HTTPS & SSL

What it is, how it works, and how to configure this godforsaken technology

Encryption

Symmetric Encryption

Message: HELLO
Key: AUJTK
Ciphertext: IZVFZ

The key is shared between all parties.

Encryption and decryption are very fast.

Asymmetric Encryption

Public Certificate: Encrypts data
Private Key: Decrypts data

Anyone can have the public certificate. Only the private key can decrypt data.

I am not going into the math on this one.

So, how does it work?

HTTPS Handshake

Web User

Secure HTTPS request made

Sends Certificate

Client authenticates certificate against trusted certificates

Acknowledge Certificate, provide encrypted shared key

Data continues being sent, using the symmetric key for encryption

Web User

Vocabulary

Certificate: Used for encryption and identity verification.
Private Key: Used to decrypt values encrypted using the matching public certificate. Generated by the requesting entity.
Certificate Signing Request (CSR): Used to request a signed certificate from a Certificate Authority (CA).
Certificate Authority: A trusted vendor that issues digital certificates.
Self-signed Certificate: A certificate not signed by a Certificate Authority. Used mostly for development.

Certificate Formats

PEM

-----BEGIN CERTIFICATE-----
MIIFOzCCBCOgAwIBAgIHTqhITt5W5TANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UE
BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY
BgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMS0wKwYDVQQLEyRodHRwOi8vY2VydHMu
...
85sKysdk4OjNmeXGIauzQ60f0vUHNrTDToz3lOrybHcgOKPiguCJV4IVpKAr7vCq
5QyvPlRodJUCajhZISW3RmoFcBOQQInFv2qFXDpRIGmQUFIHiRBC0r2f5UP5a48=
-----END CERTIFICATE-----
                            
DER

Binary formatted data

Certificate File Extensions

CRT

Encoding for public certificates. Can be either DER or PEM format. Most commonly seen in *nix systems.

CER

Practically synonymous with CRT. Most commonly seen in Windows systems.

KEY

Typically used for private keys (PKCS#8). Can be either DER or PEM.
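
Because a CRT, CER or KEY file can hold either encoding, the extension does not say which one you have. The sketch below is an added example, not part of the original slides: it classifies a file by its bytes and converts between PEM and DER, the same transformation as the `openssl x509 -inform DER -outform PEM` command in the cheat sheet. The function names and the sample bytes are constructed for illustration.

```python
import base64
import re

# PEM is base64-encoded DER wrapped in BEGIN/END lines.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.+?)\s*-----END \1-----", re.DOTALL)

def _der_total_length(data: bytes) -> int:
    """Size (header + content) declared by the outer DER element, or -1."""
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def detect_encoding(data: bytes) -> str:
    """Classify by content, not by file extension: 'PEM', 'DER' or 'unknown'."""
    if PEM_RE.search(data):
        return "PEM"
    # A DER certificate or key is one ASN.1 SEQUENCE (tag 0x30) whose declared
    # length must account for every byte in the file.
    if len(data) >= 2 and data[0] == 0x30 and _der_total_length(data) == len(data):
        return "DER"
    return "unknown"

def pem_to_der(pem: bytes) -> tuple:
    """Return (label, der_bytes) for the first PEM block; ValueError if damaged."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    body = b"".join(m.group(2).split())   # drop line breaks inside the base64
    return m.group(1).decode(), base64.b64decode(body, validate=True)

def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER bytes in PEM armor with 64-character base64 lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    tag = label.encode()
    return (b"-----BEGIN " + tag + b"-----\n" + b"\n".join(lines)
            + b"\n-----END " + tag + b"-----\n")

# Constructed sample: DER SEQUENCE header + 200 filler bytes (NOT a real certificate).
SAMPLE_DER = bytes([0x30, 0x81, 0xC8]) + bytes(range(200))

if __name__ == "__main__":
    print(detect_encoding(SAMPLE_DER), detect_encoding(der_to_pem(SAMPLE_DER)))
```

A truncated file fails the DER length check, and a PEM block with an elided body (such as the `...` in the sample above) raises `ValueError` in `pem_to_der`. Neither is silently accepted.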

Tools

openssl

keytool

  • Used to work with Java Keystores
  • Distributed as part of the Java Runtime Environment
  • Available in \bridgegate\java\bin

Let's take a look

Cheat Sheet

Convert from DER to PEM

openssl x509 -in <file> -inform DER -out <target> -outform PEM

Import a certificate to a keystore

keytool -importcert -keystore <filename> -file <public cert filename> \
    [-alias <alias>]

Import a public/private key pair to a keystore


openssl pkcs12 -in <certificate> -inkey <key> -export -out <keystore.p12>

keytool -importkeystore -srckeystore <keystore.p12> -srcstoretype pkcs12 \
    -destkeystore <keystore.jks> -srcalias <p12 alias> \
    -destalias <jks alias>

Cheat Sheet

Generate a self-signed certificate

keytool -keysize 2048 -genkey -alias <alias> -keyalg RSA -keystore <keystore.jks>

Generate a self-signed certificate with v3 extensions


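# 1. Generate a passphrase-protected 2048-bit RSA private key
openssl genrsa -des3 -out <keyfile> 2048
# 2. Create a certificate signing request from that key
openssl req -new -key <keyfile> -out <csrfile>
# 3. Self-sign the request with the same key
openssl x509 -req -days 3650 -in <csrfile> -signkey <keyfile> -out bg.crt \
        [-extfile <extensions>]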
            

Extensions file (valid values described at https://www.openssl.org/docs/apps/x509v3_config.html):

basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyCertSign
extendedKeyUsage=serverAuth,clientAuth
authorityKeyIdentifier=keyid,issuer
# Host names belong in DNS entries, which is what TLS clients match the requested host against
subjectAltName=DNS:bridgegatetest.com,DNS:*.bridgegatetest.com

?