there are two keys: a public key, which anyone may use, and a corresponding private key, which is possessed only by the person who created it – which in this case is the webserver’s administrator. With this method, anyone may send a message encrypted with the owner’s public key, but only the owner has the private key necessary to decrypt it. This allows secure encryption over the Internet. Public-key encryption is a type of encryption called asymmetric encryption because different keys are used for encryption and decryption.

Root Certificate

An SSL certificate issued from Certificate Authority (CA). These certificates are distributed to millions of computers so that they can successfully use SSL certificates from those CAs. Devices such as desktops, laptops, smartphones, and printers contain Root Certificates.

SSL Key

The Private Key is sometimes referred to as the SSL Key. Your server must have a Private Key to function properly and you should always keep it secure and not share it with outside parties. With this key your secure communications can be decrypted. See Private Key for more

SSL Handshake

The SSL handshake is the term given to the process of the browser and web server setting up an SSL session. The SSL handshake involves the browser receiving the SSL certificate and then sending “challenge” data to the web server in order to cryptographically prove whether the web server holds the SSL key associated with the SSL certificate. If the cryptographic challenge is successful then the SSL handshake has completed and the web server will hold an SSL session with the web browser. During an SSL session the data transmitted between the web server and web browser will be encrypted. The SSL handshake takes only a fraction of a second to complete.

How it works?#

Random#

Certificate chain or hierarchy and content fc#

Certificate content#

Chain#

Certificate content and signature#

Verification chain#

Purchasing#

Certificates will be emailed by on after purchase#

Adding SSL certificate#

To #

To #

Create ssl_certificate#

Debugging SSL issues?#

Tools to verify SSL certificates#

Glossary#

CA Bundle#

Certificate chain#

Certificate Authority(CA)#

Digital Signature#

Encryption#

Symmetric#

Asymmetric or Public-key encryption#

Root Certificate#

SSL Key#

SSL Handshake#

Misc#