I got interested in security certificates. What are these? How does it work? It is possible to use it on your own website? Those were my questions.
The principle is somewhat confusing, but is works. The idea is that a security certificate exists of two elements. One element is a so-called private key. This private key rests with the webserver and it is used to decrypt a message that is sent to the server. Likewise, it encrypts the message that is sent by the server. The private key is also used to generate a public key. This public key is sent to any browser. The browser is then able to do the opposite; it is able to encrypt a message sent to the server and decrypt the message received. The result is that encrypted traffic can be exchanged between browser and webserver.
In a sequence, one gets:
[1]: the browsers requests a secure page via https://…
[2]: the webserver sends the public key to the browser with the signed certificate
[3]: the browser checks the certificate. If the certificate cannot be correctly identified, the browser issues a warning. If one creates the certificates yourself, you get such a warning.
[4]: the browser uses the public key to encrypt the url that is asked
[5]: the webserver uses the private key to decrypt the url.
[6]: the webserver encrypts the page that is sent to the browser
[7]: the browser decrypts the page that is recieved.
One may buy a set of certificates, but is more fun to create a set of certificates oneself.
To do so, one needs an opensource software programme “openssl”. It is available for free. But I must admit, I had to search for it. It was not really easy to find. Maybe, it help in you know the exact name; in my case it was openssl-0.9.8h-1-setup.exe.
The programme is meant to be used in Linux. There are windows versions, but then one should then set a parameter: set OPENSSL_CONF=C:\Program Files\GnuWin32\share\openssl.cnf, in my case. It depends of course on where the config file resides.
The creation of the the private file is then done with a series of commands:
openssl genrsa -des3 -out tom.key 2048 #generate private key openssl req -new -key tom.key -out tom.csr #generates signing request copy tom.key tom.key.orig openssl rsa -in tom.key.orig -out tom.key #write rsa key, private signed key
Subsequently, the public key is generated with:
openssl x509 -req -days 365 -in tom.csr -signkey tom.key -out tom.crt #delivers public signed key
But, how do we apply these certificates to the webserver. Somehow, we must tell the webserver that such certificates exist. I now use nginx as webserver and this is how my config file looks like:
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
server {
listen 80;
server_name 192.168.5.14;
return https://$server_name$request_uri;
}
# HTTPS server
#
#
server {
listen 443 ssl;
server_name 192.168.5.14;
ssl_certificate tom.crt;
ssl_certificate_key tom.key;
location / {
root html;
index index.html index.htm;
error_page 404 /404.html;
}
location ~ .php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME c:/nginx/html/$fastcgi_script_name;
include fastcgi_params;
}
}
}
I would say that this config file looks rather straightforward. In the first part, any request is translated into an https request. In the second part, you see that the certificates are shown to the server.