SSL certificates are used to initiate secure communications over computer networks, usually referred to as HTTPS traffic. Organization Validated (OV) and Extended Validated (EV) Certificates provide both encryption and identification: a user can check the name of the organization in a certificate and can be sure that a reliable third party (Certificate Authority – CA) has validated the organization. Domain Validated (DV) certificates give only encryption, as the organization has not been validated at all. The actual name of the protocol is TLS (Transport Layer Security), but I will use the term SSL (Secure Sockets Layer) because it is still better known and more commonly used.
SSL/TLS Handshake and Key Exchange
If two parties want to transmit data over a network securely, they need to encrypt it. In order to be able to read (decrypt) the other party’s encrypted data, both need to have the same encryption secret (key). How do the two parties exchange keys securely? The answer to this is Public Key Infrastructure (PKI).
Let’s take a Web Server as an example here. When you request a Web Server certificate, you generate a CSR (Certificate Signing Request), which holds the requester’s basic identity information. During CSR generation, a key pair is also formed – a public key and a private key. If data is encrypted with the private key, it can be decrypted with the public key of the key pair – and vice versa. The public key is sent to the Certificate Authority (CA) along with the CSR and it is embedded in the actual SSL certificate. The private key needs to be secured on the web server for future decryption needs.
- Client connects and sends a ClientHello to a web server.
- Web Server sends a copy of its SSL Certificate, including a public key and some identity information. This way the Web Server authenticates itself to the Client.
- Client validates the certificate against a list of trusted CAs and checks that the certificate is valid and unrevoked, and that its Common Name or Subject Alternative Name matches the website that it is connecting to. If the certificate validates OK, the Client creates a symmetric session key, encrypts it with the Web Server’s public key and sends it to the Web Server.
- Web Server decrypts the symmetric session key using its private key and sends back an acknowledgement to start the encrypted session.
- Client and Web Server use the symmetric session key to encrypt all traffic during the session. When the session ends, the symmetric keys are deleted on both ends.
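The client-side checks from the third step (validity period and name matching), written out as an added example that is not code from the original article. The certificate is a constructed sample in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; chain validation against trusted CAs and revocation checking are not covered here, and a real client gets the trust and hostname checks from `ssl.create_default_context()`.

```python
import ssl

# Constructed sample certificate (same dict layout as getpeercert() output).
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "www.example.com"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "*.shop.example.com")),
}

def name_matches(pattern, hostname):
    """Compare one certificate name with the hostname, label by label.
    A '*' is accepted only as the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans several labels
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # reject names like '*.com'
    return p == h

def cert_names(cert):
    """DNS names to match against: SAN entries, else the Common Name."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans               # with SAN DNS entries present, CN is ignored
    return [v for rdn in cert.get("subject", ())
            for key, v in rdn if key == "commonName"]

def check_certificate(cert, hostname, now):
    """Return the list of failed checks; an empty list means all passed.
    'now' is seconds since the epoch (UTC)."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if not any(name_matches(n, hostname) for n in cert_names(cert)):
        problems.append("hostname mismatch")
    return problems
```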
For more detailed information, contact us at info@wesentra.com.