Practical SSL / TLS
Securing Web Sites With SSL Encryption
What is SSL/TLS
Definition from Wikipedia - Transport
Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL),
are cryptographic protocols that provide secure communications on the
Internet for such things as web browsing, e-mail, Internet faxing,
instant messaging and other data transfers. There are slight
differences between SSL and TLS, but the protocol remains substantially
the same.
SSL/TLS is the standard for encrypting online transactions. The most
prominent example that this security encryption works is the Timothy
McVeigh execution. The execution was recorded on closed-circuit TV and
encrypted for viewing by the authorities and other allowed parties via
SSL/TLS. The footage of the execution has never surfaced on the
internet due to the security of SSL/TLS.
Using a Public Certificate Authority or a Private Self-Signed Certificate
As a general rule, publicly signed certificates should be used for all
commercial transactions which occur online. These are explained in
detail below. Private certificates can be used to secure intranet sites
or sites that a systems administrator uses to monitor the
functionality of network or service components. The encryption a
self-signed certificate provides is the same as that of a publicly
signed certificate; the difference is the warning message the client
shows because it cannot verify the issuer. If the audience the site is
intended for is internal to your company and the site is known to be
secure, there is little reason to spend the money on a public
certificate.
Public Certificate Authorities
For commercial sites (sites conducting some type of business such as
online-banking sites or eCommerce sites) a "publicly signed"
certificate should be used. This simply means that your business has
been investigated by the signing authority, and that they agree the
website is indeed attached to the business it claims to be and that
the business entity is legally registered to conduct business. Once
this information has been validated, the signing authority "signs" the
SSL certificate. What does this mean? In a web browser or mail client,
when going to a secure site with a publicly signed certificate, a
warning pop-up questioning the integrity of the certificate will not
appear.
There are numerous companies which provide these publicly signed
certificates. They range vastly in price. Although the product is
essentially the same, there are three primary factors to consider when
choosing a company to sign your certificate.
- Notoriety / Public Trust - The largest and most familiar name in
the certificate business is Verisign. The signing authority researches
the validity of its customers prior to issuing certificates. Therefore
the company name of the signing authority should generate consumer
trust. The phrase "Secured With Verisign" generates nearly as much awe
in the internet age as the "FDIC" sticker on a bank's window or the
"Underwriters' Laboratory" seal on the back of consumer electronics.
This first factor deals strictly with public perception, but can be a
powerful tool in business.
- Backwards Compatibility / Level of Encryption - The minimum
acceptable level of security for online transactions according to the
Payment Card Industry Data Security Standard is 128-bit or above
encryption. Some providers offer certificates that will downgrade the
encryption level to accept connections from older browsers not capable
of these levels. While this does allow consumers with older software
incapable of modern encryption levels to perform online transactions,
it is potentially a security risk for the consumer and a potential
liability for the bank or eCommerce company.
- Browser Compatibility - In order for a public signing authority to
issue a certificate which will not generate a warning message in the
client software, such as a browser or mail client, the signing
authority must have its "root certificate" distributed with that
software, e.g. Internet Explorer, Firefox, Safari, etc. While this
doesn't seem to be a problem with modern software versions, it can
affect customers with older software. Can you imagine an online
retailer or an online banking site that chooses a certificate
authority which is not listed in Internet Explorer 5? Most consumers
with older software are users new to the internet who have recently
jumped onboard the "Information Super-Highway" via the carriers'
recent ability to provide broadband internet to the masses at an
affordable rate. Then the user goes online to bank or purchase
something and gets a message indicating potential foul play?
Disaster!!!
A great comparison of SSL/TLS certificate providers and a source for
additional research prior to choosing a certificate authority is
available at sslcertificatescomparison.com.
Create a Private CA and Create a Self-Signed Certificate
Create a private CA:
/etc/pki/tls/misc/CA -newca
Copy /etc/pki/tls/openssl.cnf to /etc/pki/tls/MyOrgCA.cnf (this is the ../MyOrgCA.cnf that the signing step below refers to from the certs directory).
Create a key for the certificate:
cd /etc/pki/tls/certs
openssl genrsa -out certname.key 1024
Create a signing request:
openssl req -new -key certname.key -out certname.csr
Sign the request with the private CA:
openssl ca -config ../MyOrgCA.cnf -policy policy_anything -out certname.crt -infiles certname.csr
Move the private key out of the certs directory into the private key directory:
mv /etc/pki/tls/certs/certname.key /etc/pki/tls/private/
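The procedure above, together with the "warning message" point from the section on self-signed certificates, as an added example that is not part of the original page: it builds a private CA and a CA-signed server certificate in a scratch directory using raw openssl commands (instead of the CA helper script and openssl ca), then shows that the certificate verifies only for a client that has the MyOrg root installed. The organisation name, the hostname intranet.example.test and the file names are constructed values.

```shell
#!/bin/sh
# Added example, not from the original page. Runs entirely inside the
# directory given as $1 (use mktemp -d); nothing under /etc/pki is touched.
# Requires the openssl command-line tool.
set -e

# $1 = working directory, $2 = server hostname (constructed value)
make_private_ca_and_cert() {
    dir="$1"; host="$2"
    # 1. Private CA: key plus self-signed root (the page uses the CA helper
    #    script; these are the raw openssl equivalents).
    openssl genrsa -out "$dir/MyOrgCA.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/MyOrgCA.key" -days 365 -sha256 \
        -subj "/O=MyOrg/CN=MyOrg Private CA" -out "$dir/MyOrgCA.crt"
    # 2. Server key. 2048 bits here; the page's genrsa uses 1024, which is
    #    below what current browsers and PCI DSS accept.
    openssl genrsa -out "$dir/certname.key" 2048 2>/dev/null
    # 3. Signing request for the server name.
    openssl req -new -key "$dir/certname.key" -subj "/O=MyOrg/CN=$host" \
        -out "$dir/certname.csr"
    # 4. Sign the request with the CA (x509 -req instead of the page's
    #    openssl ca, so no CA database or MyOrgCA.cnf is needed).
    openssl x509 -req -in "$dir/certname.csr" -CA "$dir/MyOrgCA.crt" \
        -CAkey "$dir/MyOrgCA.key" -CAcreateserial -days 365 -sha256 \
        -out "$dir/certname.crt" 2>/dev/null
    # 5. Same as the page's last step: move the key out of the certs
    #    directory and keep it readable by its owner only.
    mkdir -p "$dir/private" && mv "$dir/certname.key" "$dir/private/"
    chmod 600 "$dir/private/certname.key"
}

# Client that has the MyOrg root installed: exit status 0 (no warning).
verify_with_ca() {
    openssl verify -CAfile "$1/MyOrgCA.crt" "$1/certname.crt" >/dev/null 2>&1
}

# Client that trusts some other root but not MyOrg's: non-zero exit status.
# This is the "warning message" case from the text, and the reason the
# MyOrg root certificate must be distributed to every intranet client.
verify_against_other_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/other.key" \
        -subj "/CN=Other CA" -days 1 -out "$1/other.crt" 2>/dev/null
    openssl verify -CAfile "$1/other.crt" "$1/certname.crt" >/dev/null 2>&1
}

work=$(mktemp -d)
make_private_ca_and_cert "$work" intranet.example.test
verify_with_ca "$work" && echo "with MyOrg root: verified"
verify_against_other_root "$work" || echo "with another root: rejected"
```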