Normally web traffic (HTTP) is unencrypted, i.e. it is passed around the network in plain text, so anyone with the right tools can view what is being transmitted. This is generally okay, but we also pass sensitive information like credit card details and passwords, and nowadays even personal information and emails matter, as they may be used for identity theft; this is why websites like Facebook and GMail use HTTPS by default. HTTPS works by using SSL, which in turn uses asymmetric cryptography, popularly known as public key cryptography. In public key cryptography there is a public key and a private key: anything encrypted with the public key can only be decrypted with the corresponding private key, and vice versa. Although SSL uses public key cryptography, a certificate is necessary, not for the functioning or the strength of the encryption but to verify that the owner of the certificate is the person/organization they claim to be; CAs (Certificate Authorities) sign your certificate so that others can trust you. See the image below for how the GMail certificate is signed by Thawte. In case you just want to use SSL for web applications in your private network or organization, or just want to test HTTPS with your application, you can self-sign the certificate and add the CA certificate to your browser's trusted list.

Generating The Private Key

We'll be using OpenSSL to generate a 2048-bit RSA private key, encrypted with the Triple-DES algorithm (the -des3 option) under a pass phrase. This plays the role of the CA's private key in the real-world scenario.

Code:
[pradeep@home-desktop ssl]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
................+++
..........................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

Creating A Certificate Signing Request (CSR)

Now that we have the private key, we need to create a CSR. Normally it is sent to a CA (Certificate Authority) like VeriSign or Thawte, who will sign our certificate with their private key, but here we'll be self-signing the certificate.

Code:
[pradeep@home-desktop ssl]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Mumbai
Locality Name (eg, city) [Newbury]:Matunga
Organization Name (eg, company) [My Company Ltd]:Go4expert
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:secure.go4expert.com
Email Address []:shabbir@go4expert.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Self-Signing The CSR

Now we can sign the CSR using the private key created in the first step, and we'll get a certificate. Using this certificate will show an error/warning in your browser, which we'll see how to fix in the last step.

Code:
[pradeep@home-desktop ssl]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=IN/ST=Mumbai/L=Matunga/O=Go4expert/CN=secure.go4expert.com/emailAddress=shabbir@go4expert.com
Getting Private key
Enter pass phrase for server.key:

This certificate is now valid for a year.

Setting Up SSL in Apache

Code:
[pradeep@home-desktop ssl]# cp server.crt /etc/httpd/conf/ssl.crt
[pradeep@home-desktop ssl]# cp server.key /etc/httpd/conf/ssl.key

Configuring for virtual hosts or globally:

Code:
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

Making Your Browser Trust The Self-Signed Certificate

Chrome
Firefox
IE
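The same three steps (key, CSR, self-signed certificate) as a non-interactive script, added here as an example and not part of the original post, followed by the checks an administrator would run before pointing Apache at the files: that the certificate verifies against itself, that its modulus matches the private key, and that the hostname landed in the subject. The output directory, the pass phrase and the hostname are assumed values passed as arguments; the DN fields mirror the CSR above, and a subjectAltName is added because current browsers no longer accept a hostname that appears only in the CN.

```bash
#!/bin/sh
# Non-interactive key -> CSR -> self-signed cert, then sanity checks.
# Assumed: OpenSSL 1.0.2 or newer on PATH. The pass phrase is taken from
# the command line for a lab run; for real use prefer -passin file:/env:.
set -eu

make_selfsigned() {
    dir="$1"    # output directory (created if missing)
    cn="$2"     # Common Name / hostname, e.g. secure.go4expert.com
    pass="$3"   # pass phrase protecting server.key
    mkdir -p "$dir"
    # 1. 2048-bit RSA key, encrypted with Triple-DES (-des3) as on the page.
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/server.key" 2048 2>/dev/null
    # 2. CSR with the DN given via -subj instead of the interactive prompts.
    openssl req -new -key "$dir/server.key" -passin "pass:$pass" \
        -subj "/C=IN/ST=Mumbai/L=Matunga/O=Go4expert/CN=$cn" -out "$dir/server.csr"
    # 3. Self-sign for 365 days; -extfile adds the subjectAltName extension.
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$dir/ext.cnf"
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -passin "pass:$pass" -extfile "$dir/ext.cnf" -out "$dir/server.crt" 2>/dev/null
    # Apache would prompt for the pass phrase at every start, so also write an
    # unencrypted copy, readable only by its owner, for SSLCertificateKeyFile.
    openssl rsa -in "$dir/server.key" -passin "pass:$pass" \
        -out "$dir/server-nopass.key" 2>/dev/null
    chmod 600 "$dir/server.key" "$dir/server-nopass.key"
}

# Returns 0 when the certificate is self-consistent: it verifies with itself as
# the trust anchor, and its RSA modulus equals the private key's modulus.
check_selfsigned() {
    dir="$1"; pass="$2"
    openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key" -passin "pass:$pass")
    [ "$crt_mod" = "$key_mod" ]
}

# Prints only the CN, so a caller can confirm the hostname went in correctly
# (handles both the "/CN=" and the "CN = " subject formats OpenSSL prints).
cert_cn() {
    openssl x509 -noout -subject -in "$1/server.crt" | sed 's/.*CN *= *//'
}
```

Run as `make_selfsigned ./ssl secure.go4expert.com 'your pass phrase'` and then `check_selfsigned ./ssl 'your pass phrase'`; the browser warning remains until the certificate is imported as described in the last step.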
I just want to ask: would it be as secure as a certificate issued by certificate authorities like GeoTrust, Comodo or VeriSign?