Certificates, what to know…

Certificates are a tough and complex world to be in.

Here are the main things to remember when renewing old certificates or requesting new ones 🙂

  • CA is short for “Certificate Authority” and is usually a party that ‘signs’ certificates on behalf of the requester. Because someone other than the party hosting the site signed the certificate, it is assumed that dualism applies.
  • CSR is short for “Certificate Signing Request” and contains the hash needed by any CA to create a “signed” certificate.
  • Private Key is the server key portion of the certificate that enables the server to “decrypt” traffic generated by a remote client using the provided certificate. This part of the certificate should always be kept safe and should never be exchanged with any third party. Whoever has the private key can assume the identity of the server/service to which the certificate applies.
  • Public Key is the client key portion of the certificate that allows a client to decrypt the traffic generated by the remote server. This key is exchanged encrypted using the certificate at connection time, and because only the server holds the server portion of the private key, it is theoretically the only party in the world that can decode the traffic containing the key.
  • A certificate's CN (Common Name) should always match the URL used by the visiting client, e.g. for Google the CN would be http://www.google.com.
  • A certificate's O (Organization) should match the company listed in the whois record for the domain name, e.g. for Google it would be “Google Inc.” (http://www.whois.net/whois/google.com).
  • When you want to use certificates for mobile devices, a special certificate should be used. Check ssl.nu for more information.
  • SAN is short for “Subject Alternative Name” (not to be mistaken with “Storage Area Network”). It is a special certificate that allows for multiple CNs (multiple sites): http://www.digicert.com/subject-alternative-name.htm. It is also used in a number of Microsoft products.
  • If you have the option, don't use certificates that use the MD5 cryptographic hash. These are considered weak and might be blocked by future browsers as insecure. The weaknesses allow attackers to create a ‘valid’ certificate and steal the identity of your site by applying it. (Tough read, for the wiz-kids: http://www.win.tue.nl/hashclash/rogue-ca/)

This should help you on your way 🙂

This might also be useful: a CSR checker that also performs a few checks to make sure all the info inside the CSR adds up.
https://www.networking4all.com/en/support/tools/csr+check/
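The same checks can be run locally with the openssl command line. The script below is an added example, not code from the original post or from the CSR checker linked above: it generates a private key plus a CSR for the constructed placeholder names www.example.com / Example Inc (assuming openssl 1.1.1 or newer for -addext), then decodes the CSR to verify its self-signature, confirm the CN matches the hostname, refuse MD5/SHA-1 digests and confirm the hostname is also present in the SAN list, which current browsers require.

```shell
#!/bin/sh
# Added example (not part of the original post): create a key + CSR with a SAN
# list and run the sanity checks from the post on the resulting CSR.
# Assumes openssl >= 1.1.1; www.example.com / Example Inc are constructed names.
set -eu

WORKDIR="${TMPDIR:-/tmp}/csr-demo.$$"
mkdir -p "$WORKDIR"
trap 'rm -rf "$WORKDIR"' EXIT
KEY="$WORKDIR/server.key"   # private key: stays on the server, never sent to the CA
CSR="$WORKDIR/server.csr"   # signing request: subject + public key, this goes to the CA

# make_csr CN ORG SAN-LIST : writes $KEY and $CSR, request signed with SHA-256
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$KEY" -out "$CSR" \
    -subj "/CN=$1/O=$2" \
    -addext "subjectAltName=$3" 2>/dev/null
}

# Field extractors over the decoded CSR
csr_cn()     { openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'; }
csr_sigalg() { openssl req -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n1; }
csr_san()    { openssl req -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '; }

# check_csr CSR HOSTNAME : returns 0 only if every check passes
check_csr() {
  csr="$1"; host="$2"
  # 1. the request's self-signature must verify (not corrupted or tampered in transit)
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || { echo "bad signature"; return 1; }
  # 2. CN must match the hostname clients will use
  [ "$(csr_cn "$csr")" = "$host" ] || { echo "CN mismatch"; return 1; }
  # 3. weak digest (MD5 or SHA-1) in the request signature is refused
  case "$(csr_sigalg "$csr")" in
    *md5*|*MD5*|*sha1*|*SHA1*) echo "weak signature digest"; return 1 ;;
  esac
  # 4. the hostname must also appear in the SAN list (browsers no longer fall back to CN)
  csr_san "$csr" | grep -q "DNS:$host" || { echo "hostname missing from SAN"; return 1; }
  echo "CSR ok: CN=$host, sig=$(csr_sigalg "$csr"), SAN=$(csr_san "$csr")"
}

make_csr www.example.com "Example Inc" "DNS:www.example.com,DNS:example.com"
check_csr "$CSR" www.example.com
```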

About Chris Gralike

I am currently manager of the business continuity department at the business IT service provider AMIS Services BV. I have been active in the ICT sector since 2003. Between 2003 and now I have held various roles. In the roles of system and network administrator, system engineer, service manager and now practice manager I have come into contact with a wide range of technologies, methodologies, ideas, solutions and innovations. A rich experience with which I try to support the customers of Conclusion and AMIS every day. My credo: 'Always looking for a win-win between business and technology.'

Posted on July 25, 2011, in Apache 2.2 Windows, Distributions, Tomcat, Tooling, Windows Components, Windows Server.
