Why my servers are DOWN every year? What the h*** is SSL/TLS Certificate? How does it work? It’s so confusing!!! — Hands-on Activity 😉

Learn about SSL/TLS certificates and how they work!

Disclaimer: This article is intended for beginners and people with no knowledge of SSL/TLS certificates. If you’re a pro or looking for some advanced topics within SSL/TLS, refer to the bottom section of this article that should help you or follow for more.

OK, I’m going to talk to you about SSL/TLS certificates in more layman’s terms and not going to confuse or bore you with it. We’ll just take one step at a time! Before going ahead, if you’re looking/aspiring to be a Linux/Cloud Engineer, make sure you understand this concept because this plays a crucial part in handling your data between the clients and servers securely.

Before getting into what SSL/TLS certificates are and their basics, let's look at the two terms separately.

What are SSL and TLS? Which one do I need?

Yes, this is the most confusing part at the start, because I had the same confusion when I started to work on networks and connecting them successfully. I was confused enough that I even forgot to have my lunch/dinner when I started working on these.

All that said, just remember this — SSL (Secure Sockets Layer) is the older protocol, developed in the 1990s. TLS (Transport Layer Security) is the newer protocol, developed as the successor to SSL in the late 1990s. Today, most websites have migrated from TLS v1.2 to TLS v1.3 or are in the process of migrating. SSL is no longer considered secure, is no longer widely used, and has been deprecated in favor of TLS. Most modern websites and servers use TLS to secure their connections.

SSL/TLS timeline/history of evolution (image; Source credit: https://ietf.org)

The above image shows the history/timeline of the evolution of the protocols and their versions. You must be wondering why there is no SSL v1.0: SSL v1 was still under testing and received major upgrades/fixes, so Netscape directly released SSL v2.0. As there was more traction in adopting this protocol, control of it was later taken over by a centralized organization, the IETF (Internet Engineering Task Force).

Now, let's talk about the nuances of SSL/TLS certificates. An SSL/TLS certificate is a digital certificate that is used to establish a secure, encrypted connection between a web server and a web client (usually a web browser). The SSL certificate is issued by a certificate authority (CA) like DigiCert, Let's Encrypt, GoDaddy, and many more. It contains information about the identity of the web server and the domain it is used for.

Popular Certificate Authorities (image; Source credit: https://ibandhu.com)

Let me give you a quick example that you must have seen a lot: the moment you open an insecure website, your Chrome browser warns that the site is not secure and that there is a risk involved in opening it. This purely revolves around the trust of the site. For a site to be trusted by the search engine or the browser, i.e. the client, it should obtain an SSL/TLS certificate from one of the major certificate authorities or from the known CAs. You can also create your own certificate authority, but you then have to export/import its certificate often so that it is trusted by other servers and clients. Mostly, it's a pain in the back because you'll end up in frustration. I've done it before and then finally landed on using the popular certificate authorities (CAs), which should cover you for good. As far as I know, you can get free SSL certificates from Let's Encrypt and GoDaddy if you purchase any domain or hosting services from them.

SSL/TLS certificates are required to ensure secure communication over the internet. When a web client, i.e. your browser, establishes a connection to a web server using SSL/TLS, the client and server exchange keys to set up an encrypted channel to communicate over. Any data transmitted over this channel is encrypted and cannot be read by anyone else, even if they manage to intercept it. How cool is that, right? It's like you and your mama chatting in code words so your dad/brother won't understand it.

SSL/TLS certificates are used to protect sensitive data such as credit card numbers, login credentials, and personal information. As mentioned earlier, they are also used to establish trust between the web server and the web client. When a user sees the green padlock icon in their web browser, they know that the connection to the website is secure and that their data is being transmitted over an encrypted channel. Once you get the green padlock, the site is reachable over HTTPS (HTTP with an "s"), which means the connection is secured. HTTP and HTTPS are a whole new chapter, but just keep in mind that your connection is secured when you open HTTPS links/URLs.

Secured Padlock (image; Source credit: https://www.fiverr.com)

Here is an activity for you: check the certificate of this Medium URL. As mentioned in the previous section, always start with the padlock at the start of the URL.

Checklists 👇

[x] Check the padlock: does it say Secure or Not Secure?
[x] Click on the padlock to view the site information.
[x] Drill down into the Connection Details.
[x] Can you see a sign that the certificate is valid?
[x] You can go ahead and click on Show Certificate Details to check the detailed information of the certificate.
[x] Also, you can export the certificate in different formats based on your requirements. For this activity, export it in .cer format and rename the file extension from .cer to .crt, so it should look like certificate.crt.

Here comes the OpenSSL tool to help. To view the exported SSL/TLS certificate, use the OpenSSL commands below.

#Enter this OpenSSL Command in the Terminal
openssl x509 -in filepath/to/<certificate>.crt -text

#Example
openssl x509 -in /downloads/ssl_folder/certificate.crt -text

Once you look at the certificate details, you will see the properties below:

Subject: The subject of the SSL/TLS certificate is the entity that the certificate is issued to. It typically includes the common name (CN) of the web server and the domain it is used for, as well as the organization (O) and the organizational unit (OU) of the entity.

Issuer: The issuer of the SSL/TLS certificate is the certificate authority (CA) that issued the certificate. It typically includes the common name (CN) of the CA, as well as the organization (O) and the country of the CA.

Validity period: The validity period of the SSL/TLS certificate is the length of time for which the certificate is valid. It typically includes the start date and the end date of the period. It is a very important property. Most web servers or organizations set a validity of less than 365 days so that certificates get a routine check and stay secured/updated for audit.

Public key: The public key of the SSL/TLS certificate is the key that is used to encrypt data transmitted over the secure connection. It is paired with a private key that is used to decrypt the data. This, along with the certificate authority (CA) information, is the first and crucial piece of information the web server shares with the client to authenticate itself.

Signature algorithm: The signature algorithm of the SSL/TLS certificate is the algorithm that is used to sign the certificate and ensure its authenticity. Common signature algorithms include SHA-1 and SHA-256.

Key usage: The key usage of the SSL/TLS certificate specifies how the certificate can be used. It typically includes the purposes for which the certificate can be used, such as encryption, digital signatures, and certificate signing.
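To practise reading these properties without touching a real site, here is an added shell example (not code from the original article). It creates a throwaway self-signed certificate for the made-up hostname demo.example.test with the same OpenSSL tool, then pulls out the Subject, Issuer, validity dates and signature algorithm the way the command above does, and runs the expiry check a renewal job would run. The hostname, organization names and the 90-day lifetime are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original article. It builds a throwaway
# self-signed certificate for the made-up hostname demo.example.test and then
# reads back the properties listed above with the openssl x509 command.
set -eu

WORKDIR=$(mktemp -d)                 # scratch directory for the constructed key and cert
trap 'rm -rf "$WORKDIR"' EXIT        # clean up when the script exits

# make_demo_cert: create a self-signed certificate valid for 90 days.
# Self-signed means Subject and Issuer name the same entity: no CA was involved,
# so a browser would not trust it, but it is enough to practise reading fields.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 \
    -subj "/CN=demo.example.test/O=Demo Org/OU=IT" \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/certificate.crt" 2>/dev/null
  printf '%s\n' "$WORKDIR/certificate.crt"
}

# cert_subject_cn: the common name (CN) from the Subject field.
cert_subject_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_issuer_cn: the common name (CN) from the Issuer field.
cert_issuer_cn() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_is_self_signed: succeeds when Subject and Issuer are identical.
cert_is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  [ "$subj" = "$iss" ]
}

# cert_sig_algo: the signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_algo() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# cert_still_valid_in: succeeds if the certificate is still inside its validity
# period N days from now. A renewal cron job runs exactly this check so that a
# server is not caught by the "my servers are down every year" problem.
cert_still_valid_in() {
  cert="$1"; days="$2"
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}

CERT=$(make_demo_cert)

echo "Subject CN        : $(cert_subject_cn "$CERT")"
echo "Issuer CN         : $(cert_issuer_cn "$CERT")"
echo "Validity          :"; openssl x509 -in "$CERT" -noout -dates
echo "Signature algo    : $(cert_sig_algo "$CERT")"
if cert_is_self_signed "$CERT"; then echo "Self-signed       : yes (no CA involved)"; fi
if cert_still_valid_in "$CERT" 30; then echo "Valid in 30 days  : yes"; fi
if cert_still_valid_in "$CERT" 120; then echo "Valid in 120 days : yes"; else echo "Valid in 120 days : no, renew before then"; fi
```

The -noout flag suppresses the PEM blob so only the requested fields print, and -nameopt RFC2253 gives a stable comma-separated name layout that does not change between OpenSSL versions. For a certificate exported from a real site, swap the path in CERT for your own certificate.crt; the Issuer CN will then name the CA rather than the site itself, and cert_is_self_signed will fail, which is what you want.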

Now you have successfully exported and viewed the certificate. There is a lot more to cover on the OpenSSL tool, because it plays a major part in generating and converting SSL/TLS certificates locally. However, for today, this is more than enough to get you started with SSL/TLS certificates.

After this article, if you're interested in diving deeper — you can start googling Root CA, Intermediate CA, and the chain of trust, and also the different types of SSL/TLS certificates and which ones are the most used.

In addition to the above, there are a number of books that can help you learn the basics of SSL/TLS certificates. Some options include:

“SSL and TLS: Designing and Building Secure Systems” by Eric Rescorla: This book provides a comprehensive overview of the SSL and TLS protocols and covers the key concepts and design principles involved in building secure systems.

“SSL and TLS Essentials: Securing the Web” by Stephen A. Thomas: This book is a practical guide to SSL and TLS, providing an introduction to the technologies and covering key concepts such as certificate authorities, certificate chains, and key exchange algorithms.

“SSL and TLS: Theory and Practice” by Rolf Oppliger: This book provides a detailed technical overview of SSL and TLS, including an in-depth examination of the protocols and their underlying cryptographic foundations.

“Web Security: A Step-by-Step Reference Guide” by Lincoln D. Stein: This book provides an introduction to web security, including a chapter on SSL and TLS that covers the basics of how the technologies work and how to use them to secure web communications.

Any of these books should provide a good foundation for learning about SSL/TLS certificates and the role they play in securing web communications.

To conclude, SSL/TLS is a very interesting topic to discuss. I believe you must have taken something away from this article, and there is a lot more to explore. Moreover, I'm continuing to write articles related to SSL/TLS certificates, OpenSSL commands and how they are useful.

For now, thanks for reading!! If you enjoyed this article, please follow and subscribe for the latest updates. Looking for more? Check out the other articles below:


I am an Open-Source Enthusiast. I learned a lot from the Open-Source community and I love how collaboration, knowledge sharing happens through Open-Source!

Someshwaran M
