Security

Creating Security Certificate Tutorial

2 Comments

Today we will see how to create CSR (certificate signing request), generate the self-signed certificate.

The security certificate is a file used to identify the identity of the server. The certificate contains information like the server name/IP, the certificate serial number, expiration date, and public key.

If you are not familiar with the security certificate and how it is used, it is strongly recommended to read our last article (Secure Connection – Part 1).

https://webmethodsexpert.com/2014/11/09/secure-connection-part-1-introduction/

In this tutorial we will use OpenSSL to generate the certificate, you can download it from the internet, it is open source tool.

 

1. Open the command line and go to the bin directory of OpenSSL

             Ex. C:\OpenSSL-Win32\bin\

 

2. Set the configuration file of the openSSL by the following command :

            set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg

 

Note : search for your config file in the openSSL directory. This step might not be necessary if the application config file is already configured.

 

3. Generate the private key of your server using the following command

           openssl genrsa -aes256 -out server.key 1024

aes256 : is the encryption algorithm used to encrypt your private key files.

server.key :  Is the file name which contains the private key.

1024 : The key length

Note : Don’t share your private key with anyone or entites including the CA. The CA doesn’t need your prviate key to issue the certificate.

private key

Note : you will be asked to choose password for your private key file(will be used to encrypt the file). The file will be generated in the bin directory of the openSSL.

 

4. In this step we will genrate the CSR (certificate signing request) file to sen it to the CA (certification authority).

Here is the openSSL command :

          openssl req -new -key server.key -out server.csr

server.key : The file which contain the private key of your server (from step 3)

server.csr : The file name to be generated with the CSR (certificate signing request)

You will have to answer the following questions to be included in the CSR file.

  • The private key file password (will not be included in the CSR file).
  • Country name (Only the initial. Example ‘CA’ for ‘Canada’)
  • State or Province.
  • Locality name (city).
  • Organization name (ex. company)
  • Organization unit name (department)
  • Common name (server name) : this is the name or IP of your server. It must 100% match the server or IP used by the client or the calling servers. Example localhost and 127.0.0.1 is refering to the same server but from the certificate point of view they are not the same.
  • Email address of the contact person (certificate requestor).
  • A challenge password, and optional company name.

CSR request

After entering the information you will find your .CSR file in the bin directory of the open SSL.

5. You have to decide which type of certificate your want :

  • Certification signed by a CA (Certification Authority) – usually all the production server must be using this type.

So your next step will be sending the .CSR file to the CA. The CA will verify all the information in the CSR file to make sure that the requestor is a trusted company, then they will issue a signed security certificate, and send it to you. This is the end of the tutorial for the certificate signed by CA.

  • Self-signed certificate : which means that you will be generating the certificate without CA – usually it is used in development and testing servers.

Note : The rest of the tutorial is related to the self-signed certificate.

 

6. Generate the self-signed certificate by executing the following command :

           openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt

sha256 : The hash algorithm that will be used to sign the certificate.

365 : The validty of the generated certificate in days.

server.csr : The certificate sigining request which contains all the server, and the requestor orgainzation info.

server.key : The private key of your server which will be used to sign the certificate.

server.crt : The certificate file name generated after the command execution.

Note : Theoritcally in the CA uses a command like this but they will their private key to sign the certificate(server.key in our case).

Your self-signed certificate has been generated in the bin directory of the openSSL. In windows you can double click the server.crt to view the certificate information.

Thank you for visiting our website. We are looking forward reading your comments and questions.

Follow us:

on twitter: @WM_Expert

Group on LinkedIn: webmethodsExpert.com

(C) 2014 Hossam Elsharkawy. All rights reserved.

Advertisement

Secure connection – part 1- Introduction

11 Comments

Securing the business transactions, and customer information is critical for business success and wining the customer’s trust.

In this article we will cover some of the basic concepts that you should know as a start to secure your business transactions.

security image

Here are the topics we will cover:

  1. When to use secured connection and when to use non-secured connection?
  2. Definition of Symmetric and Asymmetric encryption?
  3. What is Security certificate?
  4. What happens when accessing HTTPS page from the browser?
  5. KeyStore and TrustStore

 

1. When to use secured connection and when to use non-secured connection?

You should consider the secured connection (ex. Https) in the following situations:

  • The traffic sent/received contains critical info such as personal data (name, address, phone number, birth date, email address, …), credit card info, …, etc.

Why? the information might be target for man-in-the-middle attack from inside or outside the network, so the data from this types must be always encrypted to make sure that it is not readable if intercepted.

  • The Web service is being called from the internet or from outside of the network.

why? Exposing the web service to the internet will increase the risk of man-in-the-middle which can lead to data leakage. Using secured connection will encrypt the data, and verify the identity of the calling server.

Note: The test servers must have the same level of security if it is a replica from the production server as it will contain critical data.

You should consider the non-secured connection (ex. HTTP) in the following situation:

  • The web service is called only within the internal network, and no sensitive data is being transferred.

Explanation: The internal network is already protected by the network firewall and the DMZ (demilitarized zone).

  • The web service will return non-sensitive data. Ex. a web service returning the weather forecast, the forecast is available for everybody anyways (there is nothing to hide).

 

2. Definition of Symmetric and Asymmetric encryption?

  • Symmetric Encryption Algorithm: is encryption algorithms which use the same key to encrypt and decrypt the data. Examples: AES, DES, 3 DES
  • Asymmetric Encryption Algorithm: is encryption algorithms which use a pair public and private keys. The data encrypted by the private key can be decrypted only by the matching public key, and the data encrypted by the public key can be decrypted only by the matching private key. The public key is shared with everybody, and the private key will be only with one entity (everybody can send me a message encrypted by my public key, and the message can be decrypted only by my private key). Examples: RSA, ElGamal, Deffie-Hellman.

 

3. What is Security certificates?

  • Security certificate contains information about a specific server (certificate serial number, expiry date, organization name, issuer of the certificate, public key of the server, IP or name of the server as called by the client, … etc), The security certificate can be issued by Certification authority (CA), or self-signed.
  • Certification authority (CA): is the certification authority which is responsible for granting and signing the certificates after verifying the requestors information, revoking  the compromised certificate. Examples: VeriSign.
  • The certificate issued by CA is trusted and it recognized by the web browser, so users can trust it. All the production server must use security certificate signed by the CA. The self-signed certificate contains the same information as the one signed by the CA except that it was created by the developer or the company owning the server so when dealing with the production server there is no way to guarantee the identity of the server and your data will be at risk.
  • Usually you can use self-signed certificate for the development, and test servers. But for the production it is strongly recommended to use a certificate issued by CA.
  • The security certificate is issued for a specific IP or address and can’t be used to other  servers. Example: if the certificate was for localhost and you used 127.0.0.1 (which is the IP of the localhost), it will not work as it is considered a different server.

 

4. What happens when accessing HTTPS page from the browser?

In this section we will discuss what happens when you access HTTPS page through your browser.

     1. When you type the address, the browser will check the certificate of the target server to make sure that it is valid, and signed by known CA. If not, the browser will notify you that the page is not trusted.

The following is print screen from the page of Bank of Montreal (BMO) login, the browser is showing that is trusted web site and by clicking on the lock beside the address bar and you can see the certificate details.

https and certificate

    2. Your browser and the server will perform some requests which called the handshake to agree on the Encryption algorithm used and the encryption key used in the session(random key changes with each session). During the handshake the browser will use the server’s public key to encrypt/decrypt the messages, and the server use the private key to decrypt/encrypt the messages.

    3. After the browser and server agree on the algorithm and key, they will use symmetric algorithm (stated in the handshake) and the encryption key(stated n the handshake) as the symmetric encryption is faster that the asymmetric algorithm (public/private key).

 

5. What are KeyStore and TrustStore?

  • Key Store: Is password protected file which contains the private key and a copy from the security certificate of your server. So your server can use it to sign the messages/traffic sent with the private key to that the message was not altered during its way to destination, and can decrypt the incoming traffic encrypted by the servers public key.
  • Trust Store: IS a password protected file which contains the root CA certificates that you recognize. So your server will accept the traffic from any server which has a certificate signed by the root CA certificate which exists in the trust store. For example if you added the root certificate of VeriSign in your truststore you will accept the traffic from any server has a certificate signed by VeriSign.

Technically the key store, and trust store is using the same technology and the only difference how to use it in your application. Example for famous store formats are:

1. JKS (Java key Store).

2. PKCS12.

Next time we will see how we can create a security certificate request (CSR), and generate a self-signed certificate.

Thank you for visiting our website. We are looking forward reading your comments and questions.

Follow us:

on twitter: @WM_Expert

Group on LinkedIn: webmethodsExpert.com

(C) 2014 Hossam Elsharkawy. All rights reserved.