KEYS AND SSL CERTIFICATES
PRIVATE KEYS, PUBLIC KEYS AND SSL CERTIFICATES
Earlier today, while configuring a bare-metal server, I found myself in the unforgiving shackles of misconfigured SSL. It took three cups of coffee and 2 hours to fix the issue! This left me thinking: I never quite understood, in depth, the intricacies of SSL certificates. The result of this realization… well, here we are.
According to ChatGPT, a Secure Sockets Layer (SSL) certificate is a digital certificate that provides authentication for a website and enables an encrypted connection between the web server and a user’s browser. The SSL protocol is commonly used to secure data transfer, credit card transactions, login credentials, and other sensitive information.
We can break that down into two main functions: data encryption and authentication. What does that mean? The browser and the website exchange two keys. When a user wants to communicate with the website (e.g. log into an account, purchase a product, post a comment), the browser creates a message and locks it. This message can ONLY be unlocked with the key the website holds; no other party can unlock it. That matters because the message travels across the internet, hopping through routers and computers belonging to good guys, bad guys and hacker wannabes alike.
This raises two questions: how do I know a website has SSL, and how can I get one for my website? The former is easy: look for the lock icon in the address bar.
To get an SSL certificate for your website, you submit a Certificate Signing Request (CSR) to a CA. More confusing terms! I will explain them in a second.
A Certificate Signing Request (CSR) is like a written application for a digital ID card. When you need a secure website with a lock icon in the address bar, you need to prove you’re the rightful owner (authentication). A CSR is your way of officially requesting this digital ID.
Similar to submitting your ID application to the government, you send the CSR to a special security company called a “Certificate Authority” (CA). The CA checks your information and confirms you’re the true website owner. They then sign the request, digitally vouching for your identity.
With the CA’s signature, you receive your actual digital ID card called a “certificate.” This certificate proves your website’s legitimacy and enables secure connections.
How exactly do SSL certificates encrypt data during transit?
Imagine you have a special mailbox with two locks:
- Public lock: Anyone can open this lock and put a letter inside (data). This represents the public key. It’s shared with everyone who wants to send you something securely.
- Private lock: Only you have the key to open this lock. This represents the private key. It’s a secret you keep hidden and never share.
An SSL, or Secure Sockets Layer, uses these locks to create a secret tunnel for information to travel safely online. Here’s how it works:
- Someone wants to send you a message (data):
  - They take their message and lock it using your public key.
- The locked message travels through the internet:
  - Even if someone intercepts the message, they can’t read it because it’s locked with your public key.
- The message arrives at your website:
  - Only you can unlock the message using your private key.
So, the public key lets anyone send you a secret message, but only you can read it with your private key. This creates a secure tunnel for information to travel online, like sending confidential documents or credit card information through the Internet.
Think of the SSL as a guard who checks incoming packages (data). Only packages locked with your public key are allowed in, and only you can open them with your private key. This keeps everything safe and confidential!
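The mailbox analogy acted out with the openssl command line, as an added example that is not part of the original post. It assumes openssl 1.1.1 or newer is installed; the message text and the file names are constructed for the demo. Anyone holding the public key can lock a letter, only the private key unlocks it, and an interceptor who captures the locked letter (and even has the public key) gets nothing.

```shell
#!/bin/sh
# Added example that acts out the mailbox analogy with the openssl CLI;
# it is not from the post. Assumes openssl 1.1.1 or newer is installed.
# The message text and file paths are constructed for the demo.
set -eu

DIR="${DIR:-$(mktemp -d)}"
PRIV="$DIR/site.key"   # key to the private lock: stays with the site owner
PUB="$DIR/site.pub"    # the public lock: handed out to anyone

# Create the key pair and publish only the public half.
make_mailbox() {
    openssl genrsa -out "$PRIV" 2048 2>/dev/null
    openssl pkey -in "$PRIV" -pubout -out "$PUB"
}

# Sender: lock a message with nothing but the public key.
# RSA-OAEP padding is used; raw RSA without padding is unsafe.
lock_message() {   # $1 = plaintext, $2 = output file
    printf '%s' "$1" | openssl pkeyutl -encrypt -pubin -inkey "$PUB" \
        -pkeyopt rsa_padding_mode:oaep -out "$2"
}

# Recipient: unlock with the private key and print the plaintext.
unlock_message() {  # $1 = ciphertext file
    openssl pkeyutl -decrypt -inkey "$PRIV" -pkeyopt rsa_padding_mode:oaep -in "$1"
}

# Interceptor's view, part 1: the bytes on the wire do not contain the text.
ciphertext_hides_plaintext() {  # $1 = plaintext, $2 = ciphertext file
    ! grep -aqF -- "$1" "$2"
}

# Interceptor's view, part 2: holding only the public lock, decryption is
# rejected. Returns 0 when openssl refuses, which is the expected outcome.
interceptor_is_locked_out() {  # $1 = ciphertext file
    ! openssl pkeyutl -decrypt -pubin -inkey "$PUB" -in "$1" >/dev/null 2>&1
}

main() {
    make_mailbox
    msg="login for alice, session token 7f3a"   # constructed sample message
    lock_message "$msg" "$DIR/letter.bin"
    echo "recipient reads: $(unlock_message "$DIR/letter.bin")"
    ciphertext_hides_plaintext "$msg" "$DIR/letter.bin" && echo "wire bytes hide the text"
    interceptor_is_locked_out "$DIR/letter.bin" && echo "public key alone cannot unlock"
}
main
```

One caveat on the analogy: a real TLS connection uses the certificate's key pair only during the handshake, to authenticate the server and agree on a session key; the page content itself is then protected with symmetric encryption, which is far faster than encrypting every byte with RSA as this demo does.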
We’ve mentioned keys and SSL certificates; how do the three pieces, the Certificate Signing Request (CSR), the private key, and the SSL certificate, fit together?
To understand that, let’s go back to the process of obtaining an SSL certificate. Step one would be to send a Certificate Signing Request (CSR) to a Certificate Authority (CA). How do you do that? You run a command from your server. A sample command to request a certificate from DigiCert (a CA) is shown below.
The command performs the following tasks:
- Generating a private key: First, you create a secret password-protected “key” on your server. This is your private key, and it’s crucial for the entire process. You never share this key with anyone.
- Creating a CSR: Using the private key, you generate a Certificate Signing Request (CSR). This CSR is then submitted to the CA.
The CA will then verify your information and, if everything checks out, they issue a signed digital ID called an SSL certificate. This certificate is essentially a public document vouching for your website’s authenticity and encryption capabilities.
Finally, you install the certificate on your web server, linking it with your private key. This completes the puzzle! Installing the certificate is not as complicated as it might sound: it involves copying the certificate text into a file with a .crt extension and then adding the path to the Nginx configuration file. Here’s an example of an Nginx configuration file:
Below is an example of an SSL certificate.
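The whole procedure above, private key, CSR, certificate and Nginx installation, as an added example that is not the post's own DigiCert command, certificate or configuration. It uses the openssl command line and assumes openssl 1.1.1 or newer is installed; example.com, the organisation name and every file path are constructed placeholders. Because no CA is reachable offline, the script stands in for the CA by self-signing the CSR, then performs the check that a misconfigured server usually fails: the private key, the CSR and the certificate must all carry the same public key.

```shell
#!/bin/sh
# Added example, not the post's own DigiCert command: walk the steps above
# with the openssl CLI, then verify that private key, CSR and certificate
# all carry the same public key before handing them to nginx.
# Assumptions: openssl 1.1.1 or newer is installed; example.com, the
# organisation name and all file paths are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/example.com.key"
CSR="$WORKDIR/example.com.csr"
CRT="$WORKDIR/example.com.crt"
CONF="$WORKDIR/example.com.conf"

# Step 1: the private key. It stays on the server and is never shared.
# Adding -aes256 would give it the passphrase the post mentions; it is
# left out so the script runs unattended.
gen_private_key() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    chmod 600 "$KEY"
}

# Step 2: the CSR, signed with the private key. It carries the public key
# and the identity being claimed (CN plus Subject Alternative Names).
gen_csr() {
    openssl req -new -key "$KEY" \
        -subj "/CN=example.com/O=Example Org" \
        -addext "subjectAltName=DNS:example.com,DNS:www.example.com" \
        -out "$CSR"
}

# Step 3: in production the CA verifies you and signs the CSR. To stay
# runnable offline we stand in for the CA and self-sign; browsers will not
# trust the result, but the file format is identical.
self_sign_cert() {
    openssl x509 -req -in "$CSR" -signkey "$KEY" -days 30 -out "$CRT" 2>/dev/null
}

# Step 4: install. nginx needs the certificate (with any CA intermediate
# certificates appended after it) and the matching private key.
write_nginx_snippet() {
    cat > "$CONF" <<EOF
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate     $CRT;
    ssl_certificate_key $KEY;
}
EOF
}

# SHA-256 of the public key as each artefact presents it.
pubkey_sha256() {   # $1 is one of: key csr crt
    case "$1" in
        key) openssl pkey -in "$KEY" -pubout ;;
        csr) openssl req  -in "$CSR" -noout -pubkey ;;
        crt) openssl x509 -in "$CRT" -noout -pubkey ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# The check a misconfigured server usually fails: all three digests agree.
# When they do not, nginx refuses to start with OpenSSL's
# "key values mismatch" error.
keys_match() {
    k=$(pubkey_sha256 key)
    [ "$k" = "$(pubkey_sha256 csr)" ] && [ "$k" = "$(pubkey_sha256 crt)" ]
}

main() {
    gen_private_key
    gen_csr
    self_sign_cert
    write_nginx_snippet
    if keys_match; then
        echo "key, CSR and certificate match"
    else
        echo "MISMATCH: key, CSR and certificate disagree" >&2
        exit 1
    fi
    # What the issued certificate looks like: who it names, who signed it,
    # and how long it is valid.
    openssl x509 -in "$CRT" -noout -subject -issuer -dates
}
main
```

With a real CA the certificate file would be the one the CA returns (plus its intermediate chain) rather than the self-signed stand-in, but the matching check is the same, and running `nginx -t` after editing the configuration catches a mismatch before a reload takes the site down.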
The private key is the foundation, encrypting information and signing the CSR. The CSR acts as your official request for verification, signed by the private key. The SSL certificate is the trusted digital ID you receive after verification, enabling secure connections on your website.
If you’ve worked with cloud servers before, you might have come across private and public keys. By now you’re asking yourself: what’s the difference between those two keys and the ones I have referenced above?
The private and public keys used for SSL and SSH connections are fundamentally the same concept, but they serve different purposes and have distinct applications. Here’s a breakdown:
Similarities:
- Both involve generating a pair of keys: a private key kept secret and a public key that can be shared openly.
- Both keys use asymmetric cryptography, where the private key can decrypt data encrypted with the public key, and vice versa. This ensures only the intended recipient can access the information.
- Both offer a secure way to authenticate and establish encrypted connections.
Differences:
1. Purpose:
   - SSL: Secures communication between a web browser and a web server, protecting data like login credentials and financial information.
   - SSH: Provides secure remote access to a computer system over a network.
2. Key generation:
   - SSL: Key generation often happens automatically when obtaining an SSL certificate from a Certificate Authority (CA).
   - SSH: Users typically generate their own key pair using dedicated tools like ssh-keygen.
3. Key distribution:
   - SSL: The public key is embedded within the SSL certificate and shared with anyone accessing the website.
   - SSH: The public key is added to the authorized_keys file on the remote server to grant access to specific users.
In essence, both SSL and SSH utilize the power of private and public keys to establish secure connections but in different contexts. SSL focuses on web communication, while SSH facilitates secure remote access to systems.
What is all this business with keys, can’t we just use passwords?
The internet is made up of billions of computers. These computers and the services running on them communicate with each other, exchanging public and private data. Examples of private data are your login credentials, credit card information, a login to a remote server or a private email. Examples of public information are advertisements, APIs, public-facing social media pages, etc. For sending private data we need a secure way of exchanging it. We use different protocols for communication: HTTP/HTTPS, WebSockets, SSH, FTP, SMTP, RPC, etc.
Some protocols have rules that ensure data is encrypted in transit using tools such as SSL or TLS. Others, such as Telnet, send data unencrypted.
Using a username and password can work in conditions that do not require the highest level of security. When you want to log in to a server hosting a business-critical database or application, plain username-and-password authentication will not suffice from a security standpoint; you need a stronger authentication method, hence the use of keys.
Keys use asymmetric cryptography, which involves a pair of mathematically linked keys: a public key and a private key. The public key is used to encrypt data, while the private key is used to decrypt it. This makes it much more difficult for attackers to crack the encryption and steal your data, compared to a password which can be brute-forced or leaked through phishing attacks.
I hope this article helped you understand SSL certificates and keys.
That’s it for today. I hope you and your loved ones are keeping safe.