TLS/SSL Review - PowerPoint PPT Presentation

1 / 18
About This Presentation
Title:

TLS/SSL Review

Description:

TLS/SSL Review Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent and secure ... – PowerPoint PPT presentation

Number of Views:222
Avg rating:3.0/5.0
Slides: 19
Provided by: Mariaj433
Category:
Tags: ssl | tls | openssl | review

less

Transcript and Presenter's Notes

Title: TLS/SSL Review


1
TLS/SSL Review
2
Transport Layer SecurityA 30-second history
  • Secure Sockets Layer was developed by Netscape in
    1994 as a
  • protocol which permitted persistent and secure
    transactions. In
  • 1997 an Open Source version of Netscapes
    patented version
  • was created, which is now OpenSSL. In 1999 the
    existing
  • protocol was extended by a version now known as
    Transport
  • Layer Security (TLS). By convention, the term
    "SSL" is used
  • even when technically the TLS protocol is being
    used.

3
TLS Server Certificate
  • Authentication
  • Server and/or client identity is verified via
    certificate.
  • Privacy
  • Data is encrypted with block cipher
  • Cipher key is exchanged via public key

4
TLS Server Certificate Verification
  • The client browser recognizes the Certificate
    Authority and thus verifies the authenticity of
    the connection.

5
Failed Verification
  • If there is a conflict between the name on the
    certificate and the name of the server, the
    browser pops up a Domain Name Mismatch notice,
    allowing the user to decide whether to continue.

6
Cert Request CSR
  • CSR Certificate Signing Request
  • It contains
  • Information about the organization (organization
    name, country, etc...)
  • Web Server's public key
  • A unique mathematical match to server's private
    key .

7
Cert Request CSR (cont.)
  • Lets Create one

8
Cert Request
  • Go to http//security.sdsu.edu/services/ssl/
  • Common Name ricardoserver.sdsu.edu
  • Server software
  • Certificate Term 1,2, or 3 years
  • CSR 2048-bit CSR
  • Pass-phrase (Dont use)

9
Cert Request
10
Cert Request Type
Certificate Type Description Purpose
Single domain (Incommon SSL Certificate) SSL certificate protects a single domain e.g. www.sdsu.edu.  These are the "traditional" SSL certificates that have been in use since the advent of the SSL protocol.
Multiple domain (Incommon Multi-domain SSL certificate) A multiple domain certificate allows you protect multiple host names with a single SSL certificate.  These are also known as SAN (Subject Alternative Name) certificates.   Up to 100 domain names can be included in a multi-domain certificate.  These certificates are often used on a single servers hosting many web sites to eliminate the need to use unique IP addresses for each web site e.g. www.sdsu.edu and www.ba.sdsu.edu. 
11
Cert Request Type (cont.)
Certificate Type Description Purpose
Wildcard (Incommon wildcard SSL certificate) A wildcard certificate protects a domain and unlimited subdomains of that domain e.g. (not used for sdsu.edu) 
UCC Exchange (Incommon Unified Communications Certificate)  A unified communications certificate allows you to protect multiple host names with a single SSL certificate.  Specifically designed for Microsoft Exchange and Microsoft Office Communications Server.  Newer versions of Microsoft products will work with multi-domain certificates.
12
Cert Request Type (cont.)
Certificate Type Description Purpose
Extended validation single domain (Comodo EV SGC SSL certificate) An Extended Validation certificate protects a single domain e.g. my.sdsu.edu.  However, the certificate is issued according to a specific set of identity verification criteria. Certificates issued by a CA under the EV guidelines are not structurally different from other certificates but are designated with a CA-specific policy identifier so that EV-aware software (browsers) can recognize them and display the "green bar". 
Extended validation multiple domain (Comodo EV multi-domain SSL certificate)  See above, except this certificate can protect multiple domains.  
13
Cert Request Email
  • Hello,You have successfully enrolled for an
    InCommon SSL certificate.You now need to
    complete the following steps    Click the
    following link to download your SSL certificate
    (generally try to use a version that includes
    intermediates root or your certificate may be
    rejected by some older clients)    Format(s)
    most suitable for your server software       as
    X509 Certificate only, Base64 encoded https//cer
    t-manager.com/customer/InCommon/ssl?actiondownloa
    dsslIdxxxxformatx509CO       as X509
    Intermediates/root only, Base64
    encoded https//cert-manager.com/customer/InCommo
    n/ssl?actiondownloadsslIdxxxxformatx509IO 
         as X509 Intermediates/root only Reverse,
    Base64 encoded https//cert-manager.com/customer/
    InCommon/ssl?actiondownloadsslIdxxxxxformatx5
    09IOR    Other available formats       as
    PKCS7 Base64 encoded https//cert-manager.com/cu
    stomer/InCommon/ssl?actiondownloadsslIdxxxxxxf
    ormatbase64       as PKCS7 Bin
    encoded https//cert-manager.com/customer/InCommo
    n/ssl?actiondownloadsslIdxxxxxformatbin   
       as X509, Base64 encoded https//cert-manager.c
    om/customer/InCommon/ssl?actiondownloadsslIdxxx
    xxxformatx509   

14
Cert Request Email
  • Which File to download?
  • X509 Certificate only, Base64 encodedThis file
    contains only your domain/entity certificate and
    is commonly used with Apache-based systems
    (Apache Directive SSLCertificateFile), Tomcat
    and Oracle Wallet Manager.
  • X509 Intermediates/root only, Base64 encodedThis
    file includes only the Root and Intermediate CA
    certificates (in order) for your domain/entity
    certificate.
  • X509 Intermediates/root only (Reverse), Base64
    encodedThis file contains only the
    Intermediate(s) and Root CA certificates (in
    reverse order) and is commonly used with
    Apache-based systems (Apache2 Directive
    SSLCertificateChainfile). This file is also known
    as a 'CA Bundle' or 'Certificate Chain
    File'. Other available formats
  • PKCS7 Base64 encoded
  • PKCS7 Bin encodedPKCS7 is commonly used with
    IIS 5.x and later. This file contains the Root,
    Intermediate(s) and your certificate all rolled
    into a single file.
  • X509, Base64 encodedThis file typically includes
    (in order) Root, Intermediate(s) and your
    certificate.

15
Cert Request Email
  • PKCS7 vs. X509?
  • PKCS7 is a cryptography standard published by
    RSA Security in 1993 that deals with data that
    has cryptography applied to it. Its a standard
    for how to package data securely. PKCS7
    references the X.509 standard, as the source for
    certificate formatting.
  • X.509 is a wide ranging security standards
    document published in 1998 which includes amongst
    other things, certificate file formats.
  • X.509 specifies that certificates should be
    encoded using the Distinguished Encoding Rules of
    the ASN.1 (documented in the X.208 and now X.608)
    standard, first published in 1984.
  • So, DER says how to encode some strings and
    numeric source data into a binary format, X.509
    says which data needs to go into a digital
    certificate, and PKCS7 says how that certificate
    should be used, to digitally sign a message.

16
SSL Cert Install
  • Add to httpd.conf
  • SSLEngine on
  • SSLCertificateKeyFile /etc/ssl/ssl.key/server.key
  • SSLCertificateFile /etc/ssl/ssl.crt/yourDomainName
    .crt
  • SSLCertificateChainFile /etc/ssl/ssl.crt/yourDomai
    nName.ca-bundle
  • Restart apache

17
SSL Cert Expr. Monitoring
  • Nagios
  • Bash Script http//prefetch.net/code/ssl-cert-ch
    eck

18
SSL Cert
  • Thank you
  • Questions
  • Email me at rfitipal_at_mail.sdsu.edu
Write a Comment
User Comments (0)
About PowerShow.com