HTTPS & SSL
What it is, how it works, and how to configure this godforsaken technology
Encryption
Symmetric Encryption
- Message:
- Key:
- Ciphertext:
The key is shared between all parties.
Encryption and decryption is very fast.
Asymmetric Encryption
- Public Certificate
- Encrypts data
- Private Key
- Decrypts data
Anyone can have the public certificate. Only the private key can decrypt data.
I am not going into the math on this one.
So, how does it work?
HTTPS Handshake
Secure HTTPS request made
Sends Certificate
Client autnenticates certificate against trusted certificates
Acknowledge Certificate, provide encrypted shared key
Data continues being sent, using the symmetric key for encryptions
Vocabulary
| Certificate | Used for encryption and identity verification |
| Private Key | Used to decrypt values encrypted using the matching public certificate. Generated by the requesting entity. |
| Certificate Signing Request (CSR) | Used to request a signed certificate from a Certificate Authority (CA) |
| Certificate Authority | A trusted vendor that issues digital certificates. |
| Self-signed Certificate | A certificate not signed by a Certificate Authority. Used mostly for development. |
Certificate Formats
PEM
-----BEGIN CERTIFICATE-----
MIIFOzCCBCOgAwIBAgIHTqhITt5W5TANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UE
BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY
BgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMS0wKwYDVQQLEyRodHRwOi8vY2VydHMu
...
85sKysdk4OjNmeXGIauzQ60f0vUHNrTDToz3lOrybHcgOKPiguCJV4IVpKAr7vCq
5QyvPlRodJUCajhZISW3RmoFcBOQQInFv2qFXDpRIGmQUFIHiRBC0r2f5UP5a48=
-----END CERTIFICATE-----
DER
Binary formatted data
Certificate File Extensions
CRT
Encoding for public certificates. Can be either DER or PEM format. Most commonly seen in *nix systems.
CER
Practically synonymous with CER. Most commonly seen in Windows systems.
KEY
Typically used for private keys (PKCS#8). Can be either DER or PEM.
Tools
openssl
- Used to generate certificates, keys, CSR
- Details at http://www.openssl.org
- Windows binaries can be found at http://slproweb.com/products/Win32OpenSSL.html
keytool
- Used to work with Java Keystores
- Distributed as part of the Java Runtime Environment
- Available in \bridgegate\java\bin
Let's take a look
Cheat Sheet
Convert from DER to PEM
openssl x509 -in <file> -inform DER -out <target> -outform PEMImport a certificate to a keystore
keytool -importcert -keystore <filename> -file <public cert filename> \
[-alias <alias>]Import a public/private key pair to a keystore
openssl pkcs12 -in <certificate> -inkey <key> -export -out <keystore.p12>
keytool -importkeystore -srckeystore <keystore.p12> -srcstoretype pkcs12 \
-destkeystore <keystore.jks> -srcalias <p12 alias> \
-destalias <jks alias>
Cheat Sheet
Generate a self-signed certificate
keytool -keysize 2048 -genkey -alias <alias> -keyalg RSA -keystore <keystore.jks>
Generate a self-signed certificate with v3 extensions
openssl -genrsa -des3 -out <keyfile> 2048
openssl req -new -key <keyfile> -out <csrfile>
openssl x509 -req -days 3650 -in <csrfile> -inkey <keyfile> -out bg.crt \
[-extfile <extensions]
Extensions file (valid values described at https://www.openssl.org/docs/apps/x509v3_config.html):
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyCertSign
extendedKeyUsage=serverAuth,clientAuth
authorityKeyIdentifier=keyid,issuer
subjectAltName=URI:bridgegatetest.com,URI:*.bridgegatetest.com