Security Certificates Question

Alexandra

Alexandra

Lifetimer
Joined
May 29, 2006
Messages
1,577
Reaction score
2
Points
38
Location
Atlanta, Georgia
Dummy question....so I tried our developers and google on this one...my next course of action was to come here and try my luck .

We are replacing our certificates at work...I was told to call them signing certificates...all I know they do is keep 2 sites talking, if the certs dont match the connection breaks. My question what is the difference between signing and encryption. I am at a loss...the google response is way over my head.
 
Last edited:
Well, you mentioned your site, so I assume you mean a web site (other types of signing/encryption/key exchange are similiar, but I just want to focus on web for you). Your web site creates public/private key pairs - they MUST be created as pairs, btw. In general, a client retrieves the public key from your site and uses it for encryption. Not gonna go into symmetric/asymmetric keys in detail, just know that you end up creating a cipher text (symmetric key, using the public key that was sent from server to client) that gets sent to the server, and then the server uses the private key to decrypt that data (key). Now you both (client and server) have a symmetric key that is only known to you both, and that is then used to encrypt the communication between the two.

A certificate is information about the server, and the public key itself. Getting that 'signed' by a CA (Certificate Authority) validates that the public key is indeed valid for the site in question. Basically, a server creates a key and provides it to the CA with their information, the CA makes damn sure things are on the up and up, and then creates their OWN private key to pair with the public key for YOUR server - they keep that. They send the 'signed' certificate back to you. Browsers/OS's know who the CA's are, so you get a cert (key) from your server (on the client), and it then validates it by talking to the CA - since they have the private key of their own for that public key, then it will only pass if it's valid. Now your client knows the server didn't somehow get hijacked with some trick like DNS redirection or something. Once that's done, your system will put it in the 'Certificate Store' to keep, so it doesn't have to talk to the CA all the time. That lets you talk to the site, while already having the proper public key for that site in place and validated.

Hope that's not too muddy. I probably left something out, but that's the gist of it.

(Edit, for summary):

1) Client connects to server, over secure connection - requesting one.
2) Server sends public key to client.
3) If the cert is not in your local Certificate Store on the client, the client uses CA to validate the public key (if not, warning/etc. is issued)
4) If CA validates the cert (public key and info), it is added to your local Certificate Store.
4) Client uses the public key to create a new symmetric key, encrypts that with the (validated) public key, and sends that to server.
5) Server uses its own private key to decrypt that, and that now has the same temporary key you created, so now both ends have that temporary key (the symmetric key).
6) Server and client talk together encrypting the data using the shared symmetric key.

For Certificate(s):
1) Server applies for certificate from CA (data such as public key, organization, contact, etc.).
2) CA encrypts that with it their own private key - they create a document (X.509) that is digitally signed using that private key.
3) CA sends that certificate back to the server
4) Server installs the certificate

htw
 
Last edited:
htw said:
Well, you mentioned your site, so I assume you mean a web site (other types of signing/encryption/key exchange are similiar, but I just want to focus on web for you). Your web site creates public/private key pairs - they MUST be created as pairs, btw. In general, a client retrieves the public key from your site and uses it for encryption. Not gonna go into symmetric/asymmetric keys in detail, just know that you end up creating a cipher text (symmetric key, using the public key that was sent from server to client) that gets sent to the server, and then the server uses the private key to decrypt that data (key). Now you both (client and server) have a symmetric key that is only known to you both, and that is then used to encrypt the communication between the two.

A certificate is information about the server, and the public key itself. Getting that 'signed' by a CA (Certificate Authority) validates that the public key is indeed valid for the site in question. Basically, a server creates a key and provides it to the CA with their information, the CA makes damn sure things are on the up and up, and then creates their OWN private key to pair with the public key for YOUR server - they keep that. They send the 'signed' certificate back to you. Browsers/OS's know who the CA's are, so you get a cert (key) from your server (on the client), and it then validates it by talking to the CA - since they have the private key of their own for that public key, then it will only pass if it's valid. Now your client knows the server didn't somehow get hijacked with some trick like DNS redirection or something. Once that's done, your system will put it in the 'Certificate Store' to keep, so it doesn't have to talk to the CA all the time. That lets you talk to the site, while already having the proper public key for that site in place and validated.

Hope that's not too muddy. I probably left something out, but that's the gist of it.

htw
Click to expand...

Thanks htw!! So in essence for us to transfer data, if we change are certificate, they have to chsne their certificate? I guess this would really be our encryption cert right?
 
Alexandra said:
Thanks htw!! So in essence for us to transfer data, if we change are certificate, they have to chsne their certificate? I guess this would really be our encryption cert right?
Click to expand...
Do you mean a new one you installed that was issued by the CA? If so, then no - a client should receive the public key from you, see it doesn't match the CS, contact the CA for an update, and if there is one update the local CS - then use the new validated key to do what I mentioned before (symmetric key exchange, encryption).

Are you using a CA, or are you guys signing your own certs?

htw
 
htw said:
Alexandra said:
Thanks htw!! So in essence for us to transfer data, if we change are certificate, they have to chsne their certificate? I guess this would really be our encryption cert right?
Click to expand...
Do you mean a new one you installed that was issued by the CA? If so, then no - a client should receive the public key from you, see it doesn't match the CS, contact the CA for an update, and if there is one update the local CS - then use the new validated key to do what I mentioned before (symmetric key exchange, encryption).

Are you using a CA, or are you guys signing your own certs?

htw
Click to expand...

It is a premium extended validation ssl certificate. Yes, we are using CA.
 
htw said:
Well, you mentioned your site, so I assume you mean a web site (other types of signing/encryption/key exchange are similiar, but I just want to focus on web for you). Your web site creates public/private key pairs - they MUST be created as pairs, btw. In general, a client retrieves the public key from your site and uses it for encryption. Not gonna go into symmetric/asymmetric keys in detail, just know that you end up creating a cipher text (symmetric key, using the public key that was sent from server to client) that gets sent to the server, and then the server uses the private key to decrypt that data (key). Now you both (client and server) have a symmetric key that is only known to you both, and that is then used to encrypt the communication between the two.

A certificate is information about the server, and the public key itself. Getting that 'signed' by a CA (Certificate Authority) validates that the public key is indeed valid for the site in question. Basically, a server creates a key and provides it to the CA with their information, the CA makes damn sure things are on the up and up, and then creates their OWN private key to pair with the public key for YOUR server - they keep that. They send the 'signed' certificate back to you. Browsers/OS's know who the CA's are, so you get a cert (key) from your server (on the client), and it then validates it by talking to the CA - since they have the private key of their own for that public key, then it will only pass if it's valid. Now your client knows the server didn't somehow get hijacked with some trick like DNS redirection or something. Once that's done, your system will put it in the 'Certificate Store' to keep, so it doesn't have to talk to the CA all the time. That lets you talk to the site, while already having the proper public key for that site in place and validated.

Hope that's not too muddy. I probably left something out, but that's the gist of it.

(Edit, for summary):

1) Client connects to server, over secure connection - requesting one.
2) Server sends public key to client.
3) If the cert is not in your local Certificate Store on the client, the client uses CA to validate the public key (if not, warning/etc. is issued)
4) If CA validates the cert (public key and info), it is added to your local Certificate Store.
4) Client uses the public key to create a new symmetric key, encrypts that with the (validated) public key, and sends that to server.
5) Server uses its own private key to decrypt that, and that now has the same temporary key you created, so now both ends have that temporary key (the symmetric key).
6) Server and client talk together encrypting the data using the shared symmetric key.

For Certificate(s):
1) Server applies for certificate from CA (data such as public key, organization, contact, etc.).
2) CA encrypts that with it their own private key - they create a document (X.509) that is digitally signed using that private key.
3) CA sends that certificate back to the server
4) Server installs the certificate

htw
Click to expand...

thanks for the added detail!

so if we have an active SSO connection with say a 3rd party, if our server gets a new certificate, does our 3rd party need to update theirs to maintain connection (this is what I always thought?!)

Since we are exchanging data back and forth, I'm assuming then our certificate is the encryption cert as you noted above...gahhhh can't believe no one could answer this in my office...anyway I guess we just don't have an htw.
 
Last edited:
So...is this just an HTTPS site? When you say SSO (I assume Single Sign On), it sounds very webapp-ish. If so, once you update the website's SSL key pair (and ensure it is in the config that way), it should just work.

The only gotcha would be to make sure you have the current intermediate/chain certificate installed. I've had to update a few of them in the past year or so.
 
You must log in or register to reply here.

Similar threads

S
Calling All CodeCompiler scam vics
Replies
0
Views
445
General Chat
SupItsJ
S
I
MQ2BOT Questions
Replies
6
Views
1K
General Chat
maximoh
M
smith8454
Problems with root hotkey
Replies
5
Views
587
EverQuest General Chat, Requests & Questions
dewey2461
D
N
MQ2Map Questions
Replies
0
Views
479
EverQuest MacroQuest Downloads & Plugins
NeroMorte
N
B
Multibox issues: 54 characters (windows taskbar lag)
Replies
2
Views
701
EverQuest General Chat, Requests & Questions
bpt82282
B