How SSL provides security

This section describes how SSL (and its successor, TLS) secures a connection: the peers authenticate each other with X.509 certificates signed by a Certificate Authority, and then encrypt the data they exchange.

Authentication and encryption

SSL starts with a "handshake," during which the client authenticates the server, and the server optionally authenticates the client. The handshake relies on public-key cryptography: the client and server agree on a cipher suite (the key exchange, authentication, encryption and integrity algorithms to use) and establish the session keys that protect the rest of the connection. The handshake also settles the format (the record protocol) in which encrypted data is transmitted.

Certificate Authorities (CA)

When securing communications, the server (and, if client authentication is used, the client) presents an X.509 certificate. The client verifies the server's certificate against the certificate of the Certificate Authority (CA) that signed it. If the server presents a self-signed certificate, no CA vouches for it, so the client must have been given that exact certificate in advance and configured to trust it; this is appropriate for test environments only. The client should also check that the certificate was issued for the host it intended to reach (its subject or Subject Alternative Name), because a validly signed certificate for a different host does not authenticate the server. Verification of the client's certificate by the server is optional and works the same way. Once the certificates are verified, the client and the server use the negotiated session keys and begin encrypted communication using symmetric-key cryptography, which is far faster than public-key operations.

These are the main fields in an X.509 v3 certificate:

Generating a certificate

The process of generating a certificate involves these basic steps:

  1. Generate the public-private key pair.

  2. Store the private key securely, for example encrypted with a passphrase. Anyone who obtains the private key can impersonate the server.

  3. Generate a certificate signing request (CSR) in PKCS#10 format for the server certificate.

  4. Present the CSR to the CA.

  5. Receive the signed certificate from the CA.

  6. Store the certificate.

You can use different tools, such as the OpenSSL command line, to generate test (self-signed) certificates. Clients do not trust such certificates by default, so they are suitable only for testing.
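The following script is an example added to this page, not part of the original text or of any product's own tooling. It carries out the six steps above with the OpenSSL command line and then performs the check described under Certificate Authorities (CA): the client verifies the issued certificate against the CA certificate it trusts and against the host name it intended to reach. Because a real CA is an external party, the script creates a throwaway test CA to play that role; the working directory, the host name www.example.test and the passphrase are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): the six generation steps above,
# carried out with the openssl command line, followed by the check a client
# performs on the result. A throwaway CA created here stands in for the real
# Certificate Authority; directory, host name and passphrase are placeholders.
set -eu

# Minimal openssl config so the example does not depend on the system's
# openssl.cnf. The [ca_ext] section is applied only to the self-signed CA
# certificate (-x509); the empty [dn] section is filled from -subj.
write_req_config() {
    cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Test environments only: create a local CA (key + self-signed certificate)
# to play the part of the CA. In production you never hold the CA's private
# key; you hold only its certificate, which is what peers are verified against.
make_test_ca() {
    write_req_config
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key 2>/dev/null
    openssl req -x509 -new -config req.cnf -key ca.key -sha256 -days 365 \
        -subj "/CN=$1" -out ca.crt
}

# Steps 1 and 2: generate the server key pair and store the private key
# encrypted under a passphrase (PKCS#8 PEM block "ENCRYPTED PRIVATE KEY").
make_server_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "pass:$1" -out server.key 2>/dev/null
}

# Step 3: build a PKCS#10 certificate signing request for the server.
# $1 = key passphrase, $2 = host name the certificate is for.
make_csr() {
    write_req_config
    openssl req -new -config req.cnf -key server.key -passin "pass:$1" \
        -sha256 -subj "/CN=$2" -out server.csr
}

# Steps 4 and 5: present the CSR to the CA and receive the signed certificate.
# The CA, not the requester, decides the extensions: a server certificate
# must not be a CA and must carry the host name as a subjectAltName, which
# is what clients match against (the CN alone is no longer sufficient).
sign_csr() {
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' "$1" > server.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 90 -sha256 -extfile server.ext -out server.crt 2>/dev/null
}

# What the client does with the result: verify the chain against the CA
# certificate it trusts ($1) AND check that the certificate ($3) was issued
# for the host it intended to reach ($2). Returns 0 only if both hold.
client_verifies() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

# Prints the subject field of a certificate file.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Step 6 is simply keeping the resulting files. issue_certificate runs the
# whole flow inside directory $1 with passphrase $2 for host $3 and returns 0
# only when the issued certificate verifies the way a client verifies it.
issue_certificate() (
    cd "$1" &&
    make_test_ca "Example Test CA" &&
    make_server_key "$2" &&
    make_csr "$2" "$3" &&
    sign_csr "$3" &&
    client_verifies ca.crt "$3" server.crt
)

# Stand-alone run: issue a certificate for a placeholder host and show the
# main fields a client looks at.
WORKDIR="$(mktemp -d)"
issue_certificate "$WORKDIR" "change-this-passphrase" "www.example.test"
echo "issued: $(cert_subject "$WORKDIR/server.crt")"
openssl x509 -in "$WORKDIR/server.crt" -noout -issuer -serial -dates
```

With a real CA, steps 4 and 5 happen out of band: you send server.csr to the CA and receive server.crt back, and make_test_ca is replaced by the CA's published certificate, which is the only CA material a client ever needs. Note that client_verifies fails both for a certificate signed by a CA the client does not trust and for a correctly signed certificate that names a different host; the second case is the one most often overlooked when verification is implemented by hand.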