SSL Mutual Authentication on Linux - ssl

It must be something really simple but right now I am not getting anywhere with this (I am not a network geek but a programmer).
We are trying to secure web services created between our server and a vendor. Our vendor is asking to send them the public key for an SSL certificate to secure requests and responses in our web services.
What I did
I forwarded the following to our hosting provider but they only provide SSL certificate for websites and didn't give any clear clue to what to do next.
Create a Certificate Signing Request (CSR) with any CN
Have CSR signed from CA
Merge the signed cert file with the CSR to create the actual
certificate
Extract the public and private certificates
What I need
All I need simple set of instructions to what I should do or where can I get/purchase this certificate.
Thanks,

Related

How to generate x509 client certificate with extension TLS Web Client Authentication enabled

Good evening, the ANAC (National Anti-Corruption Authority), in order to configure cooperation services in mutual authentication, asks to send a client certificate (even self-signed) in X.509 format, with the extension "TLS Web Client Authentication" enabled.
It also asks to provide the public certification chain used to sign the client certificate.
Question: How do I generate the certificate? OpenSSL? And with which public certification chain do I sign it? Thanks in advance for any suggestions.

How SSL certificate and keystore works together?

I'm wondering why we need SSL certificate ? Because the moment we generate the keystore, it does the same functionality. It gives SSL platform.
May I know please why we need certificate and if it really needs then how it works (Certificate merged with keystore) when a third party sends a request to access web-server's website ?
To use the SSL certificate in a web server, you configure your web server software (Apache, NGINX, etc...) to read the certificate. Tutorials on this topic abound; here is a sample set of instructions from DigiCert, who sells SSL certificates: https://www.digicert.com/ssl-certificate-installation-ubuntu-server-with-apache2.htm

store certificate which we got via SSL handshake

We have done client certificate authentication via SSLVerifyClient require method. Now authentication is being done as required.
Now we want to store the client certificate which we is being presented by the client during SSL handshake.
Is there a way I can save the client certificate which I am getting during authentication into a directory or somewhere? I need to get the public key and CN information from the client certificate.
Apache provides the full certificates and extracted parts of it using a variety of environment variables, like SSL_CLIENT_CERT for the full certificate or SSL_CLIENT_S_DN for the subject DN. See the documentation for more details on this.

SSL approach for private software

What is the proper way of using SSL certificates for private applications? By private I mean that I am the only user, and software is running on my computers.
I want to have a encrypted communication between two of my programs. I want to send passwords between them, so I need to be sure that remote program is not fake/hacked.
As far as I understand I don't need to get paid SSL certificate from the CA, if there is no third party involved.
Is the following correct?
Server has a private key and self-signed SSL certificate.
Client has a copy of server's self-signed certificate (it needs to be well protected).
During the handshake server sends the certificate to client.
client checks if the certificates are the same.
client can start encrypted transmission.
Is there other way?
Server has a private key and self-signed SSL certificate.
Yes
Client has a copy of server's self-signed certificate (it needs to be well protected).
The client has either a copy of the certificate or the certificates public key or the fingerprint of these. Since the certificate is public these information do not need to be protected. Only the private key of the server (residing only in the server side) needs to be protected because using this key one could prove ownership of the certificate.
During the handshake server sends the certificate to client.
Yes.
client checks if the certificates are the same.
Kind of. It might check the certificate or the public key or the fingerprints.
client can start encrypted transmission.
Yes.
I would recommend that you read the OWASP article about certificate and public key pinning. It also contains sample code for various environments.
Client has a copy of server's self-signed certificate (it needs to be well protected).
Clients do not have copy of the server certificate. They get it in SSL handshake
client checks if the certificates are the same.
NO! Clients will have the public certificate of the Certificate Authorities who would have signed the server certificate. They will validate the server cert with the CA cert including things like certificate expiry, CRLs. Not compare for 'sameness'
In your case you are using the self-signed certificates. The clients should be made to ignore the self signed certificate and proceed with SSL handshake.
I would recommend you read through SSL handshake sequence again.

SSL Certificates and browser to web-server connectivity

I am sure this is embedded in the details of the SSL certificate/HTTPS specs but I am not entirely grokking this subject.
If a modern browser connects to a HTTPS site, the body of the HTTP request is encrypted. Is the SSL certificate essentially the "public" key used to communicate back and forth between the client and server?
Couldn't a hacker get the public key from the public site, say "https://www.google.com" and monitor client/server traffic and decrypt the data?
Also, do clients need to verify the "issuer" of a certificate. For example, self sign certificates clients don't need to verify but for certificates provided from a trusted issuer, what happens during the certificate verification process?
The server's certificate contains a public key which in fact is visible to everybody. This key in turn is used during the handshake between the server and client in order to create a unique session key that will be used to encrypt any further messages:
http://en.wikipedia.org/wiki/Secure_Sockets_Layer#TLS_handshake_in_detail
Couldn't a hacker get the public key from the public site, say
"https://www.google.com" and monitor client/server traffic and decrypt
the data?
The hacker won't know the session key. He will be listening to (senseless) encrypted stuff.
Also, do clients need to verify the "issuer" of a certificate. For
example, self sign certificates clients don't need to verify but for
certificates provided from a trusted issuer, what happens during the
certificate verification process?
Like you said, the issuer of the certificate is verified against a pre-defined list of trusted authorities. Any certificate up in the chain will be verified too, including the trusted issuer, expiration dates. Additionally each certificate contains URLs that point to Certificate Revocation Lists (CRL Distribution Points), the client will attempt to download the list from such URL and ensure the certificate at hand has not been revoked.