
SSL Certificate

SSL stands for Secure Sockets Layer, the protocol used to secure data in transit between a client and a server (its modern successor is TLS, but the name "SSL certificate" has stuck). In this article I discuss how an SSL certificate is used in a client-server architecture. First you should know the difference between "authentication" and "authorization".

Authentication means verifying that a user really is who they claim to be. For instance, when you log in to a system it asks for a user name and password; that is authentication. Only a user who supplies the correct user name and password is allowed to log in.

Authorization is what you are allowed to do, and not allowed to do, once you have logged in to a particular site; in other words, the privileges you hold on that site. Both concepts come into play when a client (your browser) makes a request to a server over SSL.

You may wonder why such a system is needed. It is all about trust. When you type your favorite site, www.facebook.com, into your browser, how do you know that the login page that loads really belongs to Facebook? Someone else could serve a page that looks exactly like Facebook's login page, and when you type your user name and password into it they can easily take over your Facebook account. To prevent this kind of misuse there is a mechanism to authenticate the server.

A certificate authority (CA) vouches for a web site by issuing it a certificate, which tells others (browsers) that this server really is the owner of this site (facebook.com). The certificate is a digital document, and it is installed on the web server that hosts the site. When you type the URL, your browser asks the server for its certificate, and the certificate names the CA that issued it. The browser does not have to ask that CA anything at this point: it already ships with a list of trusted CAs and their public keys (its trust store), and it uses the CA's public key to check the CA's digital signature on the certificate, that the certificate has not expired, and that the name in the certificate matches the site you typed (the only thing it may contact the CA for is to check whether the certificate has since been revoked). Only then does it accept the server's response. Keep in mind that the issuing CA must be one your browser trusts; otherwise the browser warns you and lets you decide whether to accept the server's response or not. That is how authentication happens between the browser and the server.

I know the question you have: how can we trust that certificate authority? Before I answer, let me ask you a question: how do you trust the judgment given by a judge? It is the same thing. You trust the judge because not everybody can be a judge and there is a legal body behind the office. In the same way, not everyone can issue certificates for web sites; even if they do, nobody trusts them. In practice the list of trusted CAs is shipped with your browser or operating system, so your trust in a CA rests on the browser vendor having vetted it.

When a web site has a valid certificate it can use the https protocol to communicate with its clients. I think all of you have plenty of experience with that process. But how can the same process be used for authorization? That is the question most people cannot answer.

Just as the browser asks the server for a certificate, the server can ask the browser for one. That client certificate lets the server authenticate the client, and the identity it proves can then be used to decide what that client is authorized to do. For this to work the client's certificate must be signed by a CA that the server trusts (usually the same private CA that signed the server's certificate, although that is not a requirement; the server only needs the signing CA in its trust store), and the client certificate, together with its private key, has to be installed manually in the browser on each and every client machine.
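The trust model described above, both the browser's check on a server certificate and the server's check on a client certificate, can be acted out with the openssl command line tool. The following POSIX shell script is an added example and is not code from the original article: it creates a private CA, has that CA sign a server certificate and a client certificate, then performs the same check a browser (or a server receiving a client certificate) performs, namely that the certificate chains to a CA in the trust store and was issued for the expected host name. A second, unrelated CA issues a certificate for the same server name to show that a valid-looking certificate from an untrusted CA is rejected, and a toy authorize_client function shows that a trusted certificate only answers "who is this?", while the privileges are a separate decision. The script assumes only that the openssl binary is on the PATH; the CA names, the host names under example.test, and the authorization policy are all made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. It assumes only that the
# openssl command line tool is on the PATH; every name used (Demo CA, Rogue CA,
# *.example.test) and the authorization policy are made up for the demo.

# Minimal openssl config so the demo does not depend on the system openssl.cnf;
# [ca_ext] is what marks a "req -x509" certificate as a CA.
write_req_config() {
    cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Self-signed CA: $1 = file prefix, $2 = common name.
make_ca() {
    openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Leaf certificate: $1 = file prefix, $2 = common name, $3 = CA prefix,
# $4 = one X.509 extension line (goes into an -extfile for "x509 -req").
issue_leaf() {
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1 || return 1
    printf '%s\n' "$4" > "$1.ext"
    openssl x509 -req -sha256 -days 1 -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
        -CAcreateserial -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
}

# Build a throw-away PKI in a temporary directory and print its path: ca.crt is
# the only CA our "browser" trusts; server.crt and client.crt are signed by it;
# rogue.crt is for the same server name but signed by an unrelated CA.
make_demo_pki() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        write_req_config
        make_ca ca "Demo CA" || exit 1
        issue_leaf server server.example.test ca \
            "subjectAltName=DNS:server.example.test" || exit 1
        issue_leaf client client.example.test ca "extendedKeyUsage=clientAuth" || exit 1
        make_ca rogue-ca "Rogue CA" || exit 1
        issue_leaf rogue server.example.test rogue-ca \
            "subjectAltName=DNS:server.example.test" || exit 1
    ) || return 1
    echo "$dir"
}

# The check a browser makes on a server certificate, and a server makes on a
# client certificate: does $2 chain to a CA in the trust store $1 and, if $3 is
# given, was it issued for that host name? No call to the CA is needed.
verify_against_ca() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Identity the certificate was issued to (its subject CN).
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Authentication versus authorization on the server side: a trusted client
# certificate only proves WHO the client is; what that identity may do is a
# separate policy decision (a made-up one here) taken afterwards.
authorize_client() {   # $1 = CA file the server trusts, $2 = client certificate
    if ! verify_against_ca "$1" "$2"; then
        echo "deny: certificate not signed by a CA the server trusts"
        return 1
    fi
    case "$(cert_subject_cn "$2")" in
        client.example.test) echo "allow: read-write" ;;
        *) echo "deny: authenticated, but no privileges granted"; return 1 ;;
    esac
}

demo() {
    dir=$(make_demo_pki) || { echo "could not build the demo PKI"; return 1; }
    for cert in server client rogue; do
        if verify_against_ca "$dir/ca.crt" "$dir/$cert.crt"; then
            echo "$cert.crt: trusted, issued to $(cert_subject_cn "$dir/$cert.crt")"
        else
            echo "$cert.crt: REJECTED, not signed by Demo CA"
        fi
    done
    authorize_client "$dir/ca.crt" "$dir/client.crt"
    authorize_client "$dir/ca.crt" "$dir/server.crt" || true
    rm -rf "$dir"
}

demo
```

Running the script prints that server.crt and client.crt are trusted, that rogue.crt is rejected even though it carries the same server name, that the client certificate is authorized, and that the server's own certificate, although perfectly trusted, gets no privileges because the policy never granted it any. Note that openssl verify never talks to the CA: everything it needs is the CA certificate in the trust store and the signature on the certificate being checked.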

In my next article I will discuss how to generate those certificates and how to configure the Apache web server to enable https communication with the browser.
