Menu
Before using a ssl sertificate between a service that I will be hosting on my local network I will like to understand a little more about it. From reading on the internet this is how I understand how an SSL works.
Know here are some things I do not understand:
247
Your private key is the single most important component of your SSL certificate. It's what gives you the power to authenticate your website to internet users, helps to enable encryption and prevents others from impersonating you.
Finding your Private Key when you created the CSR in-browser If you chose to create your CSR in-browser during SSL activation, the Private Key is generally downloaded as a zip file to your computer's “Downloads” folder by default.
A CA's private key should be stored in hardware-based protection, such as a Hardware Security Module (HSM). This provides tamper-resistant secure storage. A Private key for an end entity could be stored in a Trusted Platform Module (TPM) chip or a USB tamper-resistant security token.
First off, there are some steps missing in step three. What actually happens in step three is:
The reason for this is twofold. First, the math for public key crypto is much more expensive than the math for secret key crypto. The idea is to do that expensive math only once, to enable exchanging a shared secret. Second, the client knows the server's public key, but the client might not even have a public key, so how can the server send it a secret message? That's why they must agree on a shared secret key.
Anyway moving on to your questions:
Where does the service keep its private key?
On Windows it's in the certificate storage provided by the operating system. On other operating systems, I don't know.
Why is the certificate needed?
Suppose you want to buy my lawnmower with a credit card, but you are worried that I might actually be a crook. You would like to know my real name so that you can prosecute me if I start charging my trip to Vegas on your card.
So when we do the transaction, I show you a piece of paper that says "Eric Lippert claims that the owner of this piece of paper is Eric Lippert, signed, Eric Lippert". Do you believe me? If you already trust Eric Lippert then you don't need the piece of paper, and if you don't trust Eric Lippert, then the paper doesn't establish trust. This is a "self signed certificate".
Now, if I show you a piece of paper that says "VeriSign incorporated claims that the owner of this piece of paper is Eric Lippert, signed VeriSign", then the question is: do you trust VeriSign to have verified my identity? If you do, then this is evidence that the person you're talking to is who they claim to be.
That's the purpose of the cert. It establishes that a particular public key is really associated with a particular organization because it is signed by a mutually trusted third party called the certifying authority.
When you buy something with your credit card online, you presumably trust the web site to only make authorized charges to that card. The cert verifies that the public key you are going to use for encryption really is the public key of that web site, not some evil hacker's public key.
But the certificate with the public key is public, so couldn't someone grab the certificate and pretend to be the server?
Yes, but that doesn't help them unless they steal the private key, which is private. The person with someone else's cert cannot decrypt messages that were encrypted with the public key, so they're not going to be able to do the secret key exchange with the client! Even if they manage to trick the client, all they're going to get is a stream of bits encoded with a secret key of the client's choice, a secret key which the attacker cannot obtain without the private half of the certificate.
That means: if I allow access to my private key, someone can impersonate me, right?
Yes. The security of the entire system depends on the private key remaining private. That's why its called the private key. If an attacker gains access to your private key then they can impersonate you at will, so keep it secret, keep it safe. If your key is compromised there is a mechanism whereby the certificate can be revoked, but the damage will typically already be done.
116
Eric Lippert's answer is great, but I thought I'd add a few more details in response to a couple points:
Yes, it is true that SSL verifying the server's identity is correct might not of much benefit if you are inside and intranet or on a trusted secure LAN. However, SSL or more correctly, TLS (Transport Layer Security), gives you an encrypted channel to communicate between your client and server. This means if anybody between your client and server is sniffing the network, they won't be able to read the message. TLS (SSL) is the most supported and simple way to achieve this.
If someone has admin access to the server where the private key is stored (in the cert), and that person has malicious intent, then frankly, you lost a long time before that. When storing your certificates in the cert store, you can set specific permission about who is able to read, write, and modify the cert.
Hope this helps.
21
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
