SSL Certificates and Operations
1 like689 views
This document discusses SSL certificates, including their purpose for server/client authentication and secure data transfer. It covers the process of requesting, signing, installing and verifying certificates from both Certificate Authorities (CAs) and self-signing. The different types of SSL certificates - DV, OV and EV - are explained along with OpenSSL tools, certificate structure, chain of trust, trust stores, certificate pinning and free certificate options like Let's Encrypt.
![Purpose of SSL certificates
• Server [/Client] authentication for
source [/dest] validation and trust.
• Secure data transfer using encryption
SSL Communication Process
1. Server authentication (Handshake)
2. Key Exchange
3. Encrypted data transfer (Record)
Highest SSL Version, Ciphers Supported,
Data Compression Methods,
Session Id = 0,
Random Data
Selected SSL Version, Selected Cipher,
Selected Data Compression Method, Assigned
Session Id, Random Data, Server Certificate
(Client Certificate Request)
Server Hello Done
Indicates that further communication to server will be encrypted
Digest of all SSL handshake commands for integrity check
Indicates that further communication to client will be encrypted
Digest of all SSL handshake commands for integrity check](https://image.slidesharecdn.com/ssloperations-161107142327/85/SSL-Certificates-and-Operations-3-320.jpg)
![OpenSSL
Read cert (online)
openssl s_client -connect www.google.com:443 < /dev/null 2>/dev/null
openssl s_client -showcerts -connect www.google.com:443 < /dev/null 2>/dev/null
Read the cert - x509 decoded (online)
openssl s_client -connect qbo.intuit.com:443 < /dev/null 2>/dev/null | openssl x509 -in
/dev/stdin –text
Check expiry [startdate, fingerpring, …]
openssl s_client -connect qbo.intuit.com:443 < /dev/null 2>/dev/null | openssl x509 -in
/dev/stdin -noout –enddate [-startdate –fingerprint -sha1, …]
Verify the key and cert (offline)
openssl rsa -in admin.prod-lvdc.qbo.ie.intuit.com.key -noout -modulus | openssl shasum
openssl x509 -in admin.prod-lvdc.qbo.ie.intuit.com.crt -noout -modulus | openssl shasum
Public key extraction from Private key
openssl rsa -in mysite.key -pubout > mysite.pub.key
openssl req -noout -in mysite.csr –pubkey > mysite.pub.key
Remove passphrase from privae key
openssl rsa -in mysite.key -out nopassphrase_mysite.key](https://image.slidesharecdn.com/ssloperations-161107142327/85/SSL-Certificates-and-Operations-8-320.jpg)
SSL Certificates and Operations
- 2. Chapters • Purpose of SSL certificates • Request, sign, install and verify • CA Signed vs. Self signed • SSL Certificate types • DV (basic), OV (enhanced) & EV (complete) • OpenSSL • Certificate Structure • Chain of trust • Trust Stores • Certificate pinning • Free certificates
- 3. Purpose of SSL certificates • Server [/Client] authentication for source [/dest] validation and trust. • Secure data transfer using encryption SSL Communication Process 1. Server authentication (Handshake) 2. Key Exchange 3. Encrypted data transfer (Record) Highest SSL Version, Ciphers Supported, Data Compression Methods, Session Id = 0, Random Data Selected SSL Version, Selected Cipher, Selected Data Compression Method, Assigned Session Id, Random Data, Server Certificate (Client Certificate Request) Server Hello Done Indicates that further communication to server will be encrypted Digest of all SSL handshake commands for integrity check Indicates that further communication to client will be encrypted Digest of all SSL handshake commands for integrity check
- 4. Request, sign, install and verify 3. Get it signed by CA, say mysite.crt Cert verification by browser ▶ openssl genrsa -out mysite.key 4096 ▶ openssl req -new -key mysite.key -out mysite.csr 2. Send mysite.csr to the CA of your choice. 1. Generate the private key and certificate signing request for your site. 4. Install the certificate ▶ openssl req -x509 -newkey rsa:4096 -keyout mysite.key -out mysite.crt -days 365 CA Signed Self Signed 1. Generate the private key and self signed certificate for 365days. 2. Install the certificate
- 5. SSL Certificate types (DV,OV,EV) • DV – Domain Validated (Basic) • Small or medium level website owners who only wish to encrypt their domain can issue DV SSL certificate. (https://www.ycombinator.com/, https://www.nisheed.com) • Features • Green padlock • Lower price • Quick issuance within minutes • No paper work or documentation required for validation. Validated againest the domain. It does not guarantee the identity of the website's owner nor the actual existence of the organization • 99.9% mobile and web browser compatibility • Comes up with Wildcard and Multi Domain features • Reissue as many times as needed during the validity period • Validation process (email,file,registrar) • https://aboutssl.org/domain-validated-ssl-validation-process
- 6. SSL Certificate types (DV,OV,EV) • OV – Organization Validated (Enhanced) • Business identity level trust. Organization name printed in the certificate. (https://www.intuit.com/, https://www.icicbank.com, https://www.reddit.com/ ) • Features • Green padlock • 1-3 days for issuance • More trusted than DV • Organization name is validated and part of the certificate. (Issue to Organization and Subject are filled up) • https://aboutssl.org/document-require-for-ov-ssl-code-signing-certificate
- 7. SSL Certificate types (DV,OV,EV) • EV – Extended Validated (Complete) • For trusted and high security sites (https://www.godaddy.com, https://www.actalis.it/, https://www.geotrust.com/, https://www.online.citibank.co.in/ ) • Features • Green Address Bar + Organization Name + Trust Seal • Up to 10 business days for issuance & Very Strict Validation Process • OV by default + High 256-bit encryption with 2048-bit Key Length • Multi domain with SAN only. • https://aboutssl.org/document-require-for-ev-ssl-certificate
- 8. OpenSSL Read cert (online) openssl s_client -connect www.google.com:443 < /dev/null 2>/dev/null openssl s_client -showcerts -connect www.google.com:443 < /dev/null 2>/dev/null Read the cert - x509 decoded (online) openssl s_client -connect qbo.intuit.com:443 < /dev/null 2>/dev/null | openssl x509 -in /dev/stdin –text Check expiry [startdate, fingerpring, …] openssl s_client -connect qbo.intuit.com:443 < /dev/null 2>/dev/null | openssl x509 -in /dev/stdin -noout –enddate [-startdate –fingerprint -sha1, …] Verify the key and cert (offline) openssl rsa -in admin.prod-lvdc.qbo.ie.intuit.com.key -noout -modulus | openssl shasum openssl x509 -in admin.prod-lvdc.qbo.ie.intuit.com.crt -noout -modulus | openssl shasum Public key extraction from Private key openssl rsa -in mysite.key -pubout > mysite.pub.key openssl req -noout -in mysite.csr –pubkey > mysite.pub.key Remove passphrase from privae key openssl rsa -in mysite.key -out nopassphrase_mysite.key
- 9. Certificate Structure x509 - PKIX (Public Key Infrastructure) certificate - rfc6818 Encoding DER => Binary DER encoded certs. (appear as .cer/.crt files) PEM => ASCII (Base64) armored data prefixed with a “—– BEGIN …” line. (appears as .cer/.crt/.pem files) File extensions .crt => *nix convention of binary DER or Base64 PEM .cer => Microsoft covention of binary DER or Base64 PEM .key => public/private PKCS#8 keys. DER or PEM. # View cert content ▶ openssl x509 -in ServerCertificate.pem -text -noout ▶ openssl x509 -in ServerCertificate.der -inform der -text -noout # Encoding conversion ▶ openssl x509 -in ServerCertificate.cer -outform der -out ServerCertificate.der ▶ openssl x509 -in ServerCertificate.der -inform der -outform pem -out ServerCertificate.pem
- 10. Certificate Structure ▶ openssl s_client -connect qbo.intuit.com:443 < /dev/null 2>/dev/null | openssl x509 -in /dev/stdin –text
- 12. Trust Stores • Application trust stores • Browser • Public keys of all major CAs come with release • Java (tomcat,coldfusion etc.) • Mostly there but less frequently updated. • You need to take care if customized. ▶ /usr/local/java/jre/bin/keytool -import -v -alias SHA2_Standard_Inter_Symantec_Class_3_Standard_SSL_CA_G4 -file /$path/SHA2_Standard_Inter_Symantec_Class_3_Standard_SSL_CA_G4.cer -keystore /application/conf/jssecacerts -storepass changeit –noprompt ▶ /usr/local/java/jre/bin/keytool -list -v -keystore /application/conf/jssecacerts -storepass changeit – noprompt ▶ /usr/cfusion8/runtime/jre/bin/keytool -import -v -alias SHA2_EV_Inter_Symantec_Class_3_EV_SSL_CA_G3 - file /root/SHA2_EV_Inter_Symantec_Class_3_EV_SSL_CA_G3.cer -keystore /usr/cfusion8/runtime/jre/lib/security/cacerts -storepass changeit ▶ /usr/cfusion8/runtime/jre/bin/keytool -list -v -keystore /usr/cfusion8/runtime/jre/lib/security/cacerts -storepass changeit When should you update the application trust store?
- 13. Certificate pinning HTTP Public Key Pinning, or HPKP (rfc7469). This standard allows websites to send an HTTP header instructing the browser to remember (or "pin") parts of its SSL certificate chain. The browser will then refuse subsequent connections that don't match the pins that it has previously received. Here's an example of an HPKP header: Public-Key-Pins: pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; max-age=259200 Public-Key-Pins-Report-Only: max-age=2592000; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; report-uri="https://example.net/pkp-report" # Generate private key and csr. ▶ openssl genrsa -out mysite.key 4096 ▶ openssl req -new -key mysite.key -out mysite.csr # Get the crt from CA ▶ openssl x509 -noout -in mysite.crt -pubkey | openssl asn1parse -noout -inform pem -out mysite.pub.key ▶ openssl dgst -sha256 -binary mysite.pub.key | openssl enc -base64 # Form the header and add to web server (eg:- apache). Header add Public-Key-Pins "max-age=500; includeSubDomains; pin-sha256="wBVXRiGdJMKG7vQhr9tZ9br9Md4l7cO69LF2a88Au/o=";