[Cialug] SSL Key ?

Josh More morej at alliancetechnologies.net
Tue Jun 5 15:14:04 CDT 2007


Here's basically how it works (I'm skipping a lot of detail here, if you
care, read up on Diffie-Hellman (D-H) key exchange).

1) Web browser connects to https://www.example.com
2) Browser looks up name and initiates a connection to 208.77.188.166
on port 443, using the https protocol.
3) Server connects and offers the browser the certificate.
4) Browser looks at the cert and accepts it
5) Browser uses the cert to encrypt data to the server.
6) Server uses the key to decrypt the data and encrypt for outbound.
7) Browser and server then communicate securely.

See, the key and cert apply to the encrypted session, not to the server
itself.  However, due to the encryption problem I mentioned earlier, the
smallest level you can really use it on is ip/port.  In other words, the
private key is used to unlock the data the certificate encrypts
(sorta).

So, from a file-level sysadmin perspective, you never regenerate the
key unless the certificate expires or is compromised.  You have a
separate key (and cert) for each site you run.  Thus, you'll have
/etc/apache2/ssl.key/www.example.com.key and
/etc/apache2/ssl.key/www.demonstration.com.key, if you are running
those two sites.  You would also have matching certs.

Where it gets confusing is that there are actually two layers of
encryption at work, the key-cert encryption is used as a master level
within Diffie-Hellman, over which the browser and server exchange
randomly-generated session keys.  Luckily, you never actually have to
worry about that.

Hope that clarifies it a bit.

Should we have an encryption discussion at the next LUG meeting?

-Josh More, RHCE, CISSP, NCLP, GIAC
 morej at alliancetechnologies.net
 515-245-7701
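As an added example (not code from Josh's post or from the Cialug list), the following POSIX shell script does the file-level part of what the post describes: one key and one (self-signed, for demonstration) cert per site, plus a check that a given certificate really belongs to a given private key. That check is the practical answer to "what does a new key do to the old cert": the cert carries the public half of exactly one key, so a freshly generated key will not match it and the server must either keep the old key or get a new cert issued for the new one. It assumes the openssl command-line tool is installed; the working directory is a constructed temp dir rather than the /etc/apache2/ssl.key paths from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI.
# WORK is a constructed scratch directory standing in for /etc/apache2/ssl.key.
set -e
WORK="${WORK:-$(mktemp -d)}"

# gen_site SITE: write $WORK/SITE.key and a matching self-signed $WORK/SITE.crt
# (a real site would send a CSR for this key to a CA instead of self-signing)
gen_site() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        >/dev/null 2>&1
}

# pubkey_fp FILE KIND: SHA-256 fingerprint of the DER-encoded public key in FILE.
# KIND is "key" for a private key file or "crt" for a certificate. Both paths
# go through the same DER encoding so the two fingerprints are comparable.
pubkey_fp() {
    if [ "$2" = key ]; then
        pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || pem=""
    else
        pem=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || pem=""
    fi
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_matches_key CRT KEY: succeed only if CRT was issued for KEY's public half.
# An unreadable file gives an empty fingerprint, which is treated as "no match".
cert_matches_key() {
    c=$(pubkey_fp "$1" crt)
    k=$(pubkey_fp "$2" key)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

main() {
    for site in www.example.com www.demonstration.com; do
        gen_site "$site"
        echo "$site: public key fingerprint $(pubkey_fp "$WORK/$site.key" key)"
    done

    # Re-running key generation for a site produces a new, unrelated key.
    openssl genrsa -out "$WORK/www.example.com.key.new" 2048 2>/dev/null

    if cert_matches_key "$WORK/www.example.com.crt" "$WORK/www.example.com.key"; then
        echo "old key still matches www.example.com.crt"
    fi
    if cert_matches_key "$WORK/www.example.com.crt" "$WORK/www.example.com.key.new"; then
        echo "unexpected: new key matches the old cert"
    else
        echo "new key does NOT match www.example.com.crt:" \
             "keep the old key, or have a new cert issued for the new key"
    fi
}

main
```

Running cert_matches_key against each site's .crt and .key before reloading Apache is a cheap way to avoid the "hoarked" e-commerce site the reply below worries about: a key/cert mismatch is exactly what breaks the HTTPS listener when a key file is regenerated but the cert is not.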



>>> "albus" <albus at iowaconnect.com> 06/05/07 2:48 PM >>> 
That's what I'll do. I'll move them around to the /etc/httpd/conf
dir so they can't be hosed by me or anybody else for that matter.

And then repoint httpd.conf to the new local.

I'm still a bit confused as to how the private key bit works but
I'll finger it out I guess when I go to add the other cert for the
other virtual E-Comm site.

I just don't want to hoark my E-Comm site when I do.

Is a different private key generated every time you run openssl for
the new site? If so, what happens to the old one, and what does that
do to the cert that checked against it?

Sorry for the stupid questions.

_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug