SSL Authentication in HTTP : Basics – Part 1

Before going into any details of SSL, the best thing is to know the following terminology and file formats. HTTPS is basically used for secure transactions over HTTP, like payments etc.

HTTPS : The HTTP protocol carried over SSL, so that any communication exchange is encrypted to the outside world. That way, HTTP communication is quite secure.

Keystore : A keystore is basically a container for a pair of public & private keys. It can hold multiple such pairs.

Key : It’s basically a string encoded in base64 format (I guess).

PKCS12 : This is the format of the keystore file we create by default using openssl or keytool. You can see the respective commands in the next part of this series. Almost all browsers expect the keystore to be in this format to import the respective certificates. Normally, keystore files have the extension .p12.

PEM : This is the format of a file that can be a certificate, a key or a keystore.

DER : This is another format similar to PEM, but PEM is more popular in use.

Certificate : This is basically a digital signature generated using the above pair of public & private keys. It represents the identity of a machine in the secure HTTP world of the internet.

Self signed : After we create a certificate, the next step is that someone has to sign it. If you create a certificate and sign that same certificate yourself, it’s called self signed. After this, you need to copy your certificate into the ca-bundle.cer file on both machines. This way, you are trusting your own signed certificate.

CA signed : There is a list of CAs (Certificate Authorities) available on the internet who have the right to sign a cert, and such a cert is considered trusted across the whole internet. Almost all operating systems and browsers have these CAs’ certificates listed as trusted in their default ca-bundle.cer file. These CA signed certificates are very costly, though.

cert/cer : Standard extension for certificate files, which can be in either PEM or DER format.

keytool : A utility to generate these keystores/keys/certificates, supplied along with the Java SDK.

openssl : Another open source utility, similar to keytool.

One way authentication in SSL : In this case, the server machine holds a certificate for HTTPS authentication. When the client sends a request to the server, the server first sends this CA signed certificate to identify itself. The client machine checks this certificate against its default list of trusted certificates, kept in a file called ca-bundle.cer, and depending on that it can communicate further with the server. If it finds that the certificate is not in that list, it has two choices: either it can proceed with the communication, ignoring the security aspects, or it can stop further communication because it has found that the server is not trusted.
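The trust check described above (and the ca-bundle handling from the self signed and CA signed entries), as an added example that is not part of the original post: it uses openssl to build a tiny CA, a CA signed server certificate and a self signed certificate, then checks each one against a constructed ca-bundle the way a client does. It assumes openssl is installed; all names (Example Root CA, server.example.test, the WORK directory) are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is installed.
set -e
WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the constructed files

make_certs() {
  # 1. Our own "CA": a private key and a self-signed root certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -subj "/CN=Example Root CA" -days 30 2>/dev/null
  # 2. A server key + CSR, then a certificate signed by the CA ("CA signed").
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=server.example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" -days 30 2>/dev/null
  # 3. A server that signs its own certificate ("self signed").
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/self.key" \
    -out "$WORK/self.pem" -subj "/CN=selfsigned.example.test" -days 30 2>/dev/null
  # 4. The client's trust list: only the CA root, like a default ca-bundle.
  cp "$WORK/ca.pem" "$WORK/ca-bundle.pem"
}

# is_trusted BUNDLE CERT -> exit status 0 if CERT chains to a cert in BUNDLE,
# i.e. the decision a client makes in one way authentication.
is_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# trust_self_signed BUNDLE: what the post describes for self signed certs,
# appending your own certificate to the bundle so it becomes trusted.
trust_self_signed() {
  cat "$WORK/self.pem" >> "$1"
}

make_certs
B="$WORK/ca-bundle.pem"
is_trusted "$B" "$WORK/server.pem" && echo "server.pem: trusted (CA signed)"
is_trusted "$B" "$WORK/self.pem"   || echo "self.pem: NOT trusted (self signed)"
trust_self_signed "$B"
is_trusted "$B" "$WORK/self.pem"   && echo "self.pem: trusted after adding it to the bundle"
```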

Two way authentication in SSL : In this case, both the server and client machines have their own CA signed certificates. When the client sends a request to the server, it gets the server certificate. It then verifies whether the certificate is trusted or not, and sends back its own certificate; the server verifies that in the same way, and depending on the verification, communication starts over HTTP(S). This method is kind of tricky: you need to configure your HTTP client (with which you send requests to the server, normally a web browser) with the client certificate as well as the private key.

We’ll see the commands to create these keystores, keys and certificates, and also how to communicate with servers using curl (an open source HTTP client), in the next part of this series.

For Part 2 click here.
