Thursday, January 14, 2010

Understanding SSL Certificates

I get a lot of questions about understanding certificates in general. This post is intended to answer those general questions and is not specific to any product, although I plan on using Windows Home Server and Windows Small Business Server 2008 as examples. I have a previous post on understanding the self-issued certificate in SBS 2003 and SBS 2008; this post will focus on understanding trusted certificates, and what makes them trusted.

Certificates serve two purposes:

  1. Authenticating the server to the client
  2. Providing encryption between the server and the client

I will cover authenticating the server to the client in this Part 1 post, and will write a Part 2 post that covers the second purpose, encryption.

Part 1 – Authenticating the Server to the Client

Think of a certificate like a driver's license; a United States driver's license, as that's what I'm most familiar with. The driver's license has three key components that make it what it is.

  1. A name that identifies what you are called; in my case, "Sean Daniel"
  2. An expiry date, which identifies how long the license is valid for. This ensures data doesn't get stale, like your picture, your hair colour, or whether you need glasses to drive
  3. An issuing authority, such as Washington State

This is the same as a computer SSL certificate. It has a valid URL, an expiry date, and an issuing authority. When the client gets to the intended URL, such as https://remote.contoso.com, it asks the server for proof that it is remote.contoso.com, and the server presents its certificate. The client then performs the three checks. Does the name in the certificate match the host name the client asked for (i.e. are you "Sean Daniel")? Is this certificate still valid (is the expiry date after today's current date and time)? Those are the two easy-to-understand checks. The final check is "do I trust the issuing authority?" In the case of a driver's license, you'd bend it, look at it under a black light to make sure it's authentic, and then you'd see that Washington State issued it and be satisfied: sure, I trust the state government.

With certificates, it's slightly different. The computer follows the certificate chain outlined in the certificate path (this is the Internet Explorer certificate view):

[Screenshot: Certificate Chain, the certificate path view for foo.homeserver.com]

In the above example for Home Server, the client checks whether it trusts foo.homeserver.com. It looks in its trusted certificate store for a matching certificate; none would exist, of course, so it then looks for the "Go Daddy Secure Certification Authority" in the same store. Because the "Go Daddy Secure Certification Authority" trusts foo.homeserver.com (the server normally sends this intermediate certificate along with its own), the client can base its trust on that. Again, it won't find that certificate in its store, so it bounces up to the root certificate and looks for "Go Daddy Class 2 Certification Authority" in the trusted root store:

[Screenshot: Trusted Root Certification Authorities store on Windows 7]

As you can see from the view on my Windows 7 box, Windows 7 trusts this root certificate by default. Since I trust that certificate, and that certificate trusts the "Go Daddy Secure Certification Authority", my Windows 7 machine also trusts that authority; and since the "Go Daddy Secure Certification Authority" trusts foo.homeserver.com, my Windows 7 client also trusts foo.homeserver.com, and a trusted certificate connection is established.
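As an added example (my own code, not from the post), the Go program below builds a constructed three-level chain like the one in the screenshot and runs the same three checks using the standard crypto/x509 verifier: name match, validity period, and a chain back to a root held in a trust store. The CA names, the host name and all key material are constructed for the example; nothing here is the real Go Daddy chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for cn, signed by parent (self-signed root when parent is nil).
func newCert(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed; real CAs use random serials
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns, // the "name" check is made against these entries
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // the "expiry date"
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // root signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// verifyLeaf runs the post's three checks: name match, validity at now, and a chain to a trusted root.
func verifyLeaf(leaf, inter *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	inters := x509.NewCertPool()
	inters.AddCert(inter) // the server normally sends the intermediate along with its own cert
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host, CurrentTime: now})
	return err
}
func main() {
	root, rootKey := newCert("Example Class 2 CA", nil, true, nil, nil) // stands in for the trusted root
	inter, interKey := newCert("Example Secure CA", nil, true, root, rootKey)
	leaf, _ := newCert("remote.contoso.com", []string{"remote.contoso.com"}, false, inter, interKey)
	roots := x509.NewCertPool() // the client's trusted root store
	roots.AddCert(root)
	fmt.Println("trusted:", verifyLeaf(leaf, inter, roots, "remote.contoso.com", time.Now()))
	fmt.Println("wrong name:", verifyLeaf(leaf, inter, roots, "other.example", time.Now()))
}
```

Swapping in an empty root pool or a date past NotAfter makes the same call fail, which is exactly the "untrusted authority" and "expired" cases the post describes.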

In the non-computer world, think of it this way. When I try to get on a plane and present my driver's license (domestic flights only!), they trust WA state and allow me on the plane. If I were to present my Microsoft identification, they would probably look at me sideways and ask for another ID, because the airlines don't trust the Microsoft employee issuing authority. However, if I go to my company's Christmas party I can present EITHER my driver's license or my Microsoft ID, and they trust both, since they trust both WA state and the Microsoft employee issuing authority.

The same applies to Windows SBS 2003/2008 and their self-issued certificates. You install the leaf cert (SBS 2003) or the root cert (SBS 2008) into your client's trusted root store, and your client will then trust that issuing authority as described above. This is outlined in my old post.

On mobile devices, such as Windows Mobile, you need to ensure the certificate is in that device's root store as well, which is why some certs work and some don't on older Windows Mobile devices. Additionally, it's important to call out that browsers on clients behave differently too. For example, Firefox has its own certificate store and doesn't use the one in Windows. The certificates in Windows, and also on later mobile devices, are updated and maintained through the secure connection of Windows Update.

Hopefully this clears up server-to-client authentication. Of course, we know the client authenticates to the server by providing your username and password, to prove you are indeed the user the server should give access to.

Last important thing to remember: NEVER install a certificate over an insecure or untrusted Internet connection; you should always use a SECURE method of installing certificates. That means you download a cert over an already trusted and secure connection, or you bring it home in your pocket on a USB key. You never know if there is going to be a malicious server on the Internet giving you a bad certificate for the wrong server. Then you will just be giving your username and password to the wrong server on the Internet, and that would be a disaster.



Update: Continue on to Part 2, now posted.

24 comments:

Ryan said...

great post - thanks Sean! eagerly anticipating part2 re: encryption between server <---> client... ;)

Sean Daniel said...

Hi Ryan,

Thanks for the poke to get this finished, you can find this post live now.

Richard Majece said...

It's interesting that after reading https://justdomyhomework.com/blog/homework-does-not-have-to-be-hard I realized that homework does not have to be hard. Now I definitely want my teachers to read this.

Nikki Heysen said...

StudentsAssignmentHelp.com continues to give the best Case Study Assignment Writing for all the students studying in different colleges or universities of Australia. Our team of Aussie writers will help you to do your work easily.

damion said...

HPE0-S55 Practice Test HPE0-S55 marks4sure exam dumps help you to clear the HPE0-S55 test. If you want to get professional and HP real practice, we recommend you use our HPE0-S55 marks4sure

Donald Harper said...

CertificationGenie provides an effective and cost-efficient method to become a certified professional in the field of IT. We offer solutions for many certification programs like Microsoft Exams, Vmware Certification Exam Questions, IBM Tests, Oracle Dumps, Cisco Certification Braindumps and more. All the solutions meet the requirements for every certification and help you to become a certified professional.

abc assignment help said...

Your article is always informative. To get solution to assignment related query seek help from online members of our company.

allassignmenthelp reviews said...

Great post! I am actually getting ready to across this information, is very helpful my friend. Also great blog here with all of the valuable information you have. Keep up the good work you are doing here.

Amy Willor said...


A high-standard post with all imperative information about Assignment Help UK services. Looking forward to avail the premium services.

Patricia Garza said...

Amazing Information. I really Like it. asphalt 9 legends mod apk for android plants vs zombies 2 mod apk free download mortal kombat x modes

assignment help said...

Great post! I am actually getting ready to across this information, is very helpful my friend. Also great blog here with all of the valuable information you have. Keep up the good work you are doing here.

Get Online Assignment said...

I would like to thank you for the efforts you have made in writing this article. I am hoping the same best work from you in the future as well. Get Online Assignment

John Wayne said...

I find your blog really a good piece of content. I would love to share with other as it has really a useful information.


mycoursehelp said...

Thank you for posting such a great blog! I found your website perfect for my needs. It contains wonderful and helpful posts. Keep up the good work. Thank you for this wonderful Blog!
Visit: Homework Help

Anonymous said...

Java Assignment Help

Web App Development Company said...

Thanks for sharing this blog. A great information you shared through this blog. Keep it up and best of luck for your future blogs and posts. I have an important information regarding Web app development company

ammie jackson said...

Being an academic writer for the past 5 years providing assignment help writing services to college and university students, also associated with the Myassignmenthelp platform. I am dedicated to providing the best online academic writing services to college students at affordable rates. Fast Assignment Help - My Assignment Help

Keira Tayor said...

Avail the best essay writing solution in Australia. At EssayAssignmentHelp.com.au, you can get online essay help from top university experts.

MyAssignmentHelpAu said...

Your blogs are amazing and I am glad to read them. Thanks for sharing the tips and samples of our assignments. They are useful in knowing the key points that can increase the value of an assignment. And a special thanks to the My Assignment Help Australia for helping the students 24/7. You can email us at Info@Myassignmenthelpau.Com or Phone Number: +61-2-8005-8227

Anurag arora said...

Digital Marketing is not just present, its future! As we see around us everything is getting related to the virtual world with each counting day, so it is important for us to keep up with the flow and adopt this change smartly in everything we do, we sell. We are teaching here at Koderey Techstack - Digital Marketing Course in Delhi to grow your Digital Marketing skills and see some wonderful growth in your current business.  Thanks


Anurag arora said...

This is simply not hidden to anybody that speaking in English these days has been more than just a trend and it helps you grow the overall personality that further helps you in many aspects in your life. even if you are appearing for a good job, the first that an interviewer judges you is with your way of communication and understanding the same. American Lingua  is teaching you with all the skills you require to have an excellent command on your Language.


Roxy smith said...

Hello,
I am roxy smith.
thanks for sharing this post.

provide you best Assignment help Australia anytime.