http://www.steves-internet-guide.com/ssl-certificates-explained/
In this tutorial we will look:
- TLS and SSL
- Public and Private keys
- Why we need certificates and what they do
- How to get a digital certificate and understand the different common certificate types.
What is TLS
TLS is based on SSL and was developed as a replacement in response to known vulnerabilities in SSLv3. SSL is the term commonly used, and today usually refers to TLS.
Security Provided
SSL/TLS provides
- data encryption
- data integrity
- authentication
This means that when using SSL/TLS you can be confident that
- No one has read your message
- No one has changed your message
- You are communicating with the intended person (server)
When sending a message between two parties you have two problems that you need to address.
- How do you know that no one has read the message?
- How do you know that no one has changed the message?
The solutions to these problems are to:
Encryptit.– This makes the content unreadable so that to anyone viewing the message it is just gibberish.Signit– This allows the recipient to be confident that it was you who sent the message, and that the message hasn’t been changed.
Both of these processes require the use of keys.
These keys are simply numbers (128 bit being common) that are then combined with the message using a particular method, commonly known as an algorithm- e.g. RSA, to either encrypt or sign the message.
Symmetrical Keys and Public and Private Keys
Almost all encryption methods in use today employ public and private keys.
These are considered much more secure than the old symmetrical key arrangement.
With a symmetrical key, a key is used to encrypt or sign the message, and the same key is used to decrypt the message.
This is the same as the keys (door, car keys) we deal with in everyday life.
The problem with this type of key arrangement is if you lose the key anyone who finds it can unlock your door.side-note-encryption-2
With Public and Private keys, two keys are used that are mathematically related (they belong as a key pair), but are different.
This means a message encrypted with a public key cannot be decrypted with the same public key.
To decrypt the message you require the private key.
If this type of key arrangement were used with your car. Then you could lock the car, and leave the key in the lock as the same key cannot unlock the car.
This type of key arrangement is very secure and is used in all modern encryption/signature systems.
Keys and SSL Certificates
SSL/TLS use public and private key system for data encryption and data Integrity.
Public key can be made available to anyone, hence the term public.
Because of this there is a question of trust, specifically:
How do you know that a particular public key belongs to the person/entity that it claims.
For example, you receive a key claiming to belong to your bank.
How do you know that it does belong to your bank?
The answer is to use a digital certificate.
A certificate serves the same purpose as a passport does in everyday life.
A passport established a link between a photo and a person, and that link has been verified by a trusted authority (passport office).
A digital certificate provides a link between a public key and an entity (business,domain name etc) that has been verified (signed) by a trusted third party ( A certificate authority)
A digital certificate provides a convenient way of distributing trusted public encryption keys.
Obtaining a Digital Certificate
You get a digital certificate from a recognized Certificate authority (CA). Just like you get a passport from a passport office.
In fact the procedure is very similar.
You fill out the appropriate forms add your public keys (they are just numbers) and send it/them to the certificate authority. (this is a Certificate Request)
The certificate authority does some checks ( depends on authority), and sends you back the keys enclosed in a certificate.
The certificate is signed by the Issuing Certificate authority, and this it what guarantees the keys.
Now when someone wants your public keys, you send them the certificate, they verify the signature on the certificate, and if it verifies, then they can trust your keys.
Example Usage
To illustrate we will look at a typical web browser and web server connection using SSL. (https).
This connection is used on the Internet to send email in Gmail etc and when doing online banking,shopping etc.
1. Browser connects to server Using SSL (https)
2. Server Responds with Server Certificate containing the public key of the web server.
3. Browser verifies the certificate by checking the signature of the CA.
To do this the CA certificate needs to be in the browser’s trusted store( See later)
4. Browser uses this Public Key to agree a session key with the server.
5. Web Browser and server encrypt data over the connection using the session key.
Digital Certificate Types
If you are trying to purchase a certificate for a website or to use for encrypting MQTT you will encounter two main types:
- Domain Validated Certificates (DVC)
- Extended validation Certificates (EVC)
The difference in the two types is the degree of trust in the certificate which comes with more rigorous validation.
The level of encryption they provide is identical
DVC
A domain-validated certificate (DV) is an X.509 digital certificate typically used for Transport Layer Security (TLS) where the identity of the applicant has been validated by proving some control over a DNS domain.
The validation process is normally fully automated making them the cheapest form of certificate. They are ideal for use on websites like this site that provides content, and not used for sensitive data.
EVC
An Extended Validation Certificate (EV) is a certificate used for HTTPS websites and software that proves the legal entity controlling the website or software package. Obtaining an EV certificate requires verification of the requesting entity’s identity by a certificate authority (CA).
They are generally more expensive than domain validated certificates as they involve manual validation.
Certificate Usage Restrictions- Wildcards and SANs
Generally a certificate is valid for use on a single fully qualified domain name (FQDN).
That is a certificate purchased for use on www.mydomain.com cannot be used on mail..mydomain.com or www.otherdomain.com.
However if you need to secure multiple subdomains as well as the main domain name then you can purchase a Wildcard certificate.
A wildcard certificate covers all sub domains under a particular domain name.
For example a wildcard certificate for *.mydomain.com can be used on:
mail.mydomain.com
www.mydomain.com
ftp.mydomain.com
etc
It can not be used to secure both mydomain.com and myotherdomain.com.
To cover several different domain names in a single certificate you must purchase a certificate with SAN (Subject Alternative Name).
These generally allow you to secure 4 additional domain names in addition to the main domain name. For example you could use the same certificate on:
www.mydomain.com
www.mydomain.org
www.mydomain.net
www.mydomain.co
www.mydomain.co.uk
You can also change the domain name covered but would need have the certificate re-issued.