A common use for public-key cryptography is encrypting application traffic using a Secure Socket Layer (SSL) or Transport Layer Security (TLS) connection. For example, configuring Apache to provide HTTPS, the HTTP protocol over SSL. This allows a way to encrypt traffic using a protocol that does not itself provide encryption.
A Certificate is a method used to distribute a public key and other information about a server and the organization who is responsible for it. Certificates can be digitally signed by a Certificate Authority or CA. A CA is a trusted third party that has confirmed that the information contained in the certificate is accurate.
Browsers (usually) automatically recognize the certificate
and allow a secure connection to be made without prompting
When a CA issues a signed certificate, it is
guaranteeing the identity of the organization that is
providing the web pages to the browser.
The process of getting a certificate from a CA is fairly easy. A quick overview is as follows:
Create a private and public encryption key pair.
Create a certificate request based on the public key. The
certificate request contains information about your server and the
company hosting it.
Send the certificate request, along with documents proving your
identity, to a CA. We cannot tell you which certificate authority to
choose. Your decision may be based on your past experiences, or on the
experiences of your friends or colleagues, or purely on monetary
Once you have decided upon a CA, you need to follow the instructions they provide on how to obtain a certificate from them.
When the CA is satisfied that you are indeed who you claim to be,
they send you a digital certificate.
Install this certificate on your secure server, and configure the appropriate applications
to use the certificate.
To generate the keys for the Certificate Signing Request (CSR) run the following command from a terminal prompt:
openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus .....................++++++ .................++++++ unable to write 'random state' e is 65537 (0x10001) Enter pass phrase for server.key:You can now enter your passphrase. For best security, it should at least contain eight characters. The minimum length when specifying -des3 is four characters. It should include numbers and/or punctuation and not be a word in a dictionary. Also remember that your passphrase is case-sensitive.
Re-type the passphrase to verify. Once you have re-typed it correctly, the server key is generated and stored in the
You can also run your secure service without a passphrase.
This is convenient because you will not need to enter the
passphrase every time you start your secure service. But it
is highly insecure and a compromise of the key means a
compromise of the server as well.
openssl rsa -in server.key -out server.key.insecureOnce you run the above command, the insecure key will be stored in the
server.key.insecurefile. You can use this file to generate the CSR without passphrase.
To create the CSR, run the following command at a terminal prompt:
openssl req -new -key server.key -out server.csrIt will prompt you enter the passphrase. If you enter the correct passphrase, it will prompt you to enter Company Name, Once you enter all these details, your CSR will be created and it will be stored in the
server.csrfile. Site Name, Email Id, etc.
You can now submit this CSR file to a CA for processing. The CA will use this CSR file and issue the certificate. On the other hand, you can create self-signed certificate using this CSR.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crtThe above command will prompt you to enter the passphrase. Once you enter the correct passphrase, your certificate will be created and it will be stored in the
If your secure server is to be used in a production environment, you
probably need a CA-signed certificate. It is not
recommended to use self-signed certificate.
server.keyand certificate file
server.crt, or the certificate file issued by your CA, by running following commands at a terminal prompt:
sudo cp server.crt /etc/ssl/certs sudo cp server.key /etc/ssl/privateNow simply configure any applications, with the ability to use public-key cryptography, to use the certificate and key files. For example, Apache can provide HTTPS, Dovecot can provide IMAPS and POP3S, etc.