SSL Certificate chaining and

2:21 PM
SSL Certificate chaining and - through authentication

SSL authentication mandates the server before establishing the session and this is done in SSL handshake initial. Each resource that is in the service of any content or service must have its SSL server certificate that is used for authentication with the client. This may sound weird to start if the client initiates the connection still server must authenticate his identity necessarily the customer. Here's how the SSL trust model has been defined and managed today ...

Now the question is where you get the server certificate from? Well, you can create your own certificate using OpenSSL base and use to service tools. But how customer authenticates and approves the certificate ?? A certificate created by self has a transmitter (local), which is certainly not known to the customer and therefore the chain of trust can not be established. Thus, we have global certification authority issuing the final certificate and accumulate trust model that customers trust these CAs. If you check your client browser, there are a trusted certificate store where you will find ROOT and Intermediate CA certificates that customers trust.

So what is a chain of trust? This is the key ingredient of the full SSL authentication model. A customer said that if I know and trust the issuer of the server certificate, I can not establish the chain of trust so it can not trust the server certificate. A client can choose to ignore the chain of trust, but then you end up compromising the whole value offered by SSL. Anyone can forge a certificate for a different service and get connect to customers if the chain of trust is not validated.

You might wonder why I call trust "string" all the time. When the first trust model started each certificate was issued by the root or top-level Intermediate CA. Thus, the customer can trust your server certificate if it was issued by a CA level best because it has the CA in the trusted store. As the need and requirement of server certificates have increased, most of the key authorities created several levels Intermediate CA and end server certificate can be issued via CA at all levels. Now, customers only have high-level certificates and your certificate has been questioned by an intermediate CA that is five levels in the chain of trust. Unless you have the server certificate and the intermediate CA can complete the chain with this customer, confidence will not be established. This becomes a case scenario and common use since the certificate request.

On NetScaler you can add the server certificate and any intermediate CA certificates manually and then connect them to create a chain. This string must be manually created, which mostly is in configuration issues as:

- Server Separation and intermediate CA from flat file

- not the Certificates right format PEM

- one of the intermediate CA is placed in the wrong order

more, it is a tedious exercise to link the certificate to NetScaler. What we have done recently is to allow you to specify a package certificate that the server certificate and any intermediate CA certificates to complete the chain of trust. This improvement makes it very easy to get all the certificates together in a single flat file, and you chose to group them with a new option " YES -bundle" command in "add ssl Certkey". This new option reduces the effort and combines the following steps:

- Added a server certificate and key

- Added more intermediate certificates CA

- Bind the server certificate to the intermediate CA issuer

- Creating another link between the intermediate CA

More configuration, it takes a lot of effort to ensure that you build the correct channel so that the control of the trust is on the client end. This improvement allows you to get this complicated configuration performed in easy and simple steps ...

Previous
Next Post »
0 Komentar