1 of 21

https://

Jiri Barton


Problem

server <-> internet <-> browser

The browser and the server talk across the internet, and anyone sitting on that path can read or change what passes between them.

10 of 21

Share a secret! (symmetric)

Decode_Key(Encode_Key(message)) == message, with one shared SYMMETRIC key

server <-> browser: both ends need the same key, but that key would have to cross the same untrusted internet.

11 of 21

Share half of the secret! (asymmetric)

Decode_Private(Encode_Public(message)) == message

Decode_Public(Encode_Private(message)) == message

The key comes in two halves: the public half can be handed to anyone, the private (secret) half never leaves the server.

server <-> browser

browser: https://....

server: here's my public certificate!

browser: encode_with_public

server: decode_with_secret (the private half)
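The two identities above, exercised with the openssl command line. This is an added example, not part of the original slides; the working directory, file names and the message text are assumptions made for the demo. The first function shows the browser side (encrypt with the public half) and the server side (decrypt with the private half); the second pair shows the reverse direction, which is what a signature is.

```shell
#!/bin/sh
# Added example, not from the original slides: the two asymmetric identities
# exercised with the openssl CLI. $WORK, the file names and the message text
# are assumptions made for this demo.
set -e

WORK=${WORK:-$(mktemp -d)}

# One key pair for the "server": the private half stays in $WORK/server.key,
# the public half (server.pub) is the "half of the secret" handed to the browser.
make_keypair() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/server.key" -pubout -out "$WORK/server.pub" 2>/dev/null
}

# Decode_Private(Encode_Public(m)) == m: anyone holding the public key can
# encrypt, only the private key holder can read it. Prints the recovered text.
roundtrip_encrypt() {
    printf '%s' "$1" > "$WORK/msg.txt"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/server.pub" \
        -in "$WORK/msg.txt" -out "$WORK/msg.enc"
    openssl pkeyutl -decrypt -inkey "$WORK/server.key" -in "$WORK/msg.enc"
}

# Decode_Public(Encode_Private(m)) == m, i.e. a signature: only the private
# key holder can produce it, anyone with the public key can check it.
sign_message() {
    printf '%s' "$1" > "$WORK/msg.txt"
    openssl dgst -sha256 -sign "$WORK/server.key" -out "$WORK/msg.sig" "$WORK/msg.txt"
}

# Returns 0 when msg.sig is a valid signature over the given text, 1 otherwise.
verify_message() {
    printf '%s' "$1" > "$WORK/check.txt"
    openssl dgst -sha256 -verify "$WORK/server.pub" \
        -signature "$WORK/msg.sig" "$WORK/check.txt" >/dev/null 2>&1
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 0; }
    make_keypair
    echo "decrypted: $(roundtrip_encrypt 'hello browser')"
    sign_message 'hello browser'
    verify_message 'hello browser' && echo "signature OK"
    verify_message 'hello br0wser' || echo "tampered message rejected"
}
main
```

Note that the signature check fails on a one-character change to the message: that is the property the next slides build on, because a certificate is exactly such a signature, made by a CA over the server's public key.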

12 of 21

Who are you?

server <-> browser

here's my public certificate!

The browser receives a public certificate, but nothing so far tells it whether that certificate came from the real server or from someone in the middle who swapped in their own.

13 of 21

Certificate Authority (CA)

- Verisign
- Thawte
- Geotrust
- Godaddy
- ...
- PostSignum
- TELE3
- me
- ...

14 of 21

Signed certificate

server <-> browser

browser: https://....

server: here's my public certificate!

browser: Okay! (the CA's signature on it checks out against a CA the browser already trusts)

browser: encode_with_public

15 of 21

Server certificates already!

server public cert, signed (by the CA)

server private key (the secret half; it never leaves the server)

Apache:

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/www.praguecityhostel.cz.crt
    SSLCertificateKeyFile /etc/ssl/private/www.praguecityhostel.cz.key

nginx:

    listen [::]:443 default_server ssl;
    ssl_certificate /etc/ssl/certs/www.praguecityhostel.cz.crt;
    ssl_certificate_key /etc/ssl/private/www.praguecityhostel.cz.key;

16 of 21

HOWTO

1. key

2. csr

3. (let) sign csr

4. get crt

5. install key & crt

files: key -> csr -> crt

17 of 21

1. key

    cd /etc/ssl
    mkdir -p private requests certs
    # the key is the secret half: keep it readable by root (and the web server) only
    openssl genrsa -out private/www.praguecityhostel.cz.key 2048

18 of 21

2. request

    openssl req -new \
        -key private/www.praguecityhostel.cz.key \
        -config /etc/ssl/openssl.cnf \
        -out requests/www.praguecityhostel.cz.csr

    cat requests/www.praguecityhostel.cz.csr

19 of 21

3. sign: hand the csr to the CA (or sign it yourself), get the crt back

20 of 21

4. install

Check each file before installing it (key, request and certificate respectively):

    openssl rsa -in FILENAME -noout -text
    openssl req -in FILENAME -noout -text
    openssl x509 -in FILENAME -noout -text
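The HOWTO steps carried through end to end, as an added example that is not part of the original slides. "me" from the CA list acts as the CA so that everything runs offline; in production step 3 is done by a public CA and only the csr leaves the server. SSLDIR, the demo CA name, the use of -subj instead of the interactive openssl.cnf prompts, and the subjectAltName extension file are assumptions made for the demo. The checks at the end are the ones worth running before pointing Apache or nginx at the files: the crt chains to the expected CA, the key and the crt belong together, and the host name is in the certificate.

```shell
#!/bin/sh
# Added example, not from the original slides: HOWTO steps 1-5 end to end,
# with "me" acting as the CA so it runs offline. SSLDIR, the demo CA name,
# -subj and the SAN extension file are assumptions; in production step 3 is
# done by a public CA and the private key never leaves the server.
set -e

SSLDIR=${SSLDIR:-$(mktemp -d)}
HOST=www.praguecityhostel.cz

setup_dirs() {
    mkdir -p "$SSLDIR/private" "$SSLDIR/requests" "$SSLDIR/certs"
    chmod 700 "$SSLDIR/private"          # only root (and the web server) may read keys
}

# 1. key: umask 077 so the file is created mode 0600, never world-readable.
make_key() {
    (umask 077; openssl genrsa -out "$SSLDIR/private/$HOST.key" 2048 2>/dev/null)
}

# 2. csr: -subj replaces the interactive prompts driven by openssl.cnf.
make_csr() {
    openssl req -new -key "$SSLDIR/private/$HOST.key" \
        -subj "/CN=$HOST" -out "$SSLDIR/requests/$HOST.csr"
}

# 3. sign: "me" as CA. A self-signed CA certificate signs the csr and adds the
# subjectAltName that browsers actually match the host name against.
make_ca() {
    (umask 077; openssl genrsa -out "$SSLDIR/private/ca.key" 2048 2>/dev/null)
    openssl req -x509 -new -key "$SSLDIR/private/ca.key" -days 3650 \
        -subj "/CN=me (demo CA)" -out "$SSLDIR/certs/ca.crt"
}

sign_csr() {
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$SSLDIR/requests/$HOST.ext"
    openssl x509 -req -in "$SSLDIR/requests/$HOST.csr" \
        -CA "$SSLDIR/certs/ca.crt" -CAkey "$SSLDIR/private/ca.key" -CAcreateserial \
        -days 365 -extfile "$SSLDIR/requests/$HOST.ext" \
        -out "$SSLDIR/certs/$HOST.crt" 2>/dev/null
}

# 4./5. get crt and install: checks to run before the files go into the config.
verify_chain() {          # the crt is signed by the CA we expect
    openssl verify -CAfile "$SSLDIR/certs/ca.crt" "$SSLDIR/certs/$HOST.crt" >/dev/null
}

key_matches_cert() {      # $1 key, $2 crt: same RSA modulus, so they belong together
    k=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
    [ "$k" = "$c" ]
}

cert_has_san() {          # the host name is present in subjectAltName
    openssl x509 -noout -text -in "$SSLDIR/certs/$HOST.crt" | grep -q "DNS:$HOST"
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 0; }
    setup_dirs; make_key; make_csr; make_ca; sign_csr
    verify_chain && echo "chain OK"
    key_matches_cert "$SSLDIR/private/$HOST.key" "$SSLDIR/certs/$HOST.crt" && echo "key matches crt"
    cert_has_san && echo "SAN OK"
    openssl x509 -noout -subject -issuer -dates -in "$SSLDIR/certs/$HOST.crt"
    echo "install: SSLCertificateFile $SSLDIR/certs/$HOST.crt, SSLCertificateKeyFile $SSLDIR/private/$HOST.key"
}
main
```

The key/crt modulus comparison is the check that catches the most common install mistake, a crt issued for a csr made from a different key; the web server would refuse to start, or worse, serve the wrong certificate, and this tells you before the restart.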

21 of 21

Shoot the messenger