In our previous post, we discussed what a digital certificate is. But how do digital certificates work? Today, we're going to give you an overview of the basic process involving the creation, signing, deployment, and use of digital certificates.
There are different types of digital certificates, but we'll be focusing on the server certificates used in secure web servers, since they're the most common. You come across these kinds of certificates on the Web every day, particularly when you connect to sites that support HTTPS. A CA-signed server certificate is the kind of certificate you need to deploy if you don't want Web browsers to display a warning when users attempt to connect to your secure file transfer server.
CA Certificates - the certificates in your browser
Before any major Web browser like Chrome, Firefox, Safari or Internet Explorer connects to your server via HTTPS, it already has in its possession a set of certificates that can be used to verify the digital signature that will be found on your server certificate. These Web browser digital certificates are called CA (Certificate Authority) certificates. Each of them carries a copy of the public key of the CA that might issue (sign) your server certificate.
CA certificates of widely accepted certificate authorities come pre-installed with popular Web browsers, so there is nothing for you to install. This is what allows browsers to verify the digital signature on server certificates (more about this process later): the private keys the CAs use to sign server certificates already have their corresponding public keys sitting in your users' Web browsers.
Generating CSRs and having your cert signed by a CA
You can create your own digital certificate if you want. You can use free tools like OpenSSL. Alternatively, you can also use built-in tools that come with secure file transfer software like JSCAPE MFT Server.
You usually start by generating a private key / public key pair, followed by a CSR (Certificate Signing Request). The CSR would contain a copy of the public key and some basic information about the subject. Once you've generated a CSR, you would then submit that CSR to a CA.
The article How To Set Up A HTTPS File Transfer includes a nice discussion detailing the steps of creating a digital certificate in JSCAPE MFT Server. Once the CA is done signing the cert, it returns the signed certificate to you, and you then import that signed certificate into your server.
If we recall our discussion on digital certificates, the signed cert would contain some basic information regarding the subject (your site), the issuer, the validity period, the public key (of your site), and a digital signature of the cert signed using the CA's private key.
- You generate a private key / public key pair and submit a CSR to a Certificate Authority. The contents of the CSR will form part of the final server certificate.
- The CA verifies whether the information on the certificate is correct and then signs it using its (the CA's) private key. It then returns the signed server certificate to you.
- You import the signed server certificate onto your server.
Sending of server certificate during SSL Handshake
Before a browser and an HTTPS server can exchange data over an encrypted connection, they first engage in a process known as the SSL handshake. One important part of the SSL handshake is the sending of the server certificate to the Web browser. It's here that the Web browser is able to authenticate the identity of the server it's connecting to.
As soon as the browser receives a copy of the server certificate, it checks which CA signed the server cert and then retrieves the CA certificate of that particular Certificate Authority. It then uses the public key on that CA certificate to verify the digital signature on the server cert.
Once the digital signature has been authenticated, the browser and server can proceed with the rest of the SSL process. If you want to know how the public key on the server certificate is used, I suggest you read the article Roles of Server and Client Keys in Secure File Transfers.
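The steps listed above (key pair, CSR, CA signature, import) and the signature check a browser performs during the handshake, as an added example that is not part of the original post or of JSCAPE MFT Server: it drives the openssl command-line tool, which the post mentions as a free option. Because no public CA is involved, a locally generated self-signed key pair stands in for the Certificate Authority; the CA name, the hostname files.example.com and the scratch-directory layout are all constructed placeholders.

```shell
# Added example (not from the original post): the CSR -> CA signature ->
# verification flow, driven with the openssl CLI. The Certificate Authority
# is a locally created self-signed key pair standing in for a real CA;
# "demo-ca" and "files.example.com" are placeholder names.
set -e

# Create a CA private key plus a self-signed CA certificate.
# In the real world this is the certificate already shipped in your browser.
make_ca() {              # make_ca <dir> <ca-name>
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/$2.key" -out "$1/$2.crt" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# Step 1: the server operator generates a key pair and a CSR.
# The CSR carries the public key and subject details; the private key stays on the server.
make_csr() {             # make_csr <dir> <hostname>
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$1/server.key" -out "$1/server.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# Step 2: the CA checks the CSR (the checks themselves are outside this example)
# and signs it with its private key, producing the server certificate it hands back.
sign_csr() {             # sign_csr <dir> <ca-name>
    openssl x509 -req -in "$1/server.csr" \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -days 90 -out "$1/server.crt" >/dev/null 2>&1
}

# What the browser reads first: which CA issued this certificate.
cert_issuer() {          # cert_issuer <cert-file>
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253
}

# Step 3 (handshake): check the signature on the server certificate using only
# the public key held in the CA certificate. Exit status 0 means it checks out.
verify_with_ca() {       # verify_with_ca <ca-cert> <server-cert>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run the complete flow inside a scratch directory.
run_demo() {             # run_demo <dir>
    mkdir -p "$1"
    make_ca "$1" "demo-ca"
    make_csr "$1" "files.example.com"
    sign_csr "$1" "demo-ca"
    cert_issuer "$1/server.crt"
    verify_with_ca "$1/demo-ca.crt" "$1/server.crt"
}
```

Run the whole flow with `run_demo "$(mktemp -d)"`. `openssl verify` exits non-zero when the supplied CA certificate does not hold the public key that matches the signature on the server certificate, which is exactly the situation in which a browser shows the warning mentioned at the top of the post: the browser has no trusted CA certificate that can vouch for the server.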
Now that you have a basic understanding of digital certificates, you can start enhancing the security of your web file transfer.