SSL Certificates

When setting up EASYProcess and creating the site in IIS, an SSL certificate needs to be installed through IIS on the Web Server. Once this is done, the site is served over HTTPS (the site's URL begins with https://), and information sent to or from the site is encrypted using the keys tied to the SSL certificate.

How It Works

SSL certificates enable encryption of the data passed to and from the site. Every SSL certificate has a key pair: a public key, which is embedded in the certificate itself, and a private key, which stays on the server.

A Certificate Signing Request (CSR) is a block of encoded text that is given to a Certificate Authority (CA) when applying for an SSL certificate. A CA is a trusted entity that issues digital certificates. The CSR is usually generated on the server where the certificate will be installed, and it contains the information that will be included in the certificate, such as the organization name, common name (domain name), locality, and country. It also contains the public key that will be included in the certificate. The private key is created at the same time as the CSR, making a key pair.

A Certificate Authority (CA) uses the CSR to create your SSL certificate; it does not need your private key. You must keep your private key secret. A certificate created from a particular CSR only works with the private key that was generated with that CSR, so if you lose the private key, the certificate no longer works.

The normal method is to generate the private/public key pair on your own machine and send only the public key to the CA as part of the certificate request. The CA uses the CSR to build a certificate around your public key, so the certificate matches your private key without the CA ever handling the key itself. The CA assembles and signs the certificate and sends it back to you. Your private key never left your machine, and the CA never saw it.

However, in some cases it is a good idea to let the CA generate the key pair and send it to you. One situation where this is desirable is for asymmetric encryption keys: if you lose a private key, you lose all the data that was encrypted with the corresponding public key, since you can no longer decrypt it. Encryption private keys should therefore be backed up somewhere, and having the CA generate the private key makes it easy for the CA to enforce a comprehensive, inescapable backup system.

Once you receive the SSL certificate, you install it on your server. You also install an intermediate certificate that establishes the credibility of your SSL certificate by tying it to your CA's root certificate. An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. There may be one or several intermediate certificates between your site (server) certificate and the root certificate; together they complete the chain to a root certificate trusted by the browser. The result is a certificate chain that begins at the trusted root CA, passes through the intermediate(s), and ends with the SSL certificate issued to you.

Certificate Formats

Note: More than one certificate can be stored in a single file in the following formats: Personal Information Exchange - PKCS #12 (.PFX, .P12), Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B), Microsoft Serialized Certificate Store (.SST).

  • .pem
      • The most common format used for certificates.
      • Extensions used for PEM certificates are .cer, .crt, .pem and .key files.
  • .der
      • A way to encode ASN.1 syntax in binary. A .pem file is the same DER data, Base64-encoded between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. OpenSSL can convert DER to PEM (openssl x509 -inform der -in to-convert.der -out converted.pem). Windows sees these as Certificate files. By default, Windows exports certificates as DER-formatted files with a different extension. Like...
  • .cert .cer .crt
      • A .pem (or rarely .der) formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.
  • P7B/PKCS#7
      • The PKCS#7 or P7B format is stored in Base64 ASCII format and has a file extension of .p7b or .p7c.
      • A P7B file only contains certificates and chain certificates (intermediate CAs), not the private key.
      • The most common platforms that support P7B files are Microsoft Windows and Java Tomcat.
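An added worked example, not code from the EASYProcess documentation: it carries the "normal method" described under How It Works (key pair and CSR generated locally, certificate checked against the private key) and the PEM/DER conversion from the format list through with the openssl command-line tool, which it assumes is installed. No CA is contacted, so a self-signed certificate stands in for the one a CA would return for the CSR; the file names site/other and the subject www.example.com are constructed for the example.

```shell
set -eu
WORK="$(mktemp -d)"

# Private key first, then the CSR built from it: the CSR carries the subject
# fields and the public key, never the private key.  $1 = base file name
make_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/C=US/O=Example Org/CN=www.example.com"
}

# Stand-in for the CA: sign the CSR with its own key (a CA would use the CA key).
issue_self_signed() {   # $1 = base file name
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
        -out "$WORK/$1.crt" 2>/dev/null
}

# SHA-256 of the DER-encoded public key found in a key, a CSR or a certificate.
pubkey_fingerprint() {  # $1 = key|csr|crt, $2 = path
    case "$1" in
        key) openssl pkey -in "$2" -pubout -outform DER ;;
        csr) openssl req -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
        crt) openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    esac | openssl dgst -sha256 | awk '{ print $NF }'
}

# A certificate only works with the private key its CSR was generated with:
# exit status 0 when the public keys agree, non-zero otherwise.
cert_matches_key() {    # $1 = certificate path, $2 = private key path
    [ "$(pubkey_fingerprint crt "$1")" = "$(pubkey_fingerprint key "$2")" ]
}

# PEM is Base64-wrapped DER: converting .pem -> .der -> .pem yields the same
# certificate, checked here by its SHA-256 fingerprint.  $1 = PEM certificate
pem_der_round_trip() {
    openssl x509 -in "$1" -outform DER -out "$WORK/rt.der"
    openssl x509 -inform DER -in "$WORK/rt.der" -out "$WORK/rt.pem"
    [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$WORK/rt.pem" -noout -fingerprint -sha256)" ]
}

make_key_and_csr site       # the pair that belongs to the site certificate
issue_self_signed site
make_key_and_csr other      # an unrelated key pair, to show the mismatch case
cert_matches_key "$WORK/site.crt" "$WORK/site.key" && echo "site.key matches site.crt"
cert_matches_key "$WORK/site.crt" "$WORK/other.key" || echo "other.key does not match site.crt"
pem_der_round_trip "$WORK/site.crt" && echo "PEM/DER round trip preserved the certificate"
```

The same cert_matches_key check is worth running on a real CA-issued certificate before installing it in IIS, since a certificate paired with the wrong private key fails exactly as the "other.key" case does here.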