I get a lot of questions on understanding certificates in general, this post is intended to answer those general questions and is not specific to any product. Although I plan on using Windows Home Server and Windows Small Business Server 2008 as examples here. I do have a previous post on understanding the self-issued certificate in SBS 2003 and SBS 2008, as this post will focus on understanding trusted certificates, and what makes them trusted.
Certificates provide two purposes:
- Authenticating the server to the client
- Providing encryption between the server and the client
I will cover the authenticating the server to the client in this part 1 post, and will write a part 2 post that handles the second part of encryption.
Part 1 – Authenticating the Server to the Client
Think of a certificate like a drivers license; a United States drivers license as that’s what I’m most familiar with. The drivers license has three key components that makes it what it is.
- A name that identifies what you are called, in my case, “Sean Daniel”
- An expiry date, that identifies when the license is valid from. This ensures data doesn’t get stale, like your picture, or hair colour, or if you need glasses or not to drive
- An issuing authority, such as Washington State
This is the same as a computer SSL certificate. It has a valid URL, an expiry date, and an issuing authority. When the client gets to the intended URL such as https://remote.contoso.com, it asks the server for proof that it is remote.contoso.com, and the server presents it’s certificate. The client validates the 3 checks. Does the URL in the certificate match (ie. are you “Sean Daniel”). Is this certificate valid (is the expiry date past today’s current date and time). Those are the two easy to understand checks. The final check is “do I trust the issuing authority”. In the case of a drivers license, you’d bend it, look at it under a black light to make sure it’s authentic, and then you’d see Washington state issued it and be. Sure, I trust the state government.
With certificates, it’s slightly different. The computer follows the certificate chain outlined in the certificate path (IE view):
In the above example for Home Server, the client will check if it trusts foo.homeserver.com. It looks into it’s trusted certificate store for a matching certificate, none would exist of course, so it would then look for the “GoDaddy Secure Certification Authority” in the same store. Because the “GoDaddy Secure Certification Authority” trusts foo.homeserver.com, the client can base it’s trust on that. Again, it won’t find that certificate, so it bounces up to the root certificate and looks for “Go Daddy Class 2 Certification Authority” in the trusted root store:
As you can see from a view on my Windows 7 box, Windows 7 by default trusts this certificate, so since I trust that certificate, and that certificate trusts the “Go Daddy Secure Certification Authority”, then my Windows 7 machine also trusts this authority, and since the “Go Daddy Secure Certification Authority” trusts foo.homeserver.com, then My Windows 7 client also trusts foo.homeserver.com, and a trusted certificate connection is established.
In the non-computer world, think of it this way. When I try to get on a plane, and I present my drivers license (domestic flights only!), they trust WA state and allow me on the plane. If I were to present my Microsoft Identification, they would probably look at me sideways and ask for another ID, because the airlines don’t trust the Microsoft employee issuing authority. However, if I go to my companies Christmas party I can present EITHER my drivers license, or my Microsoft ID, and they trust both, since they trust WA state, and the Microsoft employee issuing authority.
In Windows SBS 2003/2008 and the use of self issued certificates. You install the leaf cert (sbs 2003) or the root cert (sbs 2008) into your client trusted root store, and now your client will trust that issuing authority as mentioned above. This is outlined in my old post.
On Mobile devices, such as Windows Mobile, you need to ensure the certificate is in that root store as well, which is why some certs work and some don’t on older Windows Mobile devices. Additionally it’s important to call out that browsers on clients behave differently too. For example, Firefox has it’s own certificate store and doesn’t use the one in Windows. The certificates in Windows and also on later mobile devices are updated and maintained through the secure connection of Windows Update.
Hopefully this clears up the server to client authentication. Of course we know the client authenticates to the server by providing your username and password to prove you are indeed the user the server should give access to.
Last important thing to remember, is NEVER install a certificate over an unsecure or un-trusted internet connection, you should always use a SECURE method of installing certificates. That means you download a cert over an already trusted and secure connection, or you bring it home in your pocket on a USB key. You never know if there is going to be a malicious server giving you a bad certificate for the wrong server on the Internet. Then you will just be giving your username and password to the wrong server on the Internet, and that would be disaster.
Update: Continue on to Part 2, now posted.
24 comments:
great post - thanks Sean! eagerly anticipating part2 re: encryption between server <---> client... ;)
Hi Ryan,
Thanks for the poke to get this finished, you can find this post live now.
It's interesting that after reading https://justdomyhomework.com/blog/homework-does-not-have-to-be-hard I realized that homework does not have to be heard. Now I definitely want my teachers to read this.
StudentsAssignmentHelp.com works continue to give the best Case Study Assignment Writing for all the students studying in different colleges or universities of Australia. Our team of Aussie writers will help you to done your work easily.
HPE0-S55 Practice Test HPE0-S55 marks4sure exam dumps help you to clear HPE0-S55 test. If you want get professional and HP real practice, recommend you to use our HPE0-S55 marks4sure
CertificationGenie provides an effective and cost-efficient method to become a certified professional in the field of IT. We offer solutions for many certification programs like Microsoft Exams, Vmware Certification Exam Questions, IBM Tests, Oracle Dumps, Cisco Certification Braindumps and more. All the solutions meet the requirements for every certification and help you to become a certified professional.
Your article is always informative. To get solution to assignment related query seek help from online members of our company.
Great post! I am actually getting ready to across this information, is very helpful my friend. Also great blog here with all of the valuable information you have. Keep up the good work you are doing here.
A high-standard post with all imperative information about Assignment Help UK services. Looking forward to avail the premium services.
Amazing Information. I really Like it. asphalt 9 legends mod apk for android plants vs zombies 2 mod apk free download mortal kombat x modes
Great post! I am actually getting ready to across this information, is very helpful my friend. Also great blog here with all of the valuable information you have. Keep up the good work you are doing here.
I would like to thank you for the efforts you have made in writing this article. I am hoping the same best work from you in the future as well. Get Online Assignment
I find your blog really a good piece of content. I would love to share with other as it has really a useful information.
acer support
apple support
samsung support number
samsung printer support
epson support
aolmail.com
aol mail
mcafee.com/activate
norton.com/setup
Thank you for posting such a great blog! I found your website perfect for my needs. It contains wonderful and helpful posts. Keep up the good work. Thank you for this wonderful Blog!
Visit: Homework Help
Java Assignment Help
Thanks for sharing this blog. A great information you shared through this blog. Keep it up and best of luck for your future blogs and posts. I have an important information regarding Web app development company
Being an academic writer from past 5 years providing assignment help writing services to college and university students also associated with Myassignmenthelp platform. I am dedicated in providing best online academic writing services to the college students at the affordable rates. Fast Assignment Help - My Assignment Help
Avail the best essay writing solution in Australia. At EssayAssignmentHelp.com.au, you can get online essay help from top university experts.
Your blogs are amazing and I am glad to read them. Thanks for sharing the tips and samples of our assignments. They are useful in knowing the key points that can increase the value of an assignment. And a special thanks to the My Assignment Help Australia for helping the students 24/7. You can email us at Info@Myassignmenthelpau.Com or Phone Number: +61-2-8005-8227
Digital Marketing is not just present, its future! As we see around us everything is getting related to the virtual world with each counting day, so it is important for us to keep up with the flow and adopt this change smartly in everything we do, we sell. We are teaching here at Koderey Techstack - Digital Marketing Course in Delhi to grow your Digital Marketing skills and see some wonderful growth in your current business. Thanks
Types of marketing
Scope of digital marketing
What is SEO
This is simply not hidden to anybody that speaking in English these days has been more than just a trend and it helps you grow the overall personality that further helps you in many aspects in your life. even if you are appearing for a good job, the first that an interviewer judges you is with your way of communication and understanding the same. American Lingua is teaching you with all the skills you require to have an excellent command on your Language.
Spoken english classes in janakpuri
Hello,
I am roxy smith.
thanks for sharing this post.
provide you best Assignment help Australia anytime.
Post a Comment