IIS Web Server Learning Series - Part 6 – SSL and Digital Certificates


SSL and Digital certificates

How digital certificates work:

A digital certificate involves two different encryption keys:

1. Private key: kept private; only the server (IIS) uses it.

2. Public key: anybody can use the public key.

Together they are called an asymmetric key pair.

Anything encrypted using the public key can be decrypted using the private key.

Anything encrypted using the private key can be decrypted using the public key.

When you send a request to a web server that uses a certificate, the server processes the request, gets the data, encrypts it using the private key and sends it to the client along with the server certificate.

That certificate contains the public key; the browser extracts it and decrypts the content.

CA (certification authority): the server can have certificates (go to Internet Options, Content, Certificates; there we have Trusted Root Certification Authorities). These are the authorities whose issued certificates the server will accept.

When we go to amazon.com and do the checkout, it switches to https and presents its certificate; the browser checks it against the certificates in its store to see whether this certificate was issued by one of the intended authorities.

This means the certificate was issued to amazon.com by an authority; the authority takes all the company information and issues the certificate to Amazon.

Certificate types:

1. Domain only: here the CA does not verify the company; it still issues the certificate to the company.

It issues it because you own the domain, so they issue a certificate.

It only encrypts the data; it costs 20 bucks every year.

2. Normal SSL (Transport Layer Security), normally just called SSL.

It costs 100 bucks every year, as the company needs to prove its identity every year.

This gives the CA the opportunity to re-verify the identity.

It costs more because the CA needs to verify everything about the certificate.

Both of the above certificates are issued to a single host.

Ex: http://www.mycompany.com

If you try to install it on another web server, it gives an error: this certificate does not match the hostname.

3. SAN (wildcard) certificate: Subject Alternative Name

It is used to issue certificates to *.mycompany.com

Ex: ftp.mycompany.com

users.mycompany.com

It is costlier than a normal SSL certificate, but cheaper than buying separate SSL certificates for multiple hosts.

4. Extended Validation (EV): it's a high-grade security certificate.

There is a lot of process involved in getting this one.

If we go to amazon.com, after the address bar we get the lock symbol; that is a normal SSL certificate.

If you go to icicibank, after the address bar you get the lock symbol together with the ICICI Bank name,

and the address bar is green.

If the certificate has expired, the address bar turns red or orange.
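The checks behind the "does not match the hostname", wildcard and expired-certificate behaviour described above, as an added example (not code from the original post): how a client matches the requested host against a certificate's CN and Subject Alternative Names, checks the validity window, and flags a weak RSA key. The certificates are constructed dicts, not real certificates, and the `mycompany.com` names are the post's own placeholders.

```python
"""Checks a client makes on the certificate a web server presents.

Added example, not from the original post: name matching against the CN and
Subject Alternative Names (one left-most wildcard label, RFC 6125 rules), the
validity window, and RSA key size. Certificates here are constructed dicts.
"""
from datetime import datetime, timezone

MIN_RSA_BITS = 2048  # public CAs stopped issuing certificates for 1024-bit keys

def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (CN or dNSName SAN) against a hostname.

    Case-insensitive. A wildcard must be the whole left-most label and stands
    for exactly one label: *.mycompany.com covers ftp.mycompany.com but not
    mycompany.com or a.b.mycompany.com.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False  # wildcard not the whole first label, or too broad ("*.com")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def cert_matches_host(cert: dict, hostname: str) -> bool:
    """When SANs are present only they count; otherwise fall back to the CN."""
    names = cert["san"] or [cert["cn"]]
    return any(name_matches(n, hostname) for n in names)

def check_certificate(cert: dict, hostname: str, now=None) -> list:
    """Return the problems a browser or admin would flag (empty list = OK)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not cert_matches_host(cert, hostname):
        problems.append("hostname mismatch")
    if not cert["not_before"] <= now <= cert["not_after"]:
        problems.append("expired or not yet valid")
    if cert["key_bits"] < MIN_RSA_BITS:
        problems.append(f"weak key ({cert['key_bits']} bits)")
    return problems

UTC = timezone.utc
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=UTC)
# Constructed samples mirroring the post's host-only and wildcard certificates.
HOST_CERT = {"cn": "www.mycompany.com", "san": [], "key_bits": 2048,
             "not_before": datetime(2024, 1, 1, tzinfo=UTC), "not_after": datetime(2025, 1, 1, tzinfo=UTC)}
WILDCARD_CERT = {"cn": "*.mycompany.com", "san": ["*.mycompany.com", "mycompany.com"], "key_bits": 1024,
                 "not_before": datetime(2024, 1, 1, tzinfo=UTC), "not_after": datetime(2025, 1, 1, tzinfo=UTC)}
```

Calling `check_certificate(HOST_CERT, "ftp.mycompany.com", SAMPLE_NOW)` reproduces the hostname mismatch from installing a host-bound certificate on another host, while the wildcard certificate covers that host but is flagged for its 1024-bit key.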

Certificates can be assigned to multiple websites, but they are managed at the server level.

Go to Server Certificates, Create Certificate Request, and give the company details.

Cryptographic service provider: RSA, bit length 1024. (Public CAs no longer issue certificates for keys shorter than 2048 bits, so choose 2048 or higher for a new request.)

Export it to a file. Take the information from the file and submit it to the SSL admin to get the certificate.

Import this certificate in IIS and bind it to the site. Then, in SSL Settings, check the check box to allow SSL.

Create Domain Certificate request: it's a certificate created by ourselves; no one else issued the certificate.

Regards,

Chaitanya
