During SSL communication, the web server stores a certificate with an asymmetric public/private key pair.
An SSL certificate contains:
- Asymmetric public key
- Asymmetric private key
- Subject – Identity of website/owner
During the SSL handshake, a session key is generated and exchanged for message encryption/decryption. The generated session key is always a symmetric key.
Flow of communication between server and client during the SSL handshake:
- Client Hello
  - The client first sends a request to the server.
  - It sends the SSL version number, cipher settings and session-specific data.
- Server Hello
  - The server shares its asymmetric public key and SSL certificate with the client.
  - It sends the SSL version number, cipher settings and session-specific data.
- Authentication & Pre-Master Secret
  - The client first validates the certificate.
  - The client then generates the symmetric session key based on the cipher, encrypts it using the server's public key and sends it to the server.
- Decryption & Master Secret
  - The server decrypts the message using its asymmetric private key to get the symmetric session key.
- Encryption with Session Key
  - The server then sends an acknowledgment message encrypted using the session key.
  - This session key is used for all future encryption/decryption of messages exchanged between the client and the server, in both directions.
Process to get a certificate:
- Browsers these days come with a list of trusted certificates signed by different certificate authorities (CAs).
- The server first creates a CSR (Certificate Signing Request), which in turn creates a public/private key pair.
- The server then sends the CSR data file + public key to the CA (Certificate Authority).
- The CA uses the data file to create the data structure.
- The SSL certificate is now issued to the server.
- The server should now install the Certificate Authority root certificate.
- The intermediate Certificate Authority certificates are also installed. This is required for establishing credibility between the SSL certificate and the CA root certificate.
- SSL certificate -> digitally signed by the CA
- These are trusted by all major browsers.
Chain of Certificate
Root CA Certificate -> Intermediate Certificate -> SSL Certificate
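
The issuance steps and the Root CA -> Intermediate -> SSL certificate chain described above, as an added example (not from the original page) using the openssl command-line tool. All subject names, file names and the 30-day lifetime are constructed for the demo; it shows that the CSR carries only the public key and that chain verification fails when the intermediate certificate is missing.

```shell
#!/bin/sh
# Added example: throwaway Root CA -> Intermediate CA -> server certificate.
# Subject names, file names and lifetimes are constructed for this demo.

new_key_and_csr() {   # $1 = file prefix, $2 = subject common name
    openssl genrsa -out "$1.key" 2048 2>/dev/null &&
    openssl req -new -config req.cnf -key "$1.key" -subj "/CN=$2" -out "$1.csr"
}

make_chain() (        # $1 = empty working directory; subshell keeps cd local
    set -e
    cd "$1"
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=unused\n' > req.cnf
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

    # Root CA: its certificate is signed with its own private key.
    new_key_and_csr root "Demo Root CA"
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 30 -out root.crt 2>/dev/null

    # Intermediate CA: its CSR is signed with the root's private key.
    new_key_and_csr inter "Demo Intermediate CA"
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 30 -out inter.crt 2>/dev/null

    # Server: key pair is generated locally; only the CSR goes to the CA.
    new_key_and_csr server "www.example.test"
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -extfile leaf.ext -days 30 -out server.crt 2>/dev/null
)

# The public key carried in the CSR equals the public half of server.key.
csr_matches_key() (
    cd "$1" &&
    [ "$(openssl req -in server.csr -noout -pubkey)" = \
      "$(openssl pkey -in server.key -pubout)" ]
)

# Chain check as a client performs it: the root is the trust anchor, the
# intermediate is untrusted input that must link server.crt to that root.
verify_with_intermediate() (
    cd "$1" && openssl verify -CAfile root.crt -untrusted inter.crt server.crt
)
verify_without_intermediate() (
    cd "$1" && openssl verify -CAfile root.crt server.crt
)
```

Run `make_chain` on an empty directory, then call the two verify functions on it: the first prints `server.crt: OK`, the second fails because the issuer of the server certificate cannot be found.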