Normal web traffic is sent unencrypted over the Internet. Anyone with access to the right tools can spy on all of that traffic. Obviously, this can lead to problems, especially where security and privacy are necessary, as with credit card data and bank transactions. The Secure Sockets Layer (SSL) is used to encrypt the data stream between the web server and the web client (the browser).
SSL makes use of what is known as asymmetric cryptography, commonly referred to as public key cryptography. With public key cryptography, two keys are created: one public and one private. Anything encrypted with either key can only be decrypted with its corresponding key. Thus, if a message or data stream is encrypted with the server's private key, it can be decrypted only with the corresponding public key, ensuring that the data could only have come from the server.
If SSL utilizes public key cryptography to encrypt the data stream traveling over the Internet, why is a certificate necessary? The technical answer to that question is that a certificate is not really necessary; the data is secure and cannot easily be decrypted by a third party. However, certificates do serve a crucial role in the communication process. The certificate, signed by a trusted Certifying Authority (CA), ensures that the certificate holder is really who he claims to be. Without a trusted, signed certificate, your data may be encrypted, but the party you are communicating with may not be who you think it is. Without certificates, impersonation attacks would be much more common.
Public Key Infrastructure (PKI) is the entire system that supports the implementation and operation of a certificate-based public key cryptographic system.
The RSA private key file is a digital file that you can use to decrypt messages sent to you. It has a public component that you distribute (via your Certificate file) which allows people to encrypt those messages to you. A Certificate Signing Request (CSR) is a digital file containing your public key and your name. You send the CSR to a Certifying Authority (CA) to be converted into a real Certificate. A Certificate contains your RSA public key, your name, the name of the CA, and is digitally signed by your CA. Browsers that know the CA can verify the signature on that Certificate, thereby obtaining your RSA public key. This enables them to send messages that only you can decrypt.
Digital Certificates contain the owner's public key, the owner's name, an expiration date, the name of the Certifying Authority that issued the Digital Certificate, a serial number, and perhaps some other information.
A Certificate does not have to be signed by a public CA. You can use your private key to sign the Certificate which contains your public key. This is commonly referred to as a "self-signed certificate". Client browsers will display a warning dialog indicating that the signing certificate authority is unknown and not trusted when trying to connect to an HTTPS server that uses a self-signed certificate. Users can eliminate this warning dialog by manually installing the certificate into their browsers.
The following OpenSSL command will create a self-signed certificate named MYCERT.PEM. This command uses a configuration file, XB2NET.CNF, that is included with the Xb2.NET OpenSSL distribution package. The generated certificate expires after 90 days, and the private key is written unencrypted (the -nodes option):
openssl req -new -x509 -days 90 -nodes -config xb2net.cnf -out mycert.pem -keyout mycert.pem
Here is a step-by-step description:
D:\OpenSSL>openssl req -new -nodes -keyout mykey.pem -out mycsr.pem -config xb2net.cnf -newkey rsa:2048
Loading 'screen' into random state - done
Generating a 4096 bit RSA private key
......................................++++++
............................++++++
writing new private key to 'mykey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:ON
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cool Software Inc.
Organizational Unit Name (eg, section) []:
Common Name (server domain/host name) []:coolsoftware.com
Email Address []:admin@coolsoftware.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
D:\OpenSSL>
Assuming that your certificate and private key were created as described above, you should have a file called MYCERT.PEM. You can reference this file as follows within your Xb2.NET application:
// define SSL context
oSSL := xbSSLContext():new( TLS_server_method )
// if the private key is password protected, you can supply the password using this method:
// oSSL:SetDefaultPassword("xYq9h750eL3")
oSSL:UseCertificateFile(".\SSL\MYCERT.PEM")
oSSL:UsePrivateKeyFile(".\SSL\MYKEY.PEM")
// check private key
if ! oSSL:CheckPrivateKey()
   MsgBox("Private key does not match certificate!" + chr(10) + xbSSLGetLastError())
endif
// attach SSL context to HTTP server instance
oHTTPS := xbHTTPServer():new(INADDR_ANY, 443, oSSL)
oHTTPS:start()
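The same checks can be made from the command line before the server is pointed at the files. This is an added shell example, not part of Xb2.NET or its OpenSSL package: it builds a throwaway self-signed certificate and then tests that the key matches the certificate (the condition CheckPrivateKey() reports), that issuer equals subject, how long the certificate remains valid, and that -nodes left the key unencrypted. The function names, demo.cnf (a constructed stand-in for XB2NET.CNF) and the file names are assumptions.

```shell
#!/bin/sh
# Added example: demo.cnf, file names and function names are constructed here.

make_demo_cert() {          # $1 = directory; writes demo.cnf, cert.pem, key.pem
    cat > "$1/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
O  = Cool Software Inc.
CN = coolsoftware.com
EOF
    # Options taken from the page's commands; key and certificate go to separate files
    openssl req -new -x509 -days 90 -nodes -newkey rsa:2048 \
        -config "$1/demo.cnf" -out "$1/cert.pem" -keyout "$1/key.pem" 2>/dev/null
}

key_matches_cert() {        # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]   # same public key on both sides
}

issuer_is_subject() {       # $1 = certificate; true when it is self-signed
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

valid_in_days() {           # $1 = certificate, $2 = days from now
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

key_is_unencrypted() {      # $1 = key file; -nodes leaves no ENCRYPTED marker
    ! grep -q ENCRYPTED "$1"
}

dir=$(mktemp -d)
make_demo_cert "$dir"
key_matches_cert "$dir/cert.pem" "$dir/key.pem" && echo "key matches certificate"
issuer_is_subject "$dir/cert.pem" && echo "issuer = subject (self-signed)"
valid_in_days "$dir/cert.pem" 30 || echo "renew: expires within 30 days"
key_is_unencrypted "$dir/key.pem" && echo "key unencrypted: restrict file access"
rm -rf "$dir"
```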