Introduction to SSL
SSL (Secure Sockets Layer) is protocol used for establishing secured connection over the internet between a client and a server. Oracle WebLogic Server Supports SSL 3.0. Configuring SSL is an optional. You can avoid SSL in development environments, Oracle recommends to use SSL configurations for production environments.
SSL can be configured in two ways
One-Way SSL
In One-Way SSL the server must present its certificate to the client, but vice versa is not required.
One-Way SSL is common on the Internet and used in B2C applications. B2C stands for Business to Customer. It refers to the transactions between businesses and their customers. Example: Amazon online bookstore.
Two-Way SSL
In this the server presents its certificate to the client and the client presents its certificate to the server.
It is used in B2B applications. B2B stands for Business to Business. It refers transactions between businesses such as between a manufacturer and a wholesaler, or between a wholesaler and a retailer.
Private Keys, Digital Certificates, and Trusted Certificate Authorities
SSL uses public key encryption technology for authentication. Private keys, digital certificates, and trusted certificate authorities establish and verify server identity.
Public-key cryptography require two separate keys, one of which is private and one of which is public. These two keys are mathematically linked. Public-key cryptography is also known as asymmetric cryptography as it uses two different keys.
Public Key
Public key is known to every one and it is used to
Private Key
Private key is a secret key which is known to owner or server only and it is used to
With public key encryption, a public key and a private key are generated for a server. The keys are related such that data encrypted with the public key can only be decrypted using the corresponding private key and vice versa.
Digital Certificate
It is also known as public key certificate is an electronic document which uses a digital signature to bind a public key with an identity. The identity could be anything. For example it could be represent a user, a device, a service or even a few lines of code. The public key is embedded into a digital certificate with additional information describing the owner of the public key, such as name, street address, and e-mail address. A private key and digital certificate provide identity for the server.
The certificate authority (CA) takes the responsible to issue the certificates. The data embedded in a digital certificate is verified by a certificate authority and digitally signed with the certificate authority's digital certificate. Well-know certificate authorities include Verisign and Entrust.net. The trusted certificate authority (CA) certificate establishes trust for a certificate.
Trusted Certificate Authorities
The certificate authority (CA) takes the responsible to issue the certificates. The data embedded in a digital certificate is verified by a certificate authority and digitally signed with the certificate authority's digital certificate. Well-know certificate authorities include Verisign and Entrust.net. The trusted certificate authority (CA) certificate establishes trust for a certificate.
There are multiple CAs and they will be organized hierarchically. The top level would be the Root CA, which have a certificate signed by itself. All subordinate Certificate Authorities certificate should be requested to and signed by the root CA. Clients send the certificate signing request (CSR) to some subordinate CAs. They will sign the certificate with their private key and issue the following certificates.
Root Certificate
A certificate authority can issue multiple certificates in the form of a tree structure. A root certificate is the top-most certificate of the tree, the private key of which is used to "sign" other certificates.
Chain Certificate
It is an intermediate certificate which forms the chain of trust. All certificates immediately below the root certificate inherit the trustworthiness of the root certificate. It is also known as L1C or Intermeidate Certificate. It provides the chain of trust between the signed certficate, the signing CA and one of the root CAs.
How to check which one is Root Certificate, Chain Certificate or Server Signed Certificate?
Every certificate includes the fields "Issued To" and "Issued By".
Server signed certificate includes the fields "Issued To" be the host name or domain name and "Issued By" will be Intermediate CA.
On the other hand an intermediate CA certificate will show different information in these two fields like "Issued To" be the intermediate CA and "Issued By" will be the Root CA or another Intermediate CA
On the other hand the Root CA certificate contains both "Issued To" and "Issued By" will be the same CA.
SSL Certificate Types
Regular SSL Certificates: The regular certificates can be installed on one domain.
Wildard SSL Certificates: If you want to have encrypted secure connection over several subdomains on a on a single domain name you need Wildcard SSL Certificates.
EV SSL Cerificates: The EV SSL certificate are issued to firms and companies which are legally presented. These certificates are used to build additional confidence in the company‘s customers
SSL Hand Shake
It enables the client and server to agree on the version of the SSL protocol to use,type of cryptographic algorithms to select, authenticate each other by exchanging and validating digital certificates.
Steps involved in the SSL handshake are as below:
Once handshake is done, creation of a SSL session between the client and the server, allowing the end-points to exchange application data securely, using the negotiated parameters for encryption and decryption.
Note:
The SSL handshake involves compute-intensive public-key cryptography, adding significant delay to the connection establishment process.
SSL (Secure Sockets Layer) is protocol used for establishing secured connection over the internet between a client and a server. Oracle WebLogic Server Supports SSL 3.0. Configuring SSL is an optional. You can avoid SSL in development environments, Oracle recommends to use SSL configurations for production environments.
SSL can be configured in two ways
- One-Way SSL
- Two-Way SSL
One-Way SSL
In One-Way SSL the server must present its certificate to the client, but vice versa is not required.
One-Way SSL is common on the Internet and used in B2C applications. B2C stands for Business to Customer. It refers to the transactions between businesses and their customers. Example: Amazon online bookstore.
Two-Way SSL
In this the server presents its certificate to the client and the client presents its certificate to the server.
It is used in B2B applications. B2B stands for Business to Business. It refers transactions between businesses such as between a manufacturer and a wholesaler, or between a wholesaler and a retailer.
Private Keys, Digital Certificates, and Trusted Certificate Authorities
SSL uses public key encryption technology for authentication. Private keys, digital certificates, and trusted certificate authorities establish and verify server identity.
Public-key cryptography require two separate keys, one of which is private and one of which is public. These two keys are mathematically linked. Public-key cryptography is also known as asymmetric cryptography as it uses two different keys.
Public Key
Public key is known to every one and it is used to
- Encrypt plaintext (or)
- Verify the digital signature of a certificate
Private Key
Private key is a secret key which is known to owner or server only and it is used to
- Decrypt the cipher text or encrypted text
- Create a digital signature
With public key encryption, a public key and a private key are generated for a server. The keys are related such that data encrypted with the public key can only be decrypted using the corresponding private key and vice versa.
Digital Certificate
It is also known as public key certificate is an electronic document which uses a digital signature to bind a public key with an identity. The identity could be anything. For example it could be represent a user, a device, a service or even a few lines of code. The public key is embedded into a digital certificate with additional information describing the owner of the public key, such as name, street address, and e-mail address. A private key and digital certificate provide identity for the server.
The certificate authority (CA) takes the responsible to issue the certificates. The data embedded in a digital certificate is verified by a certificate authority and digitally signed with the certificate authority's digital certificate. Well-know certificate authorities include Verisign and Entrust.net. The trusted certificate authority (CA) certificate establishes trust for a certificate.
Trusted Certificate Authorities
The certificate authority (CA) takes the responsible to issue the certificates. The data embedded in a digital certificate is verified by a certificate authority and digitally signed with the certificate authority's digital certificate. Well-know certificate authorities include Verisign and Entrust.net. The trusted certificate authority (CA) certificate establishes trust for a certificate.
There are multiple CAs and they will be organized hierarchically. The top level would be the Root CA, which have a certificate signed by itself. All subordinate Certificate Authorities certificate should be requested to and signed by the root CA. Clients send the certificate signing request (CSR) to some subordinate CAs. They will sign the certificate with their private key and issue the following certificates.
- Root Certificate
- Chain Certificate
- Server Signed Certificate
Root Certificate
A certificate authority can issue multiple certificates in the form of a tree structure. A root certificate is the top-most certificate of the tree, the private key of which is used to "sign" other certificates.
Chain Certificate
It is an intermediate certificate which forms the chain of trust. All certificates immediately below the root certificate inherit the trustworthiness of the root certificate. It is also known as L1C or Intermeidate Certificate. It provides the chain of trust between the signed certficate, the signing CA and one of the root CAs.
How to check which one is Root Certificate, Chain Certificate or Server Signed Certificate?
Every certificate includes the fields "Issued To" and "Issued By".
Server signed certificate includes the fields "Issued To" be the host name or domain name and "Issued By" will be Intermediate CA.
On the other hand an intermediate CA certificate will show different information in these two fields like "Issued To" be the intermediate CA and "Issued By" will be the Root CA or another Intermediate CA
On the other hand the Root CA certificate contains both "Issued To" and "Issued By" will be the same CA.
Regular SSL Certificates: The regular certificates can be installed on one domain.
Wildard SSL Certificates: If you want to have encrypted secure connection over several subdomains on a on a single domain name you need Wildcard SSL Certificates.
EV SSL Cerificates: The EV SSL certificate are issued to firms and companies which are legally presented. These certificates are used to build additional confidence in the company‘s customers
SSL Hand Shake
It enables the client and server to agree on the version of the SSL protocol to use,type of cryptographic algorithms to select, authenticate each other by exchanging and validating digital certificates.
Steps involved in the SSL handshake are as below:
- The ssl handshake starts from the client with "client hello" message that lists cryptographic information (the SSL version and the CipherSuites supported by the client.). The message also contains a random byte string that is used in subsequent computations.
- The server responds with a "server hello" message that contains the CipherSuite chosen by the server from the list provided by the SSL client, the session ID and another random byte string. The SSL server also sends its digital certificate. If the server requires a digital certificate for client authentication, the server sends a "client certificate request"
- The client verifies the digital signature on the SSL server's digital certificate and checks that the CipherSuite chosen by the server is acceptable.
- The client sends the random byte string (pre-master secret) that enables both the client and the server to compute the secret key to be used for encrypting subsequent message data. The random byte string itself is encrypted with the server's public key.
- If the server sent a "client certificate request", the SSL client sends a random byte string encrypted with the client's private key, together with the client's digital certificate
- The client sends the server a "finished" message, which is encrypted with the secret key, indicating that the client part of the handshake is complete.
- The server sends the SSL client a "finished" message, which is encrypted with the secret key, indicating that the server part of the handshake is complete.
Once handshake is done, creation of a SSL session between the client and the server, allowing the end-points to exchange application data securely, using the negotiated parameters for encryption and decryption.
Note:
The SSL handshake involves compute-intensive public-key cryptography, adding significant delay to the connection establishment process.
