Server Certificates



Quick overview of commands (using Ubuntu Karmic Koala 9.10 server)


1. openssl genrsa -des3 -out server.key 1024
2. openssl req -new -key server.key -out server.csr




More information about certificates


One way of encrypting data exchanged between our client and server is by using public-key cryptography. This uses a public key and a private key: the data is encrypted using the public key and can then only be decrypted using the private key. Without the private key it is not possible to decrypt the information. This way we'll be able to encrypt our application traffic using SSL (Secure Sockets Layer) or TLS (Transport Layer Security).

The certificate will be used to distribute a public key and other information about our server and the company responsible for it. The certificate can be digitally signed by a CA (Certificate Authority); a CA is a trusted third party that has confirmed that all the information we provide in the certificate is accurate and legitimate.


Types of Certificates


To set up a secure server using public-key cryptography, we'll need to send the public key and proof of the company's identity, as well as payment, to a CA. Once the CA verifies the details they will send back a certificate. Otherwise we can create our own self-signed certificate.

Please note that using a self-signed certificate is not recommended for production environments, because the browser does not automatically accept the certificate and will prompt the user with a message saying that the certificate the website is sending was not issued by a trusted certificate authority. This is fine if you are encrypting data for, let's say, backend logons, but I'm sure you don't want your customers to get that message when going to the payment page; your website would look a bit dodgy. This happens because most browsers ship with a list of CAs whose certificates they accept automatically; if the CA that provided the certificate is not in that list (for example when you self-sign a certificate) the browser prompts the user with the warning. When using a certificate provided by a trusted CA, the CA is vouching for the identity of the company providing the pages to the end user's browser.


Generating a Certificate Signing Request (CSR)


The first step is to generate a key; this is needed even if you are self-signing your own certificate.


openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.....................++++++
.................++++++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for server.key:

It will prompt for a passphrase. For best security, it should contain at least eight characters. The minimum length when specifying -des3 is four characters. It should include numbers and/or punctuation and not be a dictionary word. One can generate the key without a passphrase, but this is highly discouraged: compromise of the key means compromise of the server.

Re-type the passphrase to verify you typed it correctly. Once this is done, the server key is generated and stored in the server.key file.


Creating a CSR


openssl req -new -key server.key -out server.csr

It will prompt you to enter the passphrase. If you enter the correct passphrase, it will prompt you to enter:

State / Province: Texas
City: Katy
Organization Name: Company Name goes here
Section Name: Sales
Common name: yourdomain.com
Email: email@yourdomain.com

Once you fill in all those details it will ask for a challenge password, and then the CSR is created and named server.csr.

You can now submit this CSR file to a CA for processing. The CA will use this CSR file to issue the certificate. Alternatively, you can create a self-signed certificate from this CSR.


Creating a Self-Signed Certificate


To create the self-signed certificate, run the following command at a terminal prompt:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt



The above command will prompt you to enter the passphrase. Once you enter the correct passphrase, your certificate will be created and it will be stored in the server.crt file.
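The whole sequence above (key, CSR, self-signed certificate) as one non-interactive script, together with the checks worth running before installing the files. This is an added example, not code from the original post: it assumes the openssl command-line tool is installed, uses a 2048-bit AES-256 protected key in place of the 1024-bit -des3 key above, and the passphrase and subject values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): the key -> CSR -> self-signed
# certificate sequence done non-interactively, plus checks to run before
# copying the files into /etc/ssl. Requires the openssl command-line tool.
# The passphrase is a constructed test value; override it via SERVER_KEY_PASS.
PASS="${SERVER_KEY_PASS:-constructed-test-passphrase}"

# Create server.key, server.csr and server.crt in DIR for common name CN,
# valid for DAYS days. Uses a 2048-bit RSA key protected with AES-256 (the
# post's 1024-bit -des3 key is below current minimums). -subj carries the
# CSR fields from the post so openssl never prompts.
make_self_signed() {
    dir="$1"; cn="$2"; days="$3"
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$dir/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/server.key" -passin "pass:$PASS" \
        -subj "/ST=Texas/L=Katy/O=Company Name goes here/OU=Sales/CN=$cn/emailAddress=email@$cn" \
        -out "$dir/server.csr" &&
    openssl x509 -req -days "$days" -in "$dir/server.csr" -signkey "$dir/server.key" \
        -passin "pass:$PASS" -out "$dir/server.crt" 2>/dev/null
}

# Succeeds only if the public key inside CERT is the one derived from KEY.
# A mismatched pair is a common reason the web server refuses to start.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -passin "pass:$PASS" -pubout)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds if CERT validates with itself as the only trust anchor, which is
# what a browser would have to be told to do for a self-signed certificate.
cert_is_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Succeeds if the subject Common Name of CERT is CN (matches both the
# "CN=..." and "CN = ..." subject formats printed by different versions).
cert_has_cn() {
    openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2"
}

# Succeeds if CERT is still valid DAYS from now (-checkend wants seconds).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

Source the file, then call make_self_signed "$(mktemp -d)" yourdomain.com 365 and run the four checks against the resulting server.crt and server.key.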



Installing the Certificate


cp server.crt /etc/ssl/certs
cp server.key /etc/ssl/private

