SSL

Secure Socket Layer (commonly abbreviated SSL) is a security mechanism for transmitting data electronically, and is most commonly coupled with the HTTP protocol, resulting in a more secure transport layer security known as HTTPS.

Specifications

• Baseline SSL Requirements Documents: https://cabforum.org/baseline-requirements-documents/

^[1]

Certificates

In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.

In a typical public-key infrastructure (PKI) scheme, the signer is a certificate authority (CA), usually a company that charges customers to issue certificates for them. In a web of trust scheme, the signer is either the key's owner (a self-signed certificate) or other users ("endorsements") whom the person examining the certificate might know and trust.

• wikipedia: Public key certificate^{[2][3][4][5][6]}
• wikipedia: Certificate authority^{[7][8][9][10][11]}
• wikipedia: Self-signed certificate^{[12][13][14][15][16][17][18][19][20][21][22]}

^{[23][24][25][26][27][28][29] [30]}

CSR

In Public Key Infrastructure (PKI) systems, a Certificate Signing Request (also CSR or certification request) is a message sent from an applicant to a Certificate Authority in order to apply for a digital identity certificate. Before creating a CSR, the applicant first generates a key pair, keeping the private key secret. The CSR contains information identifying the applicant (such as a distinguished name in the case of an X.509 certificate) which must be signed using the applicant's private key. The CSR also contains the public key chosen by the applicant. The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority, and the certificate authority may contact the applicant for further information.

• wikipedia: Certificate signing request
• How to Generate 2048 bit CSR? (using OpenSSL): https://www.thesslstore.com/blog/generate-2048-bit-csr/
• Generating a Certificate Signing Request or CSR Topics (to be used with Apache & mod_ssl): http://www.networksolutions.com/support/csr-for-apache-with-mod-ssl-openssl/
• Generating a 2048-bit CSR (on Windows SBS 2003): https://www.experts-exchange.com/questions/26955374/Generating-a-2048-bit-CSR-on-SBS-2003.html#answer35398856

CA

Certificate Authority (CA).

• wikipedia: Certificate authority

Tools

• Smallstep SSL Certificate Manager: https://smallstep.com/certificate-manager/
• DigiCert - CSR tools: https://www.digicert.com/util/csr-creation-microsoft-servers-using-digicert-utility.htm (creation guides/tools for various platforms)^[31]
• Lets Encrypt - Free SSL Certificate Authority "Signing Agent": https://letsencrypt.org/^[32]
• Compare certs - SSL Certificate Wizard: https://www.sslshopper.com/ssl-certificate-wizard.html
• SSL Server Test: https://www.ssllabs.com/ssltest/analyze.html | DEMO - ALC.ca (analyzes website's support for SSL/HTTPS/TLS and related encryption standards such as SHA-1/SHA-2, RSA, etc)
• SSL Checker: https://www.sslshopper.com/ssl-checker.html
• CSR checker: http://support.ecenica.com/ssl-certificates/csr-checker/
• SSL Server Test: https://www.ssllabs.com/ssltest/ (free online service performs a deep analysis of the configuration of any SSL web server on the public Internet)
• Mozilla - SSL Configuration Generator: https://ssl-config.mozilla.org (generates SSL config snippets for Apache, Tomcat, nginx, IIS, and other popular web servers)

SNI

Additional part of SSL/TLS spec where you must indicate the Hostname intended to create a connection to prior to initiating the handshake process or sending/receiving any messages.

• wikipedia: Server Name Indication

^{[33] [34] [35] [36] [37] [38] [39]}

OpenSSL

• OpenSSL: http://www.openssl.org/ | [ SRC] | BINARIES

^[40]

MashSSL

• MashSSL: http://mashssl.org/

Google Tinks

• Google Tink: https://github.com/google/tink (multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse)

^{[41] [42] [43]}

Resources

• DigiCert - Certificate Signing Request (CSR) guides: https://www.digicert.com/csr-creation.htm
• What's in a CSR?: http://www.redkestrel.co.uk/Articles/CSR.html#anchor-whats-in-a-csr
• What is the SSL Certificate Chain?: https://support.dnsimple.com/articles/what-is-ssl-certificate-chain/
• What is a Root SSL Certificate?: https://support.dnsimple.com/articles/what-is-ssl-root-certificate/
• What is a Certificate Authority?: https://support.dnsimple.com/articles/what-is-certificate-authority/
• ACME Support in Apache HTTP Server Project: https://letsencrypt.org//2017/10/17/acme-support-in-apache-httpd.html
• Weak Diffie-Hellman and the Logjam Attack: https://weakdh.org

Tutorials

• How to Generate a Keystore and CSR Using the Keytool Command: https://dzone.com/articles/keytool-commandutility-to-generate-a-keystorecerti
• Certificates for localhost: https://letsencrypt.org/docs/certificates-for-localhost/
• What ports does SSL use (by default)?: http://stason.org/TULARC/security/ssl-talk/3-4-What-ports-does-SSL-use.html#.Vgw37f7lvIU
• Install SSL certificate in Firefox: http://www.onlinehowto.net/install-ssl-certificate-in-firefox/784
• How do I check my certificates on Firefox?: https://support.quovadisglobal.com/KB/a41/how-do-i-check-my-certificates-on-firefox.aspx?KBSearchID=27234
• Managing Certificates In Internet Explorer: http://www.ejbca.org/sensornet/IEHowTo/ManagingCertificateIE.html
• Import Certificates in Windows: http://technet.microsoft.com/en-us/library/cc754489.aspx

• How to get HTTPS working on your local development environment in 5 minutes: https://medium.freecodecamp.org/how-to-get-https-working-on-your-local-development-environment-in-5-minutes-7af615770eec
• SSL Certificate -- SSL on XAMPP : http://raman-kumar.blogspot.ca/2008/08/ssl-certificate-ssl-on-xampp.html
• Creating Self Signed Certificate: https://dzone.com/articles/creating-self-signed-certificate
• Generating X.509 Certificates: http://www.ipsec-howto.org/x595.html
• How to manage Trusted Root Certificates in Windows 10: https://www.thewindowsclub.com/manage-trusted-root-certificates-windows
• XAMPP - SSL Encrypt Passwords: http://robsnotebook.com/xampp-ssl-encrypt-passwords

• Install OpenSSL on a windows machine: https://www.tbs-certificates.co.uk/FAQ/en/openssl-windows.html
• Howto -- Make Your Own Cert With OpenSSL on Windows : https://blog.didierstevens.com/2015/03/30/howto-make-your-own-cert-with-openssl-on-windows/
• How to Install (Free) SSL Easily for Your Website: https://dzone.com/articles/how-to-install-free-ssl-easily-for-your-website
• Creating or Obtaining an SSL Key & Certificate: https://confluence.atlassian.com/hc/creating-or-obtaining-an-ssl-key-and-certificate-608731891.html (#1.Generate a private key, #2.Generate a CSR, #3.Send CSR to CA, who will then send you an SSL cert, #4.When you have your SSL certificate, replace Server's default private key and self-signed certificate with your own)
• Dissecting TLS Using Wireshark: https://dzone.com/articles/dissecting-tls-using-wireshark
• No more "unable to find valid certification path to requested target": http://nodsw.com/blog/leeland/2006/12/06-no-more-unable-find-valid-certification-path-requested-target^[44]
• How to Deploy Wildcard SSL Certificates Using Let's Encrypt: https://blog.codeship.com/how-to-deploy-wildcard-ssl-certificates-using-lets-encrypt/

• Java -- sun.security.provider.certpath.SunCertPathBuilderException - unable to find valid certification path to requested target: https://stackoverflow.com/questions/6908948/java-sun-security-provider-certpath-suncertpathbuilderexception-unable-to-find#12146838
• How To Fix -- PKIX Path Building Failed (Validation) - sun.security.validator.ValidatorException: http://java.globinch.com/enterprise-java/security/pkix-path-building-failed-validation-sun-security-validatorexception/
• SSL-Based REST Web Service in Java With Spring: https://dzone.com/articles/ssl-based-rest-web-service-in-java-with-spring
• SSL-Based REST Web Service in Java JAX-RS With Spring: https://dzone.com/articles/ssl-based-rest-web-service-in-java-with-spring
• SSL Certificate Pinning in iOS Applications: http://dzone.com/articles/ssl-certificate-pinning-in-ios-application
• Windows -- Trust SSL certificate to local system account: https://superuser.com/questions/370217/trust-ssl-certificate-to-local-system-account#370224
• How to trust the IIS Express Self-Signed Certificate: https://blogs.msdn.microsoft.com/robert_mcmurray/2013/11/15/how-to-trust-the-iis-express-self-signed-certificate/
• Authentication (in Java) with HttpUrlConnection: https://www.baeldung.com/java-http-url-connection
• Preemptive BASIC Auth (in Java) with HttpUrlConnection?: https://stackoverflow.com/questions/7019997/preemptive-basic-auth-with-httpurlconnection
• Fix Your Connection Is Not Private Error In Google Chrome: https://whatsabyte.com/featured/your-connection-is-not-private/
• java.security.cert.CertificateException -- No subject alternative names present: https://medium.com/@sajithekanayaka/solved-java-security-cert-certificateexception-no-subject-alternative-names-present-eec1669faf0d (how to fix an LDAP SSL connectivity issue which comes after upgrading the Java version)
• Know about SAN Certificate and How to Create With OpenSSL: https://geekflare.com/san-ssl-certificate/
• How to fix the “java.security.cert.CertificateException: No subject alternative names present” error?: https://stackoverflow.com/questions/19540289/how-to-fix-the-java-security-cert-certificateexception-no-subject-alternative^[45]
• Configuring SSL/TLS Connection Made Easy: https://dzone.com/articles/how-to-configure
• Digital Certificate -- How to Import JKS (.cer) or PKCS12 (.key) File into Truststore File: https://www.baeldung.com/import-cer-file-into-truststore
• How to Import a X.509 or JKS (.cer) Certificate Into a Java KeyStore: https://www.baeldung.com/java-import-cer-certificate-into-keystore
• How do I use an SSL client certificate with Apache HttpClient?: https://stackoverflow.com/questions/21223084/how-do-i-use-an-ssl-client-certificate-with-apache-httpclient
• SSL Socket Communication (Java code sample on creating an "SSL EchoServer"): https://sites.google.com/site/ddmwsst/create-your-own-certificate-and-ca/ssl-socket-communication?tmpl=%2Fsystem%2Fapp%2Ftemplates%2Fprint%2F&showPrintDialog=1
• SSL Handshake Failures: https://www.baeldung.com/java-ssl-handshake-failures

External Links

• wikipedia: Transport Layer Security
• wikipedia: Transport_Layer_Security#Web_browsers (listing of SSL/TLS version support by browser)
• wikipedia: Certificate signing request
• wikipedia: Certificate authority
• wikipedia: X.509
• wikipedia: Public key certificate
• wikipedia: Certificate Transparency (CT)
• wikipedia: HTTP Public Key Pinning (HPKP)
• Beginner's Guide to TLS/SSL Certificates (WHITEPAPER): https://www.digicert.com/resources/beginners-guide-to-tls-ssl-certificates-whitepaper-en-2019.pdf
• SSL and SSL Certificates Explained For Beginners: http://www.steves-internet-guide.com/ssl-certificates-explained/

^{[46] [47] [48] [49] [50] [51] [52] [53] [54]}

• DV, OV, IV, and EV Certificates: https://www.ssl.com/article/dv-ov-and-ev-certificates/
• A More Practical Approach to Encrypting Data in Motion: https://builttoadapt.io/a-more-practical-approach-to-encrypting-data-in-motion-f9ba481a27fa
• Why is nobody using SSL client certificates?: https://blog.pilif.me/2008/05/26/why-is-nobody-using-ssl-client-certificates/
• Google wants to reduce lifespan for HTTPS certificates to one year: https://www.zdnet.com/article/google-wants-to-reduce-lifespan-for-https-certificates-to-one-year/
• Microsoft Teams goes down after Microsoft forgot to renew a certificate: https://www.theverge.com/2020/2/3/21120248/microsoft-teams-down-outage-certificate-issue-status
• TLS 1.0 and 1.1 Removal Update: https://hacks.mozilla.org/2019/05/tls-1-0-and-1-1-removal-update/
• Five Years of Lets Encrypt: https://www.infoq.com/news/2020/12/five-years-lets-encrypt/
• Why Let’s Encrypt is a really, really, really bad idea…: https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801
• How Everything We're Told About Website Identity Assurance is Wrong: https://www.troyhunt.com/how-everything-were-told-about-website-identity-assurance-is-wrong/
• Russia creates its own TLS certificate authority to bypass sanctions: https://www.bleepingcomputer.com/news/security/russia-creates-its-own-tls-certificate-authority-to-bypass-sanctions/

References

1. ↑ Certification Authority Authorization (CAA) now mandated by CA/Browser Forum: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
2. ↑ What is an SSL Certificate?: http://www.globalsign.com/en/ssl-information-center/what-is-an-ssl-certificate/
3. ↑ What are certificates?: http://www.youtube.com/watch?v=LRMBZhdFjDI
4. ↑ What Are Certificates?: http://technet.microsoft.com/en-us/library/cc758348(v=ws.10).aspx
5. ↑ What is SSL and what are Certificates?: http://tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html
6. ↑ Public key pinning update to Chrome and all Google web properties (04 May 2011): https://www.imperialviolet.org/2011/05/04/pinning.html
7. ↑ Where can I find all SSL CA certificates?: http://security.stackexchange.com/questions/42946/where-can-i-find-all-ssl-ca-certificates
8. ↑ Firefox certs: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/
9. ↑ Chrome certs: https://support.google.com/chrome/a/answer/6080885?hl=en (NOTE: it uses the default certificates included with the OS)
10. ↑ Opera certs: https://certs.opera.com/ (installs the most used CAs while installing the application, you can find the rest in the Opera online root repository as linked)
11. ↑ iOS & Mac Safari certs: https://support.apple.com/kb/ht5012
12. ↑ Creating Self-Signed SSL Certificates for Apache on Linux: http://www.linux.com/learn/creating-self-signed-ssl-certificates-apache-linux
13. ↑ Apache Tomcat 9 -- SSL/TLS Configuration HOW-TO: http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
14. ↑ Tomcat Server/Client Self-Signed SSL Certificate: http://stackoverflow.com/questions/1180397/tomcat-server-client-self-signed-ssl-certificate
15. ↑ Self-Signed Cert configuration for Tomcat: http://www.trialdatasolutions.com/tds/howto/selfsignedcertificate.jsp
16. ↑ Create a Self-Signed Server Certificate in IIS 7: https://technet.microsoft.com/en-us/library/cc753127(v=ws.10).aspx
17. ↑ How to -- Create Temporary Certificates for Use During Development: https://msdn.microsoft.com/en-us/library/ms733813(v=vs.110).aspx
18. ↑ How to -- Create Your Own Test Certificate: https://msdn.microsoft.com/en-us/library/ff699202.aspx
19. ↑ Create and export a self-signed certificate: https://technet.microsoft.com/en-us/library/ff710475(v=ws.10).aspx
20. ↑ When to Use a "Java Keytool" Self-Signed Certificate: http://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-using-java-keytool.html
21. ↑ The most common Java "keytool" Keystore commands: https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
22. ↑ Creating a Keystore File and Keystore Password for HTTPS Connections: https://docs.oracle.com/cd/E19636-01/819-1655/fapsf/index.html
23. ↑ Converting a Java Keystore (.jks) into PEM Format: https://www.baeldung.com/java-keystore-convert-to-pem-format
24. ↑ How to self-sign certificates: http://docs.splunk.com/Documentation/Splunk/6.5.1/Security/Howtoself-signcertificates
25. ↑ Signed vs. Self-signed Certificates: http://webdesign.about.com/od/ssl/a/signed_v_selfsi.htm
26. ↑ 'keytool' is not recognized as an internal or external command: https://stackoverflow.com/questions/43720147/keytool-is-not-recognized-as-an-internal-or-external-command
27. ↑ Keytool is not recognized as an internal or external command: https://stackoverflow.com/questions/19431788/keytool-is-not-recognized-as-an-internal-or-external-command
28. ↑ Oracle/Sun guide to generating a Keystore, Certificate Signing Request & Certificate: https://docs.oracle.com/cd/E19636-01/819-1655/fapsf/index.html
29. ↑ keytool - Key and Certificate Management Tool: https://docs.oracle.com/javase/1.5.0/docs/tooldocs/solaris/keytool.html
30. ↑ Let’s Encrypt SSL Security Errors starting Sep 30, 2021 - your connection is not private: https://medium.com/@BraunDoug/lets-encrypt-ssl-security-errors-starting-on-sep-30-2021-your-connection-is-not-private-417ca007fe07 (fix could be as simple as removing expired “initial root cert” of LetsEncrypt then restart servers)
31. ↑ CSR creation using OpenSSL in Apache: https://www.digicert.com/csr-creation-apache.htm
32. ↑ When to use Let's Encrypt's webroot and standalone authorization: https://advancedweb.hu/2018/06/05/letsencrypt_webroot_vs_standalone/
33. ↑ Java SSL handshake with Server Name Identification (SNI): https://javabreaks.blogspot.com/2015/12/java-ssl-handshake-with-server-name.html
34. ↑ Use cURL with SNI (Server Name Indication): https://stackoverflow.com/questions/12941703/use-curl-with-sni-server-name-indication
35. ↑ PHP server-side SNI support: https://stackoverflow.com/questions/20865301/php-server-side-sni-support | DOCS
36. ↑ If You Can Read This, You're SNIing: https://www.mnot.net/blog/2014/05/09/if_you_can_read_this_youre_sniing
37. ↑ F5 LoadBalancers -- SNI Routing with BIG-IP: https://devcentral.f5.com/s/articles/sni-routing-with-big-ip-31348
38. ↑ C# (CSharp) System.Data.SqlClient.SNI SNIHandle Examples: https://csharp.hotexamples.com/examples/System.Data.SqlClient.SNI/SNIHandle/-/php-snihandle-class-examples.html
39. ↑ How to implement Server Name Indication (SNI): https://stackoverflow.com/questions/5113333/how-to-implement-server-name-indication-sni
40. ↑ How to determine if OpenSSL and mod_ssl are installed on Apache2: https://stackoverflow.com/questions/1367545/how-to-determine-if-openssl-and-mod-ssl-are-installed-on-apache2
41. ↑ Cryptography With Google Tink: https://medium.com/coinmonks/cryptography-with-google-tink-33a70d71918d
42. ↑ Google Tink Example – Google Cryptography: https://www.javainterviewpoint.com/google-tink-example/
43. ↑ Guide to Google Tink: https://www.baeldung.com/google-tink
44. ↑ Invoking the Secure Protocol RestService from OSGI Client (AEM is in http protocol) not working: https://forums.adobe.com/thread/2328160
45. ↑ How to fix javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException -- No subject alternative names present: http://www.littlebigextra.com/how-to-fix-javax-net-ssl-sslhandshakeexception-java-security-cert-certificateexception-no-subject-alternative-names-present/
46. ↑ Everything (basic thing) You Need To Know About SSL Certificates: https://get-mobdro.com/everything-you-need-to-know-about-ssl-certificates/
47. ↑ Everything You Need to Know about SSL Certificates: https://brilliantinfo.net/ssl-certificates/
48. ↑ Everything You Need to Know About SSL/TSL Certificates: https://business.blogthinkbig.com/everything-you-need-know-about-ssl-tsl-certificates/
49. ↑ SSL certificate limitations: https://www.hostpapa.com/knowledgebase/ssl-certificate-limitations/
50. ↑ Google I/O 2014 - HTTPS Everywhere: https://www.youtube.com/watch?v=cBhZ6S0PFCY
51. ↑ Everything You Wanted to Know about SSL Certificates: https://luxsci.com/blog/everything-you-wanted-to-know-about-ssl-certificates.html
52. ↑ Everything you should know about certificates and PKI but are too afraid to ask: https://smallstep.com/blog/everything-pki/
53. ↑ Important Things to Know before Installing an SSL Certificate: https://www.hostgator.com/help/article/important-things-you-should-know-before-installing-an-ssl-certificate
54. ↑ SSL Certificate Explained -- EV, OV & DV explained - Everything You Need To Know About SSL: https://truehost.com.ng/ssl-certificate-explained/

See Also

HTTPS | TLS | Security | DNS