New India’s most advanced hyper-realistic security training lab is live now. Visit PurpleSynapz for more information.

SSL CERTIFICATES – A Practical Guide

Raghu K By Raghu K in Security
22478 Views
0 Comments

Overview

1. Hyper Text Transfer Pro tocol (HTTP) is no doubt a Powerful & yet Simple pro tocol for exchanging the data between Server & Client implemented on the Web.

2. The major Security Concern with HTTP is that the information that flows between the Server & Client will be in Clear Text¸ allowing the machines through which the data passes can see the content transmitted.

3. To address this concern, Hyper Text Transfer Pro tocol Secured (HTTPS) was introduced.

4. In HTTPS, Client & Server will establish a Secure Encrypted Channel and then pass the information through it.

5. So in a nutshell, HTTPS will convert a clear text in to a scrambled message so that only the intended recipient can read it.

6. HTTPS implements the three key concepts of Information Security:

  • Confidentiality – Refers to the Privacy of information that is being shared during the communication. It can be achieved using the Encryption Methods (like AES).
  • Integrity – Refers to the Accuracy & Trustworthiness of data sent to other machine during the communication. It can be achieved using the Message Digest Algorithms (like SHA).
  • Authentication – There was a problem in identifying who the other party really is as they are physically separate devices. In order to address this issue, a Mutually Trusted Third Party – Certificate Authority (CA) will come in to picture. The CA will issue a Unique Identifier – Certificate to a domain which will guarantees that we are accessing the correct website.

7. So in order to respect Internet Users Privacy, almost all the E-commerce & Banking Websites implements HTTPS in the first place.

8. But back in 2014, Google promoted the websites to implement HTTPS by providing a minor raking boost and started giving Not Secure message just beside to the HTTP Websites URL.

9. Nowadays to give better user experience websites are implemented with HTTPS in the initial stage itself.

10. In order to implement the HTTPS, one should have a Trusted 3rd Party CA SSL Certificate.

11. While issuing an SSL Certificate, the CA will guarantee the authenticity of the website by verifying the registration of the website’s domain name & in few cases the organization behind it.

12. There are 3 Kinds of SSL Certificates based on the Validation Methods:

  • Domain Validated (DV)

    • Certificate Authority (CA) will verify that the user requesting the SSL certificate owns & administers the domain.
    • CA will perform the validation either an Email Challenge Response or File Lookup over HTTP or DNS CNAME lookup for Domain.
    • Visi tors will see a lock icon in their address bar, but no specific information about the owner.

  • Organization Validated (OV)

    • Certificate Authority (CA) will confirm the business making the request is registered and legitimate.
    • When visi tors click the green lock icon in their browser, the business name is listed.

  • Extended Validation (EV)

    • EV certificates require even more documentation for the Certificate Authority to validate the organization.
    • Visi tors will see the name of the business inside the address bar in addition to the lock icon.

13. Again, there are 3 kinds of SSL Certificates based on the Number of Domains they cover:

  • Single-Name SSL Certificates
  • Multi-Domain SSL Certificates / SAN Certificates

    • It allows us to protect up to 100 domains with the same certificate with the help of SAN Extension for the domain.
    • The pricing of the certificate here depends on how many subdomains (within 100 limit) the certificate is going to cover.
  • Wildcard SSL Certificate

14. With all the above SSL Certificate variants, there is one more kind – Self-Signed Certificate. Here the Certificate will be signed by the person creating it. Self-Signed Certificate are used in the following cases:

  • Organization’s Internal Website which has limited pages & a smaller number of Users visiting the site.
  • Testing internal websites during initial stages.

15. In order to implement the HTTPS on a Web Server we need to:

  • Generate a CSR (which contains the details of the organization, Common Name for the Domain & a public Key) and a Private Key.
  • Purchase an SSL Certificate from a Trusted 3rd Party CA.
  • Map the SSL Certificate to the Web Server’s Domain.
  • Install the SSL Certificate on the Web Server.

Requirement

Implementing HTTPS on an Apache Server running on Linux Machine.

Setup Details & Background

Server Type Domain Name Running on Port Need to Implement
Apache on Linux www.rkmillets.tk 80 (HTTP) HTTPS

1. Let’s consider the RK-Millets start-up which is known for its healthy food products in the market.

2. As the demand for their product grows in the market, RK-Millets decided to go for selling the products online parallel to the retail s tores.

3. But with the existing setup their website is running on HTTP, which means no internet user will disclose their Credit Card or Debit Card or their Personal Details to buy their products online.

4. So, the solution for better User Experience and Privacy, RK-Millets decided to implement the HTTPS on their Server. Let’s see how we can achieve this requirement.

Generating a CSR & Private Key

1. You can generate the CSR & a Private Key file in two ways:

  • Online CSR & Private Key Genera tor hosted by any Certificate Authority.
  • On the Web Server itself using OpenSSL tool.

2. If you are going with the Online Approach, you can consider any Certificate Authority in order to generate the CSR & a Private Key file by providing that it details asked for. We can consider SSL.COM CA Online CSR& Key Genera tor here:

3. Due to Security Concerns, most of the organization will go with the second method – Generating the CSR & Key on the Web Server itself using OpenSSL tool.

4. In our scenario, let’s stick to the second approach. On RKMillets Web Server, run the below command in any direc tory (say /home/admin) which will generate a CSR & Private Key.

# openssl req -new -newkey rsa:2048 -nodes -out <CSR_File.csr> -keyout <Private_Key_File.key>

In our case it is:

# openssl req -new -newkey rsa:2048 -nodes -out www_rkmillets_tk.csr -keyout www_rkmillets_tk.key

5. The outcome of the above command will be a CSR file (www_rkmillets_tk.csr) & a Private Key file (www_rkmillets_tk.key).

Generating a Self-Signed Certificate

1. Let’s Check the Web Server behaviour using a Self-Signed Certificate before purchasing an SSL Certificate.

2. Generate a Self-Signed Certificate for the Web Server using the CSR & a Private Key file generated earlier with the below command:

# openssl x509 -req -signkey <Private_Key_File.key> -days 1024 -in <CSR_File.csr> -out <Self_Signed_Cert.crt>

In our case it is:

# openssl x509 -req -signkey www_rkmillets_tk.key -days 1024 -in www_rkmillets_tk.csr -out self-sign.crt

Configuring Web Server for HTTPS Feature

1. We need the mod_ssl module for enabling the HTTPS feature on an Apache Server.

2. Install the mod_ssl package on to our Web Server.

3. Restart the Apache Server and you will be able to see the Web Server listening on port 443.

4. Check whether you can access the file ssl.conf in /etc/httpd/conf.d/ direc tory.

5. Edit the ssl.conf using any text edi tor.

6. We need a Name-based Virtual Host so that our Apache Web Server can serve the requests send by the Client based on the hostname (in our case it’s https://www.rkmillets.tk). So, under ssl.conf file add the below entry:

NameVirtualHost *:443

7. Define below lines at the end of ssl.conf file which will have details about the ServerName, DocumentRoot (where your web pages are s tored), SSL Certificate File & it’s Private Key. Here let’s consider the Self-Signed Certificate (self-sign.crt) that we have created before.

<VirtualHost *:443>

ssl Engine on

ServerName www.rkmillets.tk

ServerAdmin admin@rkmillets.tk

DocumentRoot /var/www/html/

SSLCertificateFile /home/admin/self-sign.crt

SSLCertificateKeyFile /home/admin/www_rkmillets_tk.key

</VirtualHost>

8. Save the ssl.conf file content and restart the Apache.

9. Access our Web Server now over HTTPS,

10. The reason being the Self-Signed Certificate which our Browser or Operating System won’t trust.

11. But our intention to test our Web Server on HTTPS is fulfilled.

12. If we are looking to eliminate the Certificate Warning on any browser, then go for purchasing a Trusted CA SSL Certificate & Map it to our Web Server.

Getting Trusted CA SSL Certificate

1. Here, we are considering SSL.COM Certificate Authority. Purchase an SSL Certificate from SSL.COM so that we can map this SSL Certificate to our Web Server.

2. Click on Submit CSR option,

3. An SSL Certificate Generation Wizard will start,

4. Copy the CSR file content that we have generated on the Web Server s tored in /home/admin.

5. Paste it in the CSR field of the Wizard,

6. If the CSR is valid, then it will au tomatically decode the Fully Qualified Domain Name out of it.

7. Provide the Registrant & Contact details for this SSL Certificate.

8. In order to establish ownership or authorization to acquire an SSL Certificate for a specific domain, proof of control over the domain must be established. SSL.COM CA will validate any Domain using the following methods.

  • Email Challenge Response
  • File lookup over HTTP
  • DNS CNAME lookup for domain

9. We will go with DNS CNAME Lookup for Domain validation method.

10. Here we need to add a CNAME record on our DNS Server (which is managing our domain www.rkmillets.tk) so that it can point to SSL.COM. i.e.

point a CNAME

_D92FB172F301600CB6BCB1ED50FCD186.rkmillets.tk

To

9AB6D85A2CA145A2A8B7BF7739AF823D.01697CF0249B45F22E5D0A8A1673A36D.ac563396d0
.ssl.com

11. SSL.COM CA’s Domain Validation will be passed after adding the CNAME record.

12. Download the SSL Certificate of type Apache.

13. Copy the downloaded files to our Web Server.

14. Instead of Self-Signed Certificate which was mapped earlier, add the entries in ssl.conf file so that Apache can consider our Trusted CA Domain Certificate & CA Bundled Certificate (which contains both Root & Intermediate CA Certificate) file.

Replace the Self-Signed Certificate with Domain Certificate in SSLCertificateFile line and add one more line SSLCertificateChainFile for mapping our CA Bundled Certificate.

15. Restart Apache.

16. Now, access the RK-Millets website over HTTPS,

17. Voila! We are no more getting the Certificate Warning message on the Browser, so let’s see the Certificate associated with this website.

18. The reason for not getting the Certificate Warning is quite straight forward – The Certificate Authority which issued our Domain Certificate is Trusted by our Operating System or the Browser.

Leave a Reply

Your email address will not be published. Required fields are marked *

Take a sneak-peek into our minds.

Read our musings on what’s changing and impacting the world in the field of cyber security and analytics.

Subscribe our Newsletter and recieve updates directly to your inbox

We don't spam!