Monthly Archives: February 2014

Security certificates

I got interested in security certificates. What are they? How do they work? Is it possible to use them on your own website? Those were my questions.
The principle is somewhat confusing, but it works. The idea is that a security certificate consists of two elements. One element is a so-called private key. This private key stays on the webserver and is used to decrypt a message that is sent to the server. Likewise, it encrypts the message that is sent by the server. The private key is also used to generate a public key. This public key is sent to any browser. The browser is then able to do the opposite: it can encrypt a message sent to the server and decrypt the message received. The result is that encrypted traffic can be exchanged between browser and webserver.
In a sequence, one gets:
[1]: the browser requests a secure page via https://…
[2]: the webserver sends the public key to the browser with the signed certificate
[3]: the browser checks the certificate. If the certificate cannot be correctly identified, the browser issues a warning. If you create the certificates yourself, you get such a warning.
[4]: the browser uses the public key to encrypt the requested URL
[5]: the webserver uses the private key to decrypt the URL
[6]: the webserver encrypts the page that is sent to the browser
[7]: the browser decrypts the page that is received

One may buy a set of certificates, but it is more fun to create a set of certificates oneself.
To do so, one needs the open-source software program “openssl”. It is available for free. But I must admit, I had to search for it. It was not really easy to find. Maybe it helps if you know the exact name; in my case it was openssl-0.9.8h-1-setup.exe.
The program is meant to be used on Linux. There are Windows versions, but then one should set an environment variable: set OPENSSL_CONF=C:\Program Files\GnuWin32\share\openssl.cnf, in my case. It depends of course on where the config file resides.
The private key is then created with a series of commands:

openssl genrsa -des3 -out tom.key 2048        # generate the private key; -des3 asks for a passphrase that protects the key file
openssl req -new -key tom.key -out tom.csr     # generate the certificate signing request; answer the questions, Common Name = server address
copy tom.key tom.key.orig                      # keep a copy of the passphrase-protected key (Windows; use cp on Linux)
openssl rsa -in tom.key.orig -out tom.key      # write the same key without the passphrase, so the webserver can start without asking for it

Subsequently, the public key is generated with:

openssl x509 -req -days 365 -in tom.csr -signkey tom.key -out tom.crt   # sign the request with the private key: a self-signed certificate, valid 365 days, carrying the public key
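
The same steps run without prompts, followed by the checks behind step [3], as an added example that is not code from the post: it assumes the openssl binary is on PATH and uses the post's server address 192.168.5.14 as the name in the certificate. It also adds a subjectAltName entry, which the commands above do not produce and which current browsers require to match the address.

```shell
# Added example (not from the post): the openssl steps above run without prompts,
# followed by the checks behind step [3]. Assumes the openssl binary is on PATH.
CERT_HOST=192.168.5.14   # constructed: the server_name from the nginx config below

# Writes tom.key, tom.csr and tom.crt (the post's file names) into directory $1.
make_selfsigned() {
    mkdir -p "$1"
    # Key without -des3, so the post's "copy + openssl rsa" passphrase removal is not needed.
    openssl genrsa -out "$1/tom.key" 2048 2>/dev/null
    # -subj answers the questions "openssl req" would otherwise ask interactively.
    openssl req -new -key "$1/tom.key" -subj "/CN=$CERT_HOST" -out "$1/tom.csr" 2>/dev/null
    # Browsers match the address against subjectAltName, not only the CN (IP: for an address, DNS: for a name).
    printf 'subjectAltName = IP:%s\n' "$CERT_HOST" > "$1/san.cnf"
    openssl x509 -req -days 365 -in "$1/tom.csr" -signkey "$1/tom.key" \
        -extfile "$1/san.cnf" -out "$1/tom.crt" 2>/dev/null
}

# Prints "match" when tom.crt really belongs to tom.key (the pair nginx will load).
key_matches_cert() {
    k=$(openssl rsa -in "$1/tom.key" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$1/tom.crt" -noout -modulus 2>/dev/null)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Prints "trusted" or "untrusted", the decision a browser takes in step [3]. Without a
# trust anchor ($2) the self-signed certificate is untrusted: that is the post's warning.
# With tom.crt itself supplied as the anchor, it verifies cleanly.
verify_cert() {
    if [ $# -gt 1 ]; then out=$(openssl verify -CAfile "$2" "$1/tom.crt" 2>&1) || true
    else out=$(openssl verify "$1/tom.crt" 2>&1) || true; fi
    case "$out" in
        *error*)  echo untrusted ;;   # old openssl versions print "OK" even after an error line
        *": OK"*) echo trusted ;;
        *)        echo untrusted ;;
    esac
}

# Prints how many subjectAltName IP entries for CERT_HOST the certificate carries.
san_entries() {
    openssl x509 -in "$1/tom.crt" -noout -text | grep -c "IP Address:$CERT_HOST" || true
}

if [ "${1:-}" = run ]; then   # sh thisfile.sh run
    make_selfsigned ./certs
    echo "key/cert: $(key_matches_cert ./certs), SAN entries: $(san_entries ./certs)"
    echo "no trust anchor: $(verify_cert ./certs); tom.crt as anchor: $(verify_cert ./certs ./certs/tom.crt)"
fi
```

Recent openssl versions return a non-zero status from openssl verify on failure while older ones did not, which is why verify_cert inspects the output instead of the exit code.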

But how do we apply these certificates to the webserver? Somehow, we must tell the webserver that such certificates exist. I now use nginx as webserver and this is what my config file looks like:

worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;

    # HTTP server: every plain request is redirected to its https:// counterpart
    server {
        listen       80;
        server_name  192.168.5.14;
        return       https://$server_name$request_uri;
    }

    # HTTPS server: the certificate and the passphrase-free private key from above
    server {
        listen       443 ssl;
        server_name  192.168.5.14;

        ssl_certificate      tom.crt;
        ssl_certificate_key  tom.key;

        location / {
            root       html;
            index      index.html index.htm;
            error_page 404 /404.html;
        }

        # the dot must be escaped, otherwise the pattern also matches e.g. "xphp"
        location ~ \.php$ {
            root           html;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME c:/nginx/html/$fastcgi_script_name;
            include        fastcgi_params;
        }
    }
}

I would say that this config file looks rather straightforward. In the first part, any request on port 80 is translated into an https request. In the second part, you see that the certificate and the private key are handed to the server with ssl_certificate and ssl_certificate_key.