Securing SSL
Deploying HTTPS solves a great many security problems. A badly configured deployment, however, is useless: it gives the appearance of security without providing any.
2.1. SSL certificates
An SSL certificate binds a web site's identity to its owner with certainty and is the basis for protecting the electronic exchanges between that server and the clients that connect to it: the certificate authenticates the server, and the TLS session it anchors provides the confidentiality and integrity of the exchanges. This is what lets clients trust the site.
2.1.1. Principle
Using public-key cryptography on a large scale means managing a large number of public keys belonging to entities that are often scattered across a network. Public key infrastructures (PKI) exist for this purpose. A PKI is composed of:
- A certification authority (CA)
- A registration authority (RA)
- A publication system (directory) that distributes the certificates and the revocation lists
For the system to work, the certificate must be issued by a trusted third party, the certification authority (CA). It is the CA's signature that lets a client establish the server's identity with certainty.
The registration authority (RA) is responsible for vetting the applicant. Different verification procedures lead to certificates of different classes; three classes are commonly offered:
- Class 1: the weakest level of protection, with no real identity check: only the applicant's email address is verified. These certificates should be used only for demonstrations.
- Class 2: a reasonable level of protection; the information contained in the certificate is checked against a signed copy of the applicant's identity document.
- Class 3: the highest level of protection, with more thorough checks of the applicant's identity: physical proof is required, by post or in person. These certificates can be used for electronic commerce.
For information, prices range overall from 70€ to 700€ depending on the type of certificate.
Certificates are generally in the X.509 format and contain the following information:
- The X.509 version
- The certificate's serial number. This number is unique within the issuing CA; if the certificate is revoked, it is this number that is placed on the revocation list (CRL).
- The identifier of the algorithm used to sign the certificate
- The name of the certification authority (issuer) that issued the certificate
- The domain name being certified
- The name of the certificate holder (subject)
- The holder's public key, with which clients encrypt data for the holder and verify its signatures
- The list of uses authorised by the certification policy (key usage)
- The issue date (not before) and the expiry date (not after)
- Optional extensions, introduced with version 3 of X.509
- The issuer unique identifier, if the CA's DN is shared with one or more other entities
- The subject unique identifier, if the holder's DN is shared with one or more other entities
- The signature of the certificate, produced with the CA's private key. Verifying it with the CA's public key is what establishes the certificate's authenticity.
When a client connects to a secured server, it receives the server's certificate and then runs a validity check on it, in the following stages:
- Verification of the certification authority's signature. The client must trust the CA that signed the certificate, i.e. the CA's certificate must be in its trust store.
- It decrypts the certificate's signature with the signature algorithm named in the certificate and the CA's public key, obtaining the fingerprint (hash) that the CA signed.
- It computes the certificate's fingerprint itself, with the hash algorithm named in the certificate, and checks that the two results match.
- It then checks that the current date falls within the certificate's validity period, and that the name in the certificate matches the host it is connecting to.
- Lastly, it makes sure the certificate's serial number is not on the up-to-date certificate revocation list (CRL) published by the CA (or, equivalently, asks the CA's OCSP responder).
2.1.2. Obtaining a certificate
Five main stages are needed to obtain a certificate:
- 1. Generate the server's private key. Change to the directory where the key is to be created and run:
openssl genrsa -rand /var/log/messages -out www.domain.com.key 2048
The -rand option seeds the generator with extra entropy from the named file; on a modern system the operating system's entropy source is sufficient and the option can be omitted. The key size is the last argument: use at least 2048 bits, since 1024-bit RSA keys are no longer accepted by public CAs or trusted by browsers. Protect the key file (chmod 600): anyone who can read it can impersonate the server.
- 2. Generate the certificate signing request (CSR). From the private key, the CSR is produced with:
openssl req -new -key www.domain.com.key -out www.domain.com.csr
The command prompts for the information to enter: country, city, company, domain name (the Common Name) and email address.
- 3. Send the CSR to the certification authority. Depending on the class of certificate chosen, the validation process differs.
- 4. Retrieve the signed certificate (.crt file), together with any intermediate CA certificate the CA supplies.
- 5. Configure Apache. With mod_ssl loaded, it is enough to enable the SSL engine and set two directives pointing at the received certificate and the private key, inside a VirtualHost on port 443:
<VirtualHost www.domain.com:443>
    ServerName www.domain.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/www.domain.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.domain.com.key
    # If the CA supplied an intermediate certificate, add it here with
    # SSLCertificateChainFile (Apache before 2.4.8) or append it to the .crt file
</VirtualHost>
Without SSLEngine on the VirtualHost serves plain HTTP on port 443, and clients fail with a protocol error.
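The five steps run end to end, as an added example that is not part of the original page. A throwaway local CA (an assumption standing in for the public CA of steps 3 and 4) signs the CSR, and two checks a practitioner runs before step 5 follow: openssl verify, which performs the signature, hash and validity-date checks described in 2.1.1, and a comparison of the RSA modulus in the key and in the certificate, to make sure the pair Apache will load actually belongs together. The name www.domain.com comes from the page; the CA name "Example Test CA", the subject fields and the work directory $WORK are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: the five steps run end to end
# against a throwaway local CA so that everything works offline.
# Assumptions (not from the page): the CA name "Example Test CA", the
# subject fields C/L/O, and the work directory $WORK.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="www.domain.com"          # host name taken from the page

# Stand-in for the public CA of steps 3 and 4: a self-signed CA certificate.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 1: the server's private key. 2048 bits is the minimum public CAs accept;
# the file must be readable by nobody but the server.
make_server_key() {
    openssl genrsa -out "$WORK/$DOMAIN.key" 2048 2>/dev/null
    chmod 600 "$WORK/$DOMAIN.key"
}

# Step 2: the CSR. -subj answers the interactive prompts of "openssl req -new".
make_csr() {
    openssl req -new -sha256 -key "$WORK/$DOMAIN.key" \
        -subj "/C=FR/L=Paris/O=Example/CN=$DOMAIN" \
        -out "$WORK/$DOMAIN.csr" 2>/dev/null
}

# Steps 3 and 4: the CA checks the request and returns a signed .crt.
# Browsers match the host name against subjectAltName, not the CN alone,
# so the extension is supplied through -extfile.
sign_csr() {
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$DOMAIN" \
        > "$WORK/ext.cnf"
    openssl x509 -req -sha256 -days 365 -in "$WORK/$DOMAIN.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -out "$WORK/$DOMAIN.crt" 2>/dev/null
}

# Client-side validation from 2.1.1 (CA signature, hash, validity dates),
# as performed by "openssl verify". Prints OK on success.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$DOMAIN.crt" 2>/dev/null \
        | sed 's/^.*: //'
}

# Before step 5: make sure the certificate was issued for the key Apache will
# load, by comparing the RSA modulus found in both files.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$WORK/$DOMAIN.crt" | openssl sha256)
    k=$(openssl rsa -noout -modulus -in "$WORK/$DOMAIN.key" 2>/dev/null | openssl sha256)
    if [ "$c" = "$k" ]; then echo match; else echo MISMATCH; fi
}

# The host name the CA actually put into the certificate.
cert_san() {
    openssl x509 -noout -text -in "$WORK/$DOMAIN.crt" | grep -o 'DNS:[^, ]*'
}

run_all() {
    make_test_ca
    make_server_key
    make_csr
    sign_csr
    echo "chain:   $(verify_chain)"
    echo "key/crt: $(key_matches_cert)"
    echo "san:     $(cert_san)"
    # Serial number and validity dates, two of the X.509 fields listed in 2.1.1.
    openssl x509 -noout -serial -dates -in "$WORK/$DOMAIN.crt"
}

if [ "${1:-}" = "run" ]; then run_all; fi
```

Run it with `sh script.sh run`. Here ca.crt plays the role of the CA root a real client already trusts; with a certificate from a public CA you would point -CAfile at the CA's chain bundle instead. A MISMATCH from key_matches_cert means the .crt was not issued for this .key, and Apache will refuse to start with that pair.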