We get many questions about SSL, including what it is, how to implement it, and, of course, why it breaks. If you want to learn a little bit more about SSL and how it works, read on below.
SSL is short for Secure Sockets Layer. It was technically superseded by Transport Layer Security (TLS), but the name SSL has continued in common use. SSL uses asymmetric key cryptography to secure many web pages, mail servers and other internet-based services. In the case of a web site, it allows a browser to establish a secure connection that prevents data from being easily read by a third party.
This sort of security has an obvious value for servers that collect financial information and other sensitive data. In order to further verify the identity of these servers, SSL certificates intended for web use are generally signed by a trusted authority. These tend to be companies that specialize in creating SSL certificates, and act as a sort of “character reference” to confirm the identity of a server.
In order to create an SSL certificate from one of these authorities, one must first create a key. The key is a unique and random piece of data that is kept secret on the server. The server uses this key to generate the encryption for each incoming session. The next step is to create a Certificate Signing Request (CSR). The CSR includes information about your key and your server. You provide this to the certificate authority, and they use it to generate your certificate.
To generate a key and CSR at the same time on a Linux system, use the following command:
openssl req -new -nodes -keyout server.key -out server.csr -newkey rsa:2048
Once the certificate has been provided, it can be installed on the server. This process can take many different forms. Because of the identity aspect of an SSL certificate, it is important that each distinct certificate on a server has a unique IP address. Once you have dedicated an address to the site, it is time to add the key files. Some Apache web servers are configured to take two separate files (key and cert), while some use a single “pem” file. The pem will include the key, certificate, and the certificate for the signing authority, typically in that order. The certificate for the signing authority should be provided to you with your own certificate, and will often be named something like “bundle.crt”, although it can be named just about anything.
On a Linux system, you can generally create a pem file using this command (assuming your key, certificate, and bundle are in the same directory):
cat server.key server.crt bundle.crt > server.pem
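The assembly step above with the checks an administrator would usually run around it, as an added example that is not part of the original article. The function names are hypothetical, the file names follow the article, and key_matches_cert needs the openssl binary.

```shell
#!/bin/sh
# Added example (not from the original article): build server.pem safely.
# File names follow the article; the function names are hypothetical.

# pem_labels FILE: print the "BEGIN" labels found in FILE, in order.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# key_matches_cert KEY CERT: succeed only if both carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# build_pem KEY CERT BUNDLE OUT: key, certificate, CA bundle, in that order.
build_pem() {
    key=$1; cert=$2; bundle=$3; out=$4
    for f in "$key" "$cert" "$bundle"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    # A key made with -nodes is unencrypted: "PRIVATE KEY" or "RSA PRIVATE KEY".
    case "$(pem_labels "$key" | head -n 1)" in
        "PRIVATE KEY"|"RSA PRIVATE KEY") ;;
        *) echo "$key: expected an unencrypted private key" >&2; return 2 ;;
    esac
    for f in "$cert" "$bundle"; do
        [ "$(pem_labels "$f" | head -n 1)" = "CERTIFICATE" ] ||
            { echo "$f: expected a certificate" >&2; return 3; }
    done
    # Start from an empty file so nothing is appended to a stale copy, and
    # make it readable by the owner only, because it holds the private key.
    rm -f "$out"
    ( umask 077; cat "$key" "$cert" "$bundle" > "$out" ) || return 4
    # An input without a final newline fuses END/BEGIN lines; detect that.
    want=$(pem_labels "$key"; pem_labels "$cert"; pem_labels "$bundle")
    [ "$(pem_labels "$out")" = "$want" ] || { rm -f "$out"; return 5; }
}
```

Run key_matches_cert server.key server.crt first, then build_pem server.key server.crt bundle.crt server.pem; a non-zero status from either means the pem should not be installed.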
While SSL may seem complicated at times, these basic steps will satisfy the needs of most basic websites. There are a couple of more complicated uses, which I will not cover in detail. In some cases, a single certificate can be used to serve several different domains. In this case a special UCC certificate can be generated. Another new development is the SNI certificate, which allows a server with a single IP address to serve many different certificates. Generating CSR files for these types of certificates can be a bit more involved, requiring a few steps beyond a single, simple command.