Discuss Generating a Digital Certificate Using OpenSSL.
Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), both commonly referred to as SSL, are cryptographic protocols that provide secure communication over the internet. Many websites use TLS to secure the communication between the server and the client that is trying to access the data.
TLS is a proposed standard of the IETF (Internet Engineering Task Force), first defined in 1999 and later updated in 2008 as RFC 5246 and again in 2011 as RFC 6176. The standard is based on the SSL specification.
The TLS protocol has the following objectives and goals.
The TLS protocol benefits client-server communication by preventing tampering and eavesdropping.
When the server and client communicate through the TLS security protocol, they gain the following properties.
Netcraft monitors active TLS certificates and, according to it, the leading certificate authority in this domain is Symantec.
When TLS certificates are installed, the protocol is implemented on top of a transport layer protocol and encrypts the data of application protocols such as FTP, HTTP, XMPP and NNTP.
The primary use and benefit of the TLS protocol is securing World Wide Web traffic between the web browser and the website, which is carried over HTTP.
Digital certificates created as of 2016 can be installed with the latest versions, such as TLS 1.0, 1.1 and 1.2. The protocol can be enabled and used in several browsers, as follows.
Many libraries support TLS or SSL, including the following.
Digital certificates can provide protection from the following attacks on SSL or TLS.
Forward secrecy is an important property of a cryptographic system. It ensures that a session key derived from a combination of private and public keys is not compromised even if one of the private keys is compromised in the future.
Client-server communication can take place with or without TLS. For security, however, the client asks the server to set up a TLS connection. The client can do this in two ways: by using a port number designated for TLS connections, or by using a protocol-specific mechanism. If the server is able to set up a TLS connection, the server and client start negotiating a stateful connection through a procedure called the handshake. During the handshake, the client and server agree on the following parameters.
The handshake concludes with a secured connection, which continues until the connection ends. The connection is not created if the TLS handshake fails at any of the steps above.
The basic component of TLS is the certificate, specifically the digital certificate.
The objective of a digital certificate is to certify ownership of a public key by the subject named in the certificate. A digital certificate is also called a public key certificate. It is an electronic document that attests to the validity and ownership of the public key.
The digital certificate or public key certificate contains the information,
Once the signature is proved valid, the person examining the certificate trusts the signer, and the key is then used for communication.
Here, the signer is typically a certificate authority (CA), most often a company that validates the applicant company and issues the certificate to it. The signer can also be the owner of the key, as in a typical self-signed certificate, or other users whose endorsements the examiner trusts upon verification and validation.
In this model, the trust relationship is expressed in terms of the certificate authority as a trusted third party. It is trusted both by the party that relies on the certificate and by the owner or subject of the certificate.
The contents of a typical digital certificate are the following key points.
Digital certificates are usually installed for commonly used websites that are based on HTTPS. Security is provided by verifying and validating the TLS web server. The digital certificate ensures the security of the website by confirming that the website is the one it claims to be and that there are no eavesdroppers. This security is a mandatory feature of electronic commerce websites.
Any entity or individual can obtain a digital certificate for their own website by applying to an issuer that provides certificates. Typically, the issuers are certificate authorities, which are commercial certificate retailers. The applicant has to provide basic information about the website and preferably details of the entity or business, such as the name of the website, a contact email address, detailed information about the company and the public key. The private key should not be sent, as there can be related issues with the server. The certificate provider then verifies all the information provided by the applicant, signs the request and provides the public certificate. During web browsing, the public certificate issued to the entity is served to the browser that connects to the website, and the certificate proves to the web browser that the provider believes it has issued the certificate to the real and truthful website owner.
The digital certificates can be validated at various levels.
OpenSSL is a software library for applications that need to protect their communication and to ascertain the identity of the party at the other end. It is widely used by web servers on the internet. OpenSSL is open source and available free of cost, so any organization or individual can implement the SSL and TLS protocols. The library is written in the C programming language and implements the basic cryptographic functions along with many utility functions.
OpenSSL is widely available for operating systems, especially UNIX-based and UNIX-like systems such as Mac OS X, Linux and Solaris. OpenSSL supports many cryptographic algorithms, such as ciphers, public-key cryptography and cryptographic hash functions.
The digital certificates can be created using many kinds of tools, like OpenSSL.
Generating the Digital Certificate
This task is about requesting a digital certificate from the certificate authority. The task is much the same for the server and the client; the difference is in the values specified.
Consider a company called XYZ, an organization that has applied to become a certificate authority. Initially, XYZ sends a certificate request to a CA to have it signed, so that XYZ itself becomes a CA. After XYZ becomes a certificate authority, it can start issuing digital certificates to the servers and clients on its networks. The certificates generated by XYZ are regarded as site-signed certificates.
Even individuals can generate these certificates to secure their personal network requirements.
If the option -nodes is added to the OpenSSL command during creation of the digital certificate request, OpenSSL prompts for the necessary password before access to the private key is allowed.
The digital certificates are then generated using OpenSSL commands on UNIX, with the values and arguments supplied to those commands.
A self-signed certificate, such as a root CA digital certificate, is a digital certificate signed with the private key that corresponds to the public key present in the certificate. Except for root CAs, digital certificates are usually signed with a private key that corresponds to the public key of another certificate authority.
The digital certificate that is generated can be checked with the help of the command,
OpenSSL> x509 -text -in filename.pem
Finally, the generated digital certificate contains the data collected for generating the digital signature, the certificate timestamps and other necessary information. However, the generated digital certificate is unreadable, as it is encoded in the PEM format.
After digital certificates have been created for the server, the CA and, optionally, the client, the OpenSSL client application has to be told which certificate authority or authorities it trusts. This list is called the trust list. If the client application needs to trust only one CA, the file name of that CA's digital certificate is specified; for more than one, the file has to contain the digital certificates of all the CAs that the client application is to trust. The CA certificates can be primary, root or intermediate certificates, and they can be added to the file in any order. The list can be created manually.
OpenSSL usually returns .pem files, while CAs return .crt files. Irrespective of the extension, the certificate authority files can be concatenated together instead of being cut and pasted manually. For example, a primary certificate, a root authority certificate and an authority certificate file can all be concatenated into a single PEM file.
These files can be placed in any order.
Since digital certificates are unreadable because of their encoding, the file contents can be viewed through the OpenSSL commands for the respective file types.
If digital certificate files are stored in the DER format, they must be converted into the PEM format.
Servers and clients validate each other's digital certificates after exchanging them. The CA certificates required to validate the server certificate make up the trust chain, because validating the server certificate requires every CA certificate in the trust chain to be available. These files can be kept as individual files or combined into a single file, all in one OpenSSL directory.
Certificates signed by a recognized CA can be verified with an OpenSSL command. If the OpenSSL installation recognizes the certificate or its signing authority and everything checks out, such as the signing chain and the dates, it simply displays an OK message.
Finally, OpenSSL can be exited with the quit command at the command prompt.
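The procedure described above, run end to end from a shell, as an added example that is not part of the original page: a root CA for XYZ, a server certificate signed by it, DER to PEM conversion, a trust list and verification. The function names, `demo.cnf`, the host name `www.xyz.example` and the 30-day validity are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example with constructed names: XYZ root CA -> server certificate ->
# trust list -> verification. genrsa writes the keys unencrypted so the script
# runs without prompts; a real CA key needs stronger protection.

make_chain() (   # $1 = empty working directory; prints the openssl verify verdict
    cd "$1" &&
    cat > demo.cnf <<'EOF' &&
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = XYZ
CN = XYZ Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # 1. Root CA: private key plus a self-signed certificate marked CA:TRUE.
    openssl genrsa -out ca.key 2048 2>/dev/null &&
    openssl req -x509 -new -key ca.key -config demo.cnf -sha256 -days 30 -out ca.pem &&
    # 2. Server: private key and certificate request; only the request goes to the CA.
    openssl genrsa -out server.key 2048 2>/dev/null &&
    openssl req -new -key server.key -config demo.cnf \
        -subj "/O=XYZ/CN=www.xyz.example" -out server.csr &&
    # 3. The CA signs the request; issued as DER here to show the DER -> PEM step.
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -sha256 -days 30 -outform DER -out server.der 2>/dev/null &&
    openssl x509 -inform DER -in server.der -outform PEM -out server.pem &&
    # 4. Trust list: every trusted CA certificate concatenated into one PEM file.
    cat ca.pem > trust.pem &&
    # 5. Validate the server certificate against the trust list.
    openssl verify -CAfile trust.pem server.pem
)

untrusted_ca_rejected() (   # $1 = directory filled by make_chain; succeeds if verify fails
    cd "$1" &&
    openssl genrsa -out other.key 2048 2>/dev/null &&
    openssl req -x509 -new -key other.key -config demo.cnf -days 30 -out other.pem &&
    ! openssl verify -CAfile other.pem server.pem >/dev/null 2>&1
)

workdir=$(mktemp -d)
make_chain "$workdir"
untrusted_ca_rejected "$workdir" && echo "same CA name, different key: rejected"
openssl x509 -noout -subject -issuer -dates -in "$workdir/server.pem"
rm -rf "$workdir"
```

The second function shows why the trust list matters: a CA certificate carrying the same name but a different key does not validate the server certificate.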
Conclusion
Digital certificates are the means of providing safe web traffic for websites. They can be created by very large organizations or by a single individual to protect the web traffic to their websites. Digital certificates are associated with the SSL and TLS protocols, which are widely used to protect the communication and interaction between server and client. OpenSSL is one of the easier and more economical ways to generate digital certificates for a website.