1 – What is an SSL certificate
SSL is the component used to secure electronic connections. It guarantees that all the data exchanged during a transaction between two parties (for example a web server and a browser) is encrypted and trustworthy.
To work, SSL relies on certificate files.
An SSL certificate is a digital file used to establish a secure, encrypted link between a client and a server. It binds a public key to a name (usually a domain name) and carries the signature of whoever issued it.
SSL certificates are delivered by Certification Authorities (also called CAs). Browsers and other clients ship with a list of trusted CAs and use it to check a certificate's validity and integrity.
Certificates are used by many web services to protect their users and services. Today a valid certificate is a must on all your services, whether they are exposed on the internet or only reachable from a private network.
2 – Why you must use an SSL certificate
A few years ago, SSL was just a nice feature to have on your website and was only recommended for e-commerce and payment pages. Today it is a must have, for several reasons:
- It gives you credibility with your users. Most customers will not purchase anything on a website that does not use an SSL certificate.
- It protects the traffic against man-in-the-middle attacks (eavesdropping or tampering on the path between the client and the server). Note that a certificate alone does not stop phishing: a phishing site can obtain a perfectly valid certificate for its own domain, so users still have to check which domain they are on.
- It provides authentication: the client can check that the service it talks to is the legitimate holder of the domain name, as vouched for by a third-party certification authority.
- It brings you a bonus in Google's search ranking. Google announced in 2014 that HTTPS is a ranking signal, so websites using a certificate can get better rankings in its search results.
- It keeps your website working in every browser in the future. Google, Microsoft and Mozilla have already announced that their browsers will penalise resources that do not use a valid certificate.
Adding SSL to an existing website can be difficult and expensive: you have to make sure that all your content is served over SSL (pages, links, images, videos, etc.), otherwise browsers flag it as mixed content. So, both to increase security and to reduce cost, it is recommended to implement it as early as possible, during the development phase.
1 – How does SSL work?
A certificate comes in two parts: a public file (the certificate itself, which holds the public key together with the name, the validity dates and the issuer's signature) and a private key. They form one key pair: only the private key can sign or decrypt what the public key verifies or encrypts.
When a client connects to a service, the server sends the public file (available to anyone) and then proves, during the handshake, that it holds the matching private key (which stays on your server and must never be shared). The client only trusts the connection if that proof succeeds.
If you use a third-party authority to obtain a certificate, it also delivers a chain file: the intermediate CA certificates sitting between your certificate and the authority's root. Serving it together with your certificate lets the client build the path from your certificate up to a root it already trusts, which is what guarantees that the domain name and the service are recognised by a legitimate authority.
All the data transiting between your services is then encrypted with session keys negotiated during the handshake, according to the protocol and cipher suite you choose in your server's configuration. The content and personal information cannot be seen or read by anyone on the path. The private key itself is only used to authenticate the handshake; with modern cipher suites (forward secrecy) even someone who later obtains the private key cannot decrypt recorded traffic, but an attacker holding it can impersonate your server, which is why it must stay on the server and secret.
Here is the process between a browser and a web server using SSL:
- The browser opens a connection to the secure website and tells the server which protocol versions and cipher suites it supports.
- The server answers, picks the protocol and cipher, and sends its certificate (with its chain).
- The browser checks that the certificate is legitimate: signed by an authority it trusts, not expired, issued for the hostname being visited, and backed by the matching private key on the server.
- All communications are now encrypted and the user sees a padlock in the browser. The padlock means the connection is encrypted and the certificate matches the site's name; it does not vouch for the content of the site.
2 – 3 ways to obtain SSL certificates
- Buy one from a commercial organisation: the best known are Comodo, IdenTrust, Symantec, GoDaddy, Namecheap...
- Generate one with Let's Encrypt: see my ultimate guide about generating SSL certificates with Let's Encrypt
- Generate a self-signed certificate: the procedure is given at the end of this article
3 – SSL vs TLS, the protocols behind your certificate
First thing to know: certificates are used by encryption protocols. SSL is one of these protocols, TLS is another. Fortunately for us, a certificate is not tied to a protocol: if you buy or generate a certificate, it works with both SSL and TLS. It is your server's configuration that tells the client which one to use (by forcing a version or preferring one over another).
Today SSL and TLS are the best known protocols, although SSL has been deprecated for a long time in favour of TLS.
- SSL is at version 3.0, released in 1996, and development of this protocol stopped years ago; it has known practical attacks (POODLE). It is strongly recommended not to enable the SSL protocol anymore.
- TLS is at version 1.2, released in 2008. Version 1.3 of the protocol is currently a working draft and should be available soon. For now, TLS 1.2 is the protocol to use to secure your connections; keep TLS 1.0 and 1.1 enabled only if you must support very old clients.
For more information on how to configure your web server to force the TLS protocol, you can read my step-by-step guide on configuring a LEMP server, or go directly to the corresponding chapter: Add SSL to Nginx
4 – Files and extensions
It can be confusing for beginners to understand all the extensions used to handle certificates. Some are very common, others are rare and used only in specific cases.
Here is a glossary of the different files and extensions:
- CSR: Certificate Signing Request. File containing the identity information and the public key you submit to ask for a certificate. Used only during the generation process.
- KEY: the private key. File containing the private part of your key pair; it stays on the server and is never shared.
- CRT: also named CERT. File containing the public certificate matching the key file.
- CER: identical to CRT; the extension used by Microsoft.
- PEM: Base64 text container ("-----BEGIN ...-----" blocks) for a certificate, a key, or both (it is not unusual for one PEM file to hold the certificate and the private key). It is the usual encoding of X.509 objects, and the same encoding is used for other key material, such as SSH private keys.
- DER: binary form of a certificate (instead of the usual ASCII). Such a file may carry the .crt or .cer extension. Mostly used by Java.
- PKCS7: also named P7B or P7C. A container holding the public certificate and its chain, without any private key, usually in Base64 ASCII. Mostly used by Java.
- PKCS12: also named P12 or PFX. A binary container holding both the private key and the certificate (with its chain), protected by a password. Mostly used by Windows.
Implement SSL certificates
1 – Generate SSL certificates
Generating an SSL certificate is a three-step process:
- Create the KEY file: the private key. It is generated first, does not depend on the information you will put in the request, and never leaves your server.
- Create the CSR file: the certificate signing request, signed with your private key. You will be asked for your identity information; you can answer as you like, the most important field is the Common Name, meaning your domain name (modern browsers also require the domain in the subjectAltName extension).
- Generate the CRT: you can sign it yourself in the case of a self-signed certificate, or buy a certificate from a third-party authority. In the second case you only send the CSR file (never the key) and the authority gives you back the CRT.
Here are the commands to do these operations (note that the first command creates both the KEY and the CSR files, and that -nodes leaves the key unencrypted on disk), in order to create a self-signed certificate (do not use self-signed certificates in production):
openssl req -nodes -newkey rsa:2048 -keyout /etc/ssl/certifssl.key -out /etc/ssl/certifssl.csr
Country Name (2 letter code) [AU]: FR
State or Province Name (full name) [Some-State]: Ile de France
Locality Name (eg, city) : Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Isicca
Organizational Unit Name (eg, section) : Blog
Common Name (eg, YOUR name) : www.isicca.com
Email Address : firstname.lastname@example.org
A challenge password :
An optional company name :
openssl x509 -req -in /etc/ssl/certifssl.csr -signkey /etc/ssl/certifssl.key -out /etc/ssl/certifssl.crt -days 999
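The same three steps done non-interactively, with a throwaway private CA standing in for the commercial authority so that the chain and key-pair notions from the "How does SSL work?" section can be checked on real files. This is an added example, not the article's own commands; it assumes `openssl` 1.1.1 or newer, the CA name is invented, and the domain is the one typed in the article's prompts.

```shell
#!/bin/sh
# Added example (not from the original article): key -> CSR -> signed CRT,
# then the checks to run before installing the files on a web server.
# Assumes `openssl` 1.1.1+; "Example private CA" is an invented name.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CN=www.isicca.com

# Stand-in for the third-party authority: its own key and self-signed root.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Step 1: the private key. Generated first, independent of any request data.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/server.key" 2>/dev/null

# Step 2: the CSR, signed with that key. Identity fields as in the article,
# plus a subjectAltName, which browsers require in addition to the CN.
openssl req -new -key "$WORK/server.key" \
    -subj "/C=FR/ST=Ile de France/L=Paris/O=Isicca/OU=Blog/CN=$CN" \
    -addext "subjectAltName=DNS:$CN" -out "$WORK/server.csr"

# What the authority receives: the request only, never the key.
CSR_SUBJECT=$(openssl req -in "$WORK/server.csr" -noout -subject)

# Step 3: the authority signs the request. `openssl x509 -req` does not copy
# the extensions carried by the CSR, so the SAN is supplied again via -extfile.
printf 'subjectAltName=DNS:%s\n' "$CN" >"$WORK/san.ext"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null

# Check 1: the certificate's public key is the one derived from our private
# key. A mismatch here is the classic reason a web server refuses to start.
key_matches_cert() {   # $1 = key file, $2 = certificate file
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Check 2: the certificate chains up to the authority and is issued for the
# hostname clients will visit. Prints OK or FAIL.
chain_status() {       # $1 = CA file, $2 = certificate file, $3 = hostname
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

CERT_SAN=$(openssl x509 -in "$WORK/server.crt" -noout -ext subjectAltName)
KEY_MATCH=$(key_matches_cert "$WORK/server.key" "$WORK/server.crt" && echo yes || echo no)
CHAIN_OK=$(chain_status "$WORK/ca.crt" "$WORK/server.crt" "$CN")
CHAIN_WRONG_NAME=$(chain_status "$WORK/ca.crt" "$WORK/server.crt" "shop.isicca.com")

printf 'CSR subject       : %s\nSAN               : %s\nkey matches cert  : %s\nchain for %s : %s\nchain, other name : %s\n' \
    "$CSR_SUBJECT" "$(printf '%s' "$CERT_SAN" | tail -n 1)" "$KEY_MATCH" "$CN" "$CHAIN_OK" "$CHAIN_WRONG_NAME"
```

With a real authority, `ca.crt` is replaced by the chain file it sends you, and `openssl verify -CAfile chain.pem -verify_hostname yourdomain server.crt` is the same check a browser performs before showing the padlock. Running `key_matches_cert` on the two files you are about to deploy takes a second and avoids the most common outage after a certificate renewal.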
2 – Convert certificate files
- View a PEM certificate:
openssl x509 -in certificate.pem -text -noout
- View a DER certificate:
openssl x509 -in certificate.der -inform der -text -noout
- PKCS12 to PEM (private key and certificate; -nodes writes the extracted key unencrypted):
openssl pkcs12 -in certificate.p12 -out certificate.pem -nodes
- PEM to PKCS7 (certificate plus CA chain, no private key):
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
- PKCS7 to PEM:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
- PEM to PKCS12 (key, certificate and chain, protected by a password you will be prompted for):
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
- PKCS12 to PEM:
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
- PKCS7 to PKCS12 (extract the certificates first, then bundle them with the key):
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
- PEM to DER:
openssl x509 -in certificate.crt -outform der -out certificate.der
- DER to PEM:
openssl x509 -in certificate.crt -inform der -outform pem -out certificate.pem
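The conversions above chained into round trips, each checked with the certificate's SHA-256 fingerprint so you can see that no format changes the certificate and that the private key survives the PKCS12 trip. This is an added example and not part of the original article; it assumes `openssl` 1.1.1 or newer, and the certificate name and password are made up.

```shell
#!/bin/sh
# Added example (not from the original article): PEM <-> DER, PEM <-> PKCS12
# and PEM <-> PKCS7 round trips verified by fingerprint.
# Assumes `openssl` 1.1.1+; the hostname and the password are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Starting material: a throwaway self-signed certificate and its key, in PEM.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=convert.example.test" \
    -keyout key.pem -out cert.pem 2>/dev/null

# SHA-256 fingerprint of a certificate, whatever its encoding ($2 = PEM|DER).
fingerprint() { openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2; }
# Public half of a private key, used to confirm the key came back unchanged.
pubkey_of() { openssl pkey -in "$1" -pubout; }

ORIG_FP=$(fingerprint cert.pem PEM)
ORIG_PUB=$(pubkey_of key.pem)

# PEM -> DER -> PEM
openssl x509 -in cert.pem -outform DER -out cert.der
openssl x509 -in cert.der -inform DER -outform PEM -out from_der.pem
DER_FP=$(fingerprint cert.der DER)
FROM_DER_FP=$(fingerprint from_der.pem PEM)

# PEM -> PKCS12 -> PEM  (the .p12 holds key + certificate under one password)
openssl pkcs12 -export -in cert.pem -inkey key.pem -out bundle.p12 -passout pass:changeit
openssl pkcs12 -in bundle.p12 -passin pass:changeit -nodes -out from_p12.pem
# The unpacked file carries both objects; x509 and pkey each pick out their own.
FROM_P12_FP=$(fingerprint from_p12.pem PEM)
FROM_P12_PUB=$(pubkey_of from_p12.pem)

# PEM -> PKCS7 -> PEM  (certificates only: a .p7b never carries a private key)
openssl crl2pkcs7 -nocrl -certfile cert.pem -out bundle.p7b
openssl pkcs7 -print_certs -in bundle.p7b -out from_p7b.pem
FROM_P7B_FP=$(fingerprint from_p7b.pem PEM)
P7B_HAS_KEY=$(grep -c 'PRIVATE KEY' from_p7b.pem || true)

# True when every converted copy still has the original fingerprint.
all_match() {
    [ "$ORIG_FP" = "$DER_FP" ] && [ "$ORIG_FP" = "$FROM_DER_FP" ] \
        && [ "$ORIG_FP" = "$FROM_P12_FP" ] && [ "$ORIG_FP" = "$FROM_P7B_FP" ]
}

printf 'fingerprint       : %s\nall formats match : %s\nkey unchanged     : %s\nkey inside p7b    : %s\n' \
    "$ORIG_FP" "$(all_match && echo yes || echo no)" \
    "$([ "$ORIG_PUB" = "$FROM_P12_PUB" ] && echo yes || echo no)" "$P7B_HAS_KEY"
```

Comparing fingerprints is the quick way to confirm that a file handed to you in another format (a .cer from a Windows team, a .p7b from a CA portal) is really the certificate you expect; the PKCS7 step also shows why that format cannot replace a PKCS12 when the private key must travel too.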