Understanding SSL

Table of Contents

TODO

  1. https://www.ssl.com/article/what-is-a-certificate-authority-ca/#:~:text=The%20CA%20verifies%20the%20certificate,trust%20in%20the%20certificate's%20validity.
  2. https://www.digicert.com/blog/what-is-a-certificate-authority

How are certificate signing authorities used in companies?

  1. The entity that wants to be secured will use its own private key and send a CSR (Cerficate Signing Request) to a Certificate Signing Authority (CSA).
  2. The CSA will use their private key to approve this CSR and they will give a certificate to the requesting entity.

Examples of CSAs

  1. DigiCert

How will the client applications (the developer applications in developers’ local computers) connect to this secured entity?

  1. All of the client applications have the CSA’s public key.
  2. All of the client applications will also have the public key of the secured entity (the bank).
  3. Check the path /etc/ssl/certs for the list of available public keys that are being used by the local computers.
  4. The client application needs to send a request to the secured entity with a key that is encrypted using the public keys of the CSA and the secured entity.
  5. Since the secured entity has a certificate from the CSA and it’s own private key, it will use it’s private key and the certificate from the CSA to validate whether this request from the client application can be trusted or not.
  6. This is how the communication between the client applications and the secured entity are protected/secured.

How to set this up for local computers for development purposes?

  1. We don’t have a CSA for local
  2. So we have to set-up our own certificates.

How do we generate certificates for local development?

See https://github.com/explorer436/programming-playground/blob/main/docker-compose-files/kafka/06-kafka-security-sasl-ssl/generate-certs/create-certificates.sh

  1. root.key is the private key of the server that wants to be secured.
  2. root.crt is the root certificate of the server that wants to be secured.
  3. kafka.keystore.jks is for the server that wants to be secured.
  4. kafka-signing-request.crt is the CSR from the server to the local CSA.
  5. kafka-signed.crt is the signed certificate from the local CSA.
  6. The server’s root certificate and the signed certificate from the CSA are imported into keystore. This is because, for development purposes, we also the secured server. The secured server’s keystore needs to have the root certificate and the signed certificate imported.
  7. We also import the root certificate into the trust store. This is because, for development purposes, we are also the client application. So, the client application’s trust store needs to have the root certificate.

Tags

  1. What is server-key.pem?
  2. What is server-chain.pem?
  3. What is ca.pem?

Links to this note