How does SSL handshake work

How a Website Owner Generates and Uses SSL/TLS Certificates

1. Generating the Certificate

  • Step 1: Generate a Private Key
    The website owner generates a private key using a tool like OpenSSL. This key is kept secret and secure:
    openssl genpkey -algorithm RSA -out private.key
  • Step 2: Create a Certificate Signing Request (CSR)
    The owner creates a CSR, which includes the public key and details about the website (e.g., domain name, organization):
    openssl req -new -key private.key -out csr.csr
  • Step 3: Submit CSR to a Certificate Authority (CA)
    The CSR is sent to a trusted CA (e.g., DigiCert, Let’s Encrypt). The CA verifies the domain ownership and organization details.
  • Step 4: Receive the SSL/TLS Certificate
    Once verified, the CA issues the SSL/TLS certificate, which includes the public key, domain name, and the CA’s digital signature.

2. Storing the Certificate and Private Key

  • The SSL/TLS certificate and private key are stored securely on the web server. Common locations include:
    • Private Key: /etc/ssl/private/private.key
    • Certificate: /etc/ssl/certs/certificate.crt
  • Access to these files is restricted to prevent unauthorized access.

3. Configuring the Web Server

  • The web server (e.g., Apache, Nginx) is configured to use the certificate and private key for HTTPS connections.
  • Example for Nginx:
    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate /etc/ssl/certs/certificate.crt;
        ssl_certificate_key /etc/ssl/private/private.key;
        location / {
            root /var/www/html;
            index index.html;
        }
    }

4. Browser Verification of the Certificate

  • Step 1: Server Sends Certificate
    When a browser connects to the website, the server sends its SSL/TLS certificate.
  • Step 2: Browser Checks Certificate Validity
    The browser checks:
    • The certificate is issued by a trusted CA.
    • The certificate is not expired.
    • The certificate’s domain matches the website’s domain.
  • Step 3: Browser Verifies the CA’s Signature
    The browser uses the CA’s public key (stored in its root certificate store) to verify the CA’s signature on the certificate.
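
    As an added illustration of the three checks in Step 2 (example code, not part of the original post), the Python below models them over a certificate in the dictionary form that Python's ssl.SSLSocket.getpeercert() returns; the trust store, certificate values and function names are constructed for the example. The CA signature check of Step 3 needs the CA's public key and a cryptographic library, so it is not modelled here.

```python
import ssl
import time

# Constructed trust store for the example: the subject names of root CAs
# this simplified "browser" trusts (not real CA names).
TRUSTED_ROOT_SUBJECTS = {
    ((("commonName", "Example Root CA"),),),
}

# Constructed leaf certificate, in the dict form ssl.SSLSocket.getpeercert()
# returns, standing in for the certificate the server sends in Step 1.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2099 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def hostname_matches(pattern, hostname):
    """Match one SAN DNS entry against the requested host. A wildcard is accepted
    only as the whole left-most label and covers exactly one label, so
    '*.example.com' matches 'shop.example.com' but not 'example.com'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_certificate(cert, hostname, now=None):
    """Run the Step 2 checks; returns the list of failures (empty = accepted)."""
    now = time.time() if now is None else now
    failures = []
    # Check 1: issued by a CA present in the trust store.
    if cert["issuer"] not in TRUSTED_ROOT_SUBJECTS:
        failures.append("issuer is not a trusted CA")
    # Check 2: the current time lies inside the validity window (times are UTC).
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        failures.append("certificate is expired or not yet valid")
    # Check 3: the requested hostname matches a DNS name in the certificate.
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(name, hostname) for name in dns_names):
        failures.append("hostname does not match certificate")
    return failures
```

Passing now=... pins the clock so the expiry check is reproducible; omit it to check against the current time.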

5. Encrypting and Decrypting Data

  • Step 1: Establish a Secure Connection
    The browser and server perform a TLS handshake to agree on encryption algorithms and exchange keys.
  • Step 2: Encrypt Data
    The server encrypts sensitive data (e.g., login credentials, payment info) using the agreed-upon encryption algorithm and the server’s private key.
  • Step 3: Decrypt Data
    The browser decrypts the data using the server’s public key and the agreed-upon encryption algorithm.

Summary

  • Certificate Generation: The website owner generates a private key and CSR, submits the CSR to a CA, and receives the SSL/TLS certificate.
  • Storage: The certificate and private key are stored securely on the web server.
  • Configuration: The web server is configured to use the certificate and private key for HTTPS.
  • Browser Verification: The browser verifies the certificate’s validity and the CA’s signature.
  • Data Encryption/Decryption: The server encrypts sensitive data, and the browser decrypts it using the server’s public key.

This process ensures secure communication between the website and its users, protecting sensitive data from interception and tampering.