An SSL certificate (Secure Sockets Layer certificate) is a digital certificate used to establish a secure, encrypted connection between a web server and a web browser. It ensures that data transferred between the two parties is secure and can't be intercepted by attackers.
Key Concepts
Wildcard Certificate
It is a type of SSL/TLS certificate that secures a domain and all its subdomains at one level.
**.example.com*
Subject Alternative Name (SAN)/ Multi-Domain Certificate
It is a type of SSL/TLS certificate that secures multiple domain names and subdomains explicitly listed in the certificate.
(e.g., www.example.com, example.com, blog.example.com, etc.)
Can a single domain have multiple SSL Certificates?
Yes, a website might be hosted across multiple servers, each with its own SSL/TLS certificate for the same domain. To maintain security without downtime, organizations often issue a new certificate before the old one expires
A domain may use both wildcard certificates (e.g., *.example.com) and Subject Alternative Name (SAN) certificates (e.g., example.com, shop.example.com, blog.example.com). Each covers different needs within the same domain.
Working:
How to generate SSL Certificate?
Openssl is used to create and manage ssl/tls/digital certificates, which are used for secure connections over the web. It provides tools to encrypt and decrypt data using encryption algorithms like vpn
It is used for generating private and public key pairs.
Step 1:
(Key value pairs generation)
openssl genrsa -out name.key 2048 //generate a private key
openssl rsa -in name.key -pubout -out name_public.key //generate a public key
openssl req -new -key name.key -out name.csr
//generate Certificate Signing Request (CSR) using your private key
country name: <country_name>
state: <state_name>
locality: ISB
organization name: <company_name>
common name: <common_name>
email: <email>
Step 2:
(Certificate Signing Request)
CSR is handed out CA(certification autority). They sign on our behalf and provide the certificate or we can also self sign but it can only be used for testing process.
Step 3:
(Certificate Verification)
openssl req -text -in tutorials.key -noout -verify
Step 4:
(Self signed)
openssl x509 -in tutorials.csr -out tutorials.crt
-req -signkey tutorials.key -days 365
Flow of SSL/TLS Certificate Generation and Verification Key Generation:
CSR Submission:
You submit the CSR to a Certificate Authority (CA) for signing.
Certificate Issuance:
The CA verifies your identity and signs the CSR, issuing you an SSL certificate that includes your public key and other information.
Server Configuration:
You store your private key (daksh.key) and the signed SSL certificate (e.g., daksh.crt) on your server.
User Connection:
When a user connects to your website, your server sends the SSL certificate (which contains the public key) to the user's browser.
Certificate Verification by Browser:
The browser performs several checks:
Certificate Chain: It verifies that the certificate is signed by a trusted CA.
Signature Verification: It uses the CA's public key to verify the signature on your certificate.
Validity Period: It checks if the certificate is expired.
Revocation Status: It checks if the certificate has been revoked (using CRL or OCSP).
Domain Name Match: It ensures that the domain name in the certificate matches the accessed domain.
Secure Connection:
If all checks are passed, the browser establishes a secure connection (SSL/TLS) using the public key from the certificate to encrypt data.
Doubt addressed:
When you submit the CSR to the CA, the CSR contains your public key. The CA uses this public key to create the SSL certificate. Therefore, when the server sends the certificate to the browser, the public key is included within the certificate itself.
Stay Connected!
If you enjoyed this post, don’t forget to follow me on social media for more updates and insights:
Twitter: madhavganesan
Instagram: madhavganesan
LinkedIn: madhavganesan
Top comments (0)