The Concise Guide to SSL/TLS for DevOps by Alasdair Gilchrist


Author: Alasdair Gilchrist
Language: eng
Format: epub
Tags: SSL/TLS, Web Encryption, Internet security, Application security, Application authentication, ssl certificates, web privacy, internet security and privacy, HTTPS, digital certificates
Publisher: RG Consulting
Published: 2015-06-20T00:00:00+00:00


SSL Self-Signed Certificates

Up until now, we have been discussing SSL and CA-signed trusted certificates, which any major web browser will recognize because of the certificate chain. These trusted certificates are not optional; they are a necessity for secure and trusted communication over the internet, and for websites involved in ecommerce, email or financial transactions. This point cannot be stressed enough: SSL CA certificates should be used for any communications over insecure media when personal or sensitive information is being transmitted. Many websites do not do this even when user credentials are being exchanged. Furthermore, SSL gives users confidence that the site they are communicating with is who or what it claims to be.

This is all very good for communicating over the web, but what if you just want to secure communications between two applications over the LAN or WAN, or where encryption is the primary driver and authentication a secondary concern? SSL CA certificates would be a very expensive solution, perhaps justifiable depending on the value of the transactions, but now that we have a grounding in ciphers and protocols, a better way is to sign our own certificates for internal system communications. To clarify, though: self-signed certificates should never be used for public web servers, and should be used with caution even with private intranet web applications. However, self-signed certificates do have their uses in server-to-server communications, such as encrypting and securing a MySQL server. To understand how self-signing a certificate works, we need to examine how SSL certificates work.

How do you know that you are dealing with the right person, or rather the right web site? Well, someone has gone to great lengths (if they are serious) to ensure that the web site owners are who they claim to be. This someone you have to trust implicitly: you have his or her certificate loaded in your browser (a root certificate). An X.509 digital certificate contains information about the owner of the certificate, such as their e-mail address, the owner's name, certificate usage, duration of validity, and resource location or Distinguished Name (DN), which includes the Common Name (CN) (web site address or e-mail address, depending on the usage), and the certificate ID of the person who certifies (signs) this information. It also contains the public key and, finally, a hash to ensure that the certificate has not been tampered with. Because you made the choice to trust the person who signs this certificate, you also trust this certificate. This is a certificate trust tree or certificate path. Usually your browser or application has already loaded the root certificates of well-known Certification Authorities (CAs), or root CA certificates. The CA maintains a list of all signed certificates as well as a list of revoked certificates. A certificate is insecure until it is signed, as only a signed certificate is protected against modification. However, you can sign a certificate using itself; this is called a self-signed certificate. All root CA certificates are self-signed.
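The following is an added example, not taken from the book: it creates a self-signed certificate, issues a second certificate from it, and checks the two properties that make a certificate self-signed. It assumes OpenSSL 1.1.0 or later on the PATH; the host names and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example. Host names and file names are constructed placeholders.

# Create a key pair and a certificate signed with that same key.
make_self_signed() {   # $1 = output directory, $2 = Common Name
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Issue a second certificate signed by the first one's private key.
issue_from() {         # $1 = directory holding ca.key/ca.crt, $2 = Common Name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -sha256 -out "$1/leaf.crt" 2>/dev/null
}

# Self-signed means: the issuer name equals the subject name AND the
# signature verifies with the public key inside the certificate itself.
is_self_signed() {     # $1 = certificate file
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')
    [ "$s" = "$i" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Verify against the default trust store only. A freshly made self-signed
# certificate is not in that store, so this fails; that is why clients
# reject it until it is installed as a trusted root.
trusted_by_default() { # $1 = certificate file
    openssl verify "$1" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_self_signed "$d" "internal-root.example" &&
    issue_from "$d" "db.internal.example" || return 1
    is_self_signed "$d/ca.crt"       && echo "ca.crt:   self-signed"
    is_self_signed "$d/leaf.crt"     || echo "leaf.crt: signed by another key"
    trusted_by_default "$d/ca.crt"   || echo "ca.crt:   not trusted by default"
    rm -rf "$d"
}
demo
```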


