Why do we need SSL/TLS?
- Server [/Client] authentication for source [/dest] validation and trust.
- Secure data transfer using encryption
SSL Communication Process
- Server authentication (Handshake)
- Key Exchange
- Encrypted data transfer (Record)
Request, sign, install and verify
CA Signed
- Generate the private key and certificate signing request for your site.
openssl genrsa -out mysite.key 4096
openssl req -new -key mysite.key -out mysite.csr
- Send mysite.csr to the CA of your choice.
- Get it signed by the CA; the signed certificate is, say, mysite.crt.
Self Signed
- Generate the private key and a self-signed certificate valid for 365 days.
openssl req -x509 -newkey rsa:4096 -keyout mysite.key -out mysite.crt -days 365
- Install the certificate
SSL Certificate types (DV, OV, EV)
DV – Domain Validated (Basic)
- Small and medium website owners who only wish to encrypt traffic to their domain can obtain a DV SSL certificate. (https://www.ycombinator.com/, https://www.nisheed.com)
- Features
  - Green padlock, but no validation of the organization.
  - Lower price
  - Quick issuance within minutes
  - No paperwork or documentation required for validation. Validated against the domain. It does not guarantee the identity of the website’s owner nor the actual existence of the organization.
  - 99.9% mobile and web browser compatibility
  - Available with Wildcard and Multi Domain features
  - Reissue as many times as needed during the validity period
- Validation process (email, file, registrar)
  - https://aboutssl.org/domain-validated-ssl-validation-process
OV – Organization Validated (Enhanced)
- Business identity level trust. Organization name printed in the certificate. (https://www.intuit.com/, https://www.icicbank.com, https://www.reddit.com/)
- Features
  - Green padlock with Organization name
  - 1-3 days for issuance
  - More trusted than DV
  - Organization name is validated and part of the certificate. (The "Issued to" Organization and Subject fields are filled in.)
- https://aboutssl.org/document-require-for-ov-ssl-code-signing-certificate
EV – Extended Validated (Complete)
- For trusted and high security sites (https://www.godaddy.com, https://www.actalis.it/, https://www.geotrust.com/, https://www.online.citibank.co.in/)
- Features
  - Green Address Bar + Organization Name + Trust Seal
  - Up to 10 business days for issuance and a very strict validation process
  - OV by default + High 256-bit encryption with 2048-bit Key Length
  - Multi domain with SAN only.
- https://aboutssl.org/document-require-for-ev-ssl-certificate
OpenSSL
Read cert (online)
openssl s_client -connect www.google.com:443 < /dev/null 2>/dev/null
openssl s_client -showcerts -connect www.google.com:443 < /dev/null 2>/dev/null
Read the cert – x509 decoded (online)
openssl s_client -connect qbo.intuit.com:443 < /dev/null 2>/dev/null | openssl x509 -in /dev/stdin -text
Check expiry [startdate, fingerprint, …]
openssl s_client -connect qbo.intuit.com:443 < /dev/null 2>/dev/null | openssl x509 -in /dev/stdin -noout -enddate [-startdate -fingerprint -sha1, …]
Verify the key and cert (offline)
openssl rsa -in admin.prod-lvdc.qbo.ie.intuit.com.key -noout -modulus | openssl sha256
openssl x509 -in admin.prod-lvdc.qbo.ie.intuit.com.crt -noout -modulus | openssl sha256
The two digests are identical when the key and the certificate belong together.
Public key extraction from Private key
openssl rsa -in mysite.key -pubout > mysite.pub.key
openssl req -noout -in mysite.csr -pubkey > mysite.pub.key
Remove passphrase from private key
openssl rsa -in mysite.key -out nopassphrase_mysite.key
Certificate Standard & Structure
x509 – PKIX (Public Key Infrastructure) certificate – rfc6818
Encoding
DER => Binary DER encoded certs. (appear as .cer/.crt files)
PEM => ASCII (Base64) armored data prefixed with a “-----BEGIN …” line. (appears as .cer/.crt/.pem files)
File extensions
.crt => *nix convention of binary DER or Base64 PEM
.cer => Microsoft convention of binary DER or Base64 PEM
.key => public/private PKCS#8 keys. DER or PEM.
View certificate content
openssl x509 -in ServerCertificate.pem -text -noout
openssl x509 -in ServerCertificate.der -inform der -text -noout
Encoding conversion
openssl x509 -in ServerCertificate.cer -outform der -out ServerCertificate.der
openssl x509 -in ServerCertificate.der -inform der -outform pem -out ServerCertificate.pem
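Because .crt and .cer can hold either encoding, tooling has to inspect the bytes rather than trust the file name. The sketch below is an added example, not part of the original page: it normalises PEM (including multi-certificate bundles) or DER input to DER and checks the outer length; the function names are hypothetical and the sample bytes are a constructed stand-in, not a real certificate.

```python
import base64
import re
import ssl

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def der_total_length(data: bytes) -> int:
    """Size in bytes of the outer DER SEQUENCE (header plus content)."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def load_certs(data: bytes) -> list:
    """Return every certificate in `data` as DER, whatever the file was called."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:                            # PEM: one or more armored blocks (a chain)
        ders = [base64.b64decode(b"".join(b.split())) for b in blocks]
    else:                                 # no armor found: treat as one DER blob
        ders = [data]
    for der in ders:
        if der_total_length(der) != len(der):
            raise ValueError("DER length does not match the data")
    return ders

def to_pem(der: bytes) -> bytes:
    """DER -> PEM using the standard library's 64-column armoring."""
    return ssl.DER_cert_to_PEM_cert(der).encode("ascii")

# Constructed sample: a tiny DER SEQUENCE { INTEGER 5 }, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])

if __name__ == "__main__":
    bundle = to_pem(SAMPLE_DER) + to_pem(SAMPLE_DER)
    print(len(load_certs(bundle)), "certificate(s) in the PEM bundle")
    print(len(load_certs(SAMPLE_DER)), "certificate(s) in the DER input")
```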
Chain of Trust
openssl s_client -connect google.com:443 -showcerts < /dev/null 2>/dev/null
Trust Stores
- Application trust stores
  - Browser
    - Public keys of all major CAs come with release
  - Applications (JDK/Tomcat, ColdFusion etc)
    - Mostly there but less frequently updated.
    - You need to take care if stored in custom location.
JDK
/usr/local/java/jre/bin/keytool -import -v -alias SHA2_Standard_Inter_Symantec_Class_3_Standard_SSL_CA_G4 -file /$path/SHA2_Standard_Inter_Symantec_Class_3_Standard_SSL_CA_G4.cer -keystore /application/conf/jssecacerts -storepass changeit -noprompt
/usr/local/java/jre/bin/keytool -list -v -keystore /application/conf/jssecacerts -storepass changeit -noprompt
ColdFusion
/usr/cfusion8/runtime/jre/bin/keytool -import -v -alias SHA2_EV_Inter_Symantec_Class_3_EV_SSL_CA_G3 -file /root/SHA2_EV_Inter_Symantec_Class_3_EV_SSL_CA_G3.cer -keystore /usr/cfusion8/runtime/jre/lib/security/cacerts -storepass changeit
/usr/cfusion8/runtime/jre/bin/keytool -list -v -keystore /usr/cfusion8/runtime/jre/lib/security/cacerts -storepass changeit
Certificate pinning
HTTP Public Key Pinning, or HPKP (rfc7469).
This standard allows websites to send an HTTP header instructing the browser to remember (or “pin”) parts of its SSL certificate chain. The browser will then refuse subsequent connections that don’t match the pins that it has previously received. Here’s an example of an HPKP header:
Public-Key-Pins: pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; max-age=259200
Public-Key-Pins-Report-Only: max-age=2592000; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; report-uri="https://example.net/pkp-report"
# Generate private key and csr.
openssl genrsa -out mysite.key 4096
openssl req -new -key mysite.key -out mysite.csr
# Get the crt from CA
openssl x509 -noout -in mysite.crt -pubkey | openssl asn1parse -noout -inform pem -out mysite.pub.key
openssl dgst -sha256 -binary mysite.pub.key | openssl enc -base64
# Form the header and add it to the web server (e.g. Apache).
Header add Public-Key-Pins "max-age=500; includeSubDomains; pin-sha256=\"wBVXRiGdJMKG7vQhr9tZ9br9Md4l7cO69LF2a88Au/o=\";"
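A pre-deployment check for a Public-Key-Pins value, written as an added example that is not part of the original page: RFC 7469 clients only note the pins when max-age is present, at least one pin matches a key in the served chain, and at least one backup pin matches no key in that chain. The function names are hypothetical and the SPKI byte strings are constructed stand-ins for the DER public keys that the openssl pipeline above hashes.

```python
import base64
import hashlib
import re

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: Base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp(value: str):
    """Parse a Public-Key-Pins header value into (pins, directives)."""
    pins, directives = [], {}
    # Split on ';' but never inside a quoted string (a report-uri may contain ';').
    for part in re.findall(r'(?:[^;"]|"[^"]*")+', value):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            pins.append(arg)
        elif name:
            directives[name] = arg
    return pins, directives

def pkp_problems(value: str, chain_spkis: list) -> list:
    """Return the reasons an RFC 7469 client would not note these pins."""
    pins, directives = parse_pkp(value)
    problems = []
    if not directives.get("max-age", "").isdigit():
        problems.append("max-age missing or not an integer")
    for pin in pins:
        try:
            ok = len(base64.b64decode(pin, validate=True)) == 32
        except ValueError:                # covers binascii.Error as well
            ok = False
        if not ok:
            problems.append("pin is not Base64 of a 32-byte digest: " + pin)
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if not chain_pins & set(pins):
        problems.append("no pin matches a key in the served chain")
    if not set(pins) - chain_pins:
        problems.append("no backup pin (a pin for a key outside the chain)")
    return problems

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
LEAF, INTERMEDIATE, SPARE = b"leaf-spki", b"intermediate-spki", b"offline-spare-spki"
CHAIN = [LEAF, INTERMEDIATE]
single = 'max-age=500; includeSubDomains; pin-sha256="%s";' % spki_pin(LEAF)
backed = 'pin-sha256="%s"; pin-sha256="%s"; max-age=259200' % (
    spki_pin(LEAF), spki_pin(SPARE))

if __name__ == "__main__":
    print("single pin:", pkp_problems(single, CHAIN))
    print("with backup:", pkp_problems(backed, CHAIN))
```

Keep the private key behind the backup pin offline; it is what lets the site rotate keys without locking out clients that still hold the old pins.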