How SSL works (tutorial)

Introduction

HTTPS Client Authentication is a secure method of authentication which uses HTTP over SSL (HTTPS). So the server authenticates the client using the client’s Public Key Certificate (PKC). Secure Sockets Layer (SSL) technology provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection.

You can think of a public key certificate as the digital equivalent of a passport. It is issued by a trusted organization, which is called a certificate authority (CA), and provides identification for the bearer.

HTTP + SSL = HTTPS

Certificate authority (CA)

The certificate authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. So, the CA assures you that no one posses a certificate for a domain which is not their own.

This allows clients to rely upon signatures made about the private key that corresponds to the certified public key. In this model of trust relationships, a CA is a third-party trusted both by the client and the server.

The certificate format

The certificates formats are based upon the X.509 standard. The structure of an X.509 v3 digital certificate is as follows:

  • Certificate

    • Version Number

    • Serial Number

    • Signature Algorithm ID

    • Issuer Name

    • Validity period

    • Subject name

    • Subject Public Key Info

    • Issuer Unique Identifier (optional)

    • Subject Unique Identifier (optional)

    • Extensions (optional)

  • Certificate Signature Algorithm

  • Certificate Signature

SSL negotation

During the SSL negotiation process, the server identifies itself to the client by sending the server certificate. The server certificate’s main purpose is to allow the client to determine that the server is indeed the server it claims to be.

To fulfill its purpose, the server certificate contains the server’s ID information (name, address, description, etc.) and its public key. It also contains a digital signature, signed by the CA, which authenticates this information.

The client must trust the CA in order to accept its signature on a certificate. Furthermore, the trust relationship between the client and the CA must be established prior to the communication session. Usually, client software (for example, Internet browsers as Google Chrome) include a set of trusted CA certificates.

This makes sense, as many users need to trust their client software. Therefore, once a trusted CA’s certificate is stored on the client, it will accept certificates signed by that CA from the SSL server it connects to.

Before using SSL connections with WiFi or 4G modules, you must make sure that the CA certificate is being installed to the module.

Last updated