Overview of SSL certificates; SSL authentication; DNS and the CN3000's SSL certificate - Colubris Networks CN3000 Administrator's Manual


Chapter 10: SSL certificates

Overview of SSL certificates

The only way to securely access a web server is to encrypt the data stream that is
exchanged between the browser and the web server. This ensures that if data is
intercepted by a malicious third party using a network analyzer on the LAN or the
Internet, it will be difficult or impossible for the data to be deciphered.
However, encryption does not solve another important security issue, namely how the
identity of a web server can be validated before a connection to it is established. The
solution to this problem is provided by digital certificates.
A digital certificate is a collection of information about a web server, digitally signed by a
certificate authority. A certificate authority is by definition an entity that can be trusted. It
may be an entity in your organization responsible for issuing certificates, a commercial
certificate authority such as Thawte or Entrust, or even yourself.
SSL is the standard for creating a secure encrypted connection between a web browser
and a web server. SSL relies on the exchange of digital certificates, which provide the
means for the web server and browser to authenticate each other.
SSL authentication

The following sequence of steps illustrates how an SSL session is established.

1. A web browser attempts to open a web page via HTTPS.

2. The web server sends its digital certificate (as well as information needed to
establish the SSL connection) to the web browser. The certificate is signed using the
private key of a certificate authority (CA). This is usually a well-known commercial
entity.

3. The web browser attempts to validate the web server's certificate. This occurs as
follows:

• The web browser checks that the server's certificate has not expired. The
certificate will contain the certificate's validity period which can be compared to the
current date.

• The web browser may be configured to check that the certificate is not in a
Certificate Revocation List maintained by the entity that issued the certificate.

• The web browser checks its internal list of trusted CAs to find the one that signed
the web server's certificate. Using the public key of this CA (which is also stored in
the web browser), the web browser validates the authenticity of the web server's
digital signature. This is possible because the web server's certificate is signed
using the CA's private key.

• The web browser extracts the domain name of the web server from the certificate.
(When the certificate was registered, this domain name was associated with the
IP address of the CN3000's Internet port.) It then compares this against the
domain name of the web server.

4. The web browser and the web server agree on a symmetric key to encrypt the SSL
connection.

5. The SSL connection is started.

DNS and the CN3000's SSL certificate

The host name in the currently installed SSL certificate is automatically assigned as the
domain name of the CN3000. The factory default SSL certificate that is installed on the
CN3000 has the host name wireless.colubris.com.
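The validation steps above (validity period, signature chain to a trusted CA, host name comparison) can be exercised with a small program. The following Go example is added here and is not code from the Colubris manual; it uses the Go standard library's certificate verifier in place of a browser, constructs its own CA, an untrusted CA and the CA names, and uses the factory host name wireless.colubris.com from this page. The alternative name gateway.example.net, the 24-hour lifetimes and the serial numbers are constructed for the example. Revocation (CRL) checking is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a certificate for name: a CA gets the CA basic constraint and
// cert-signing key usage; a server certificate carries name as a Subject
// Alternative Name, which is the field validators compare against the host name.
func template(name string, isCA bool, notBefore, notAfter time.Time) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed; a real CA tracks serials
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh P-256 key for tmpl and has parentKey sign the certificate
// (step 2: the CA's private key signs it); a nil parent makes it self-signed (a root CA).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // in-memory key generation failing is a programming error in this demo
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// validate performs the browser-side checks of step 3 (validity period, chain to a
// trusted CA, host name match) and reduces the verifier's error to a short label.
func validate(server *x509.Certificate, trusted *x509.CertPool, hostname string, now time.Time) string {
	_, err := server.Verify(x509.VerifyOptions{Roots: trusted, DNSName: hostname, CurrentTime: now})
	switch e := err.(type) {
	case nil:
		return "ok"
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired {
			return "expired"
		}
	case x509.HostnameError:
		return "hostname-mismatch"
	case x509.UnknownAuthorityError:
		return "untrusted-ca"
	}
	return "other: " + err.Error()
}

// runScenarios issues certificates for the CN3000's factory host name and exercises
// each failure mode a browser would report.
func runScenarios(now time.Time) map[string]string {
	const host = "wireless.colubris.com" // host name in the factory default certificate
	ca, caKey := issue(template("Example Trusted CA", true, now.Add(-time.Hour), now.Add(365*24*time.Hour)), nil, nil)
	rogueCA, rogueKey := issue(template("Untrusted CA", true, now.Add(-time.Hour), now.Add(365*24*time.Hour)), nil, nil)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca) // only the first CA is in the "browser's" trusted list
	good, _ := issue(template(host, false, now.Add(-time.Hour), now.Add(24*time.Hour)), ca, caKey)
	expired, _ := issue(template(host, false, now.Add(-48*time.Hour), now.Add(-24*time.Hour)), ca, caKey)
	rogue, _ := issue(template(host, false, now.Add(-time.Hour), now.Add(24*time.Hour)), rogueCA, rogueKey)
	return map[string]string{
		"valid":        validate(good, trusted, host, now),
		"wrong-name":   validate(good, trusted, "gateway.example.net", now), // browser used another name
		"expired":      validate(expired, trusted, host, now),
		"untrusted-ca": validate(rogue, trusted, host, now),
	}
}

func main() {
	for scenario, outcome := range runScenarios(time.Now()) {
		fmt.Printf("%-13s -> %s\n", scenario, outcome)
	}
}
```

The "wrong-name" scenario is the case the DNS section describes: the certificate's host name is what a browser compares against the name it was given, so a CN3000 carrying the factory certificate must be reached as wireless.colubris.com (or be issued a certificate for the name actually used) to avoid a host name mismatch warning. Modern validators, including the one used here, read the host name from the Subject Alternative Name extension rather than the Common Name alone.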
