Download - SSL Certificates and Operations
![Page 1: SSL Certificates and Operations](https://reader031.vdocument.in/reader031/viewer/2022021813/58732bd11a28ab596c8b5b89/html5/thumbnails/1.jpg)
SSLCertificates&OperationsNisheedMeethal
7Nov’16
![Page 2: SSL Certificates and Operations](https://reader031.vdocument.in/reader031/viewer/2022021813/58732bd11a28ab596c8b5b89/html5/thumbnails/2.jpg)
Chapters
• PurposeofSSLcertificates• Request,sign,installandverify
• CASignedvs.Selfsigned
• SSLCertificatetypes• DV(basic),OV(enhanced)&EV(complete)
• OpenSSL• CertificateStructure• Chainoftrust• TrustStores• Certificatepinning• Freecertificates
![Page 3: SSL Certificates and Operations](https://reader031.vdocument.in/reader031/viewer/2022021813/58732bd11a28ab596c8b5b89/html5/thumbnails/3.jpg)
PurposeofSSLcertificates• Server[/Client]authenticationforsource[/dest]validationandtrust.
• Securedatatransferusingencryption
SSLCommunicationProcess1. Serverauthentication(Handshake)2. KeyExchange3. Encrypteddatatransfer(Record)
Highest SSL Version, Ciphers Supported, Data Compression Methods, Session Id = 0, Random Data
Selected SSL Version, Selected Cipher,Selected Data Compression Method, Assigned Session Id, Random Data, Server Certificate
(Client Certificate Request)Server Hello Done
Indicates that further communication to server will be encrypted
Digest of all SSL handshake commands for integrity check
Indicates that further communication to client will be encrypted
Digest of all SSL handshake commands for integrity check
![Page 4: SSL Certificates and Operations](https://reader031.vdocument.in/reader031/viewer/2022021813/58732bd11a28ab596c8b5b89/html5/thumbnails/4.jpg)
Request,sign,installandverify
3.GetitsignedbyCA,saymysite.crt
Certverificationbybrowser
▶ openssl genrsa -out mysite.key 4096▶ openssl req -new -key mysite.key -out mysite.csr
2.Sendmysite.csr totheCAofyourchoice.
1.Generatetheprivatekeyandcertificatesigningrequestforyoursite.
4.Installthecertificate
▶ openssl req -x509 -newkey rsa:4096 -keyout mysite.key -out mysite.crt -days 365
CASigned
SelfSigned
1.Generatetheprivatekeyandselfsigned certificatefor365days.
2.Installthecertificate
![Page 5: SSL Certificates and Operations](https://reader031.vdocument.in/reader031/viewer/2022021813/58732bd11a28ab596c8b5b89/html5/thumbnails/5.jpg)
SSLCertificatetypes(DV,OV,EV)
• DV– DomainValidated(Basic)• Smallormedium levelwebsiteownerswhoonlywishtoencrypttheirdomaincanissueDVSSLcertificate.(https://www.ycombinator.com/,https://www.nisheed.com)
• Features• Greenpadlock• Lowerprice• Quickissuancewithinminutes• Nopaperworkordocumentationrequiredforvalidation.Validatedagainestthe
domain. Itdoesnotguaranteetheidentityofthewebsite'sownernortheactualexistenceoftheorganization
• 99.9%mobileandwebbrowsercompatibility• ComesupwithWildcardandMultiDomainfeatures• Reissueasmanytimesasneededduringthevalidityperiod
• Validationprocess(email,file,registrar)• https://aboutssl.org/domain-validated-ssl-validation-process
![Page 6: SSL Certificates and Operations](https://reader031.vdocument.in/reader031/viewer/2022021813/58732bd11a28ab596c8b5b89/html5/thumbnails/6.jpg)
SSLCertificatetypes(DV,OV,EV)
• OV– OrganizationValidated(Enhanced)• Businessidentityleveltrust.Organizationnameprinted inthecertificate.
(https://www.intuit.com/,https://www.icicbank.com,https://www.reddit.com/ )
• Features• Greenpadlock• 1-3daysforissuance• MoretrustedthanDV• Organizationnameisvalidatedandpartofthecertificate.(IssuetoOrganizationand
Subjectarefilledup)
• https://aboutssl.org/document-require-for-ov-ssl-code-signing-certificate
![Page 7: SSL Certificates and Operations](https://reader031.vdocument.in/reader031/viewer/2022021813/58732bd11a28ab596c8b5b89/html5/thumbnails/7.jpg)
SSLCertificatetypes(DV,OV,EV)
• EV– ExtendedValidated(Complete)• Fortrustedandhighsecuritysites(https://www.godaddy.com,https://www.actalis.it/,
https://www.geotrust.com/,https://www.online.citibank.co.in/ )• Features
• GreenAddress Bar+OrganizationName+TrustSeal
• Upto10business daysforissuance&VeryStrictValidation Process• OVbydefault+High256-bitencryptionwith2048-bitKeyLength• MultidomainwithSANonly.
• https://aboutssl.org/document-require-for-ev-ssl-certificate
![Page 8: SSL Certificates and Operations](https://reader031.vdocument.in/reader031/viewer/2022021813/58732bd11a28ab596c8b5b89/html5/thumbnails/8.jpg)
OpenSSLReadcert(online)openssl s_client -connect www.google.com:443 < /dev/null 2>/dev/nullopenssl s_client -showcerts -connect www.google.com:443 < /dev/null 2>/dev/null
Readthecert- x509decoded (online)openssl s_client -connect qbo.intuit.com:443 < /dev/null 2>/dev/null | openssl x509 -in /dev/stdin –text
Checkexpiry[startdate,fingerpring,…]openssl s_client -connect qbo.intuit.com:443 < /dev/null 2>/dev/null | openssl x509 -in /dev/stdin -noout –enddate [-startdate –fingerprint -sha1, …]
Verifythekeyandcert(offline)openssl rsa -in admin.prod-lvdc.qbo.ie.intuit.com.key -noout -modulus | openssl shasumopenssl x509 -in admin.prod-lvdc.qbo.ie.intuit.com.crt -noout -modulus | openssl shasum
PublickeyextractionfromPrivatekeyopenssl rsa -in mysite.key -pubout > mysite.pub.key openssl req -noout -in mysite.csr –pubkey > mysite.pub.key
Removepassphrasefromprivaekeyopenssl rsa -in mysite.key -out nopassphrase_mysite.key
![Page 9: SSL Certificates and Operations](https://reader031.vdocument.in/reader031/viewer/2022021813/58732bd11a28ab596c8b5b89/html5/thumbnails/9.jpg)
CertificateStructure
x509- PKIX(PublicKeyInfrastructure) certificate- rfc6818
Encoding
DER=>BinaryDERencoded certs.(appearas.cer/.crtfiles)
PEM=>ASCII(Base64)armoreddataprefixedwitha“—– BEGIN…”line.(appearsas.cer/.crt/.pemfiles)
Fileextensions
.crt=>*nixconventionofbinaryDERorBase64PEM
.cer=>MicrosoftcoventionofbinaryDERorBase64PEM
.key=>public/private PKCS#8 keys.DERorPEM.
#Viewcertcontent▶ openssl x509 -in ServerCertificate.pem -text -noout▶ openssl x509 -in ServerCertificate.der -inform der -text -noout
#Encodingconversion▶ openssl x509 -in ServerCertificate.cer -outform der -out ServerCertificate.der▶ openssl x509 -in ServerCertificate.der -inform der -outform pem -out ServerCertificate.pem
![Page 10: SSL Certificates and Operations](https://reader031.vdocument.in/reader031/viewer/2022021813/58732bd11a28ab596c8b5b89/html5/thumbnails/10.jpg)
CertificateStructure▶ openssl s_client-connectqbo.intuit.com:443</dev/null 2>/dev/null |openssl x509-in/dev/stdin –text
![Page 11: SSL Certificates and Operations](https://reader031.vdocument.in/reader031/viewer/2022021813/58732bd11a28ab596c8b5b89/html5/thumbnails/11.jpg)
▶ openssl s_client–connectgoogle.com:443 -showcerts</dev/null2>/dev/null
Google.com(EE/Leaf)
GIA(ICA)
Geotrust(ICA)
Equifax(rootCA)
ChainofTrust
![Page 12: SSL Certificates and Operations](https://reader031.vdocument.in/reader031/viewer/2022021813/58732bd11a28ab596c8b5b89/html5/thumbnails/12.jpg)
TrustStores
• Application truststores• Browser
• Public keysofallmajorCAscomewithrelease• Java (tomcat,coldfusionetc.)
• Mostlytherebutlessfrequently updated.• Youneedtotakecareifcustomized.
▶ /usr/local/java/jre/bin/keytool -import -v -alias SHA2_Standard_Inter_Symantec_Class_3_Standard_SSL_CA_G4 -file /$path/SHA2_Standard_Inter_Symantec_Class_3_Standard_SSL_CA_G4.cer -keystore /application/conf/jssecacerts -storepass changeit –noprompt
▶ /usr/local/java/jre/bin/keytool -list -v -keystore /application/conf/jssecacerts -storepass changeit –noprompt
▶ /usr/cfusion8/runtime/jre/bin/keytool -import -v -alias SHA2_EV_Inter_Symantec_Class_3_EV_SSL_CA_G3 -file /root/SHA2_EV_Inter_Symantec_Class_3_EV_SSL_CA_G3.cer -keystore /usr/cfusion8/runtime/jre/lib/security/cacerts -storepass changeit
▶ /usr/cfusion8/runtime/jre/bin/keytool -list -v -keystore /usr/cfusion8/runtime/jre/lib/security/cacerts -storepass changeit
Whenshouldyouupdatetheapplicationtruststore?
![Page 13: SSL Certificates and Operations](https://reader031.vdocument.in/reader031/viewer/2022021813/58732bd11a28ab596c8b5b89/html5/thumbnails/13.jpg)
CertificatepinningHTTPPublicKeyPinning,orHPKP (rfc7469).
ThisstandardallowswebsitestosendanHTTPheaderinstructingthebrowsertoremember(or"pin")partsofitsSSLcertificatechain.Thebrowserwillthenrefusesubsequent connectionsthatdon'tmatchthepinsthatithaspreviouslyreceived.Here'sanexampleofanHPKPheader:
Public-Key-Pins: pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; max-age=259200
Public-Key-Pins-Report-Only: max-age=2592000; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=";
report-uri="https://example.net/pkp-report"
#Generateprivatekeyandcsr.▶ openssl genrsa -out mysite.key 4096▶ openssl req -new -key mysite.key -out mysite.csr
#GetthecrtfromCA▶ openssl x509 -noout -in mysite.crt -pubkey | openssl asn1parse -noout -inform pem -out mysite.pub.key▶ openssl dgst -sha256 -binary mysite.pub.key | openssl enc -base64
#Formtheheaderandaddtowebserver(eg:- apache).Header add Public-Key-Pins "max-age=500; includeSubDomains;
pin-sha256=\"wBVXRiGdJMKG7vQhr9tZ9br9Md4l7cO69LF2a88Au/o=\";
![Page 14: SSL Certificates and Operations](https://reader031.vdocument.in/reader031/viewer/2022021813/58732bd11a28ab596c8b5b89/html5/thumbnails/14.jpg)
Free&Opencertificates
• Let’sEncrypt• https://letsencrypt.org/getting-started/
![Page 15: SSL Certificates and Operations](https://reader031.vdocument.in/reader031/viewer/2022021813/58732bd11a28ab596c8b5b89/html5/thumbnails/15.jpg)
Usefulresources:
https://www.ssllabs.com/ssltest/https://aboutssl.org/ssl-tools/ssl-checker.phphttps://tools.ietf.org/html/rfc6818https://certbot.eff.org/