SSL Concepts

2020-03-01 17:05 #commit

I need to get https working on my development environment to test PWAs. But, how does https work? The main concepts here are key pairs, signing request and certificates. I had some trouble at first with these, so let’s start with an example.

Imagine that the Internet didn’t exist and you wanted to sell expensive tickets for an event. There are multiple vendors, and on other times it's been found that people are selling fake tickets. What could you do? A possible way to do it would be this: first, you would need a previous process to prove that you can sell the tickets:

1. You fill out a form with the event’s data and put your signature on it.
2. You send that form to a notary public.
3. The notary public checks that you can sell tickets.
4. The notary fills out a new form with the data you send to it, maybe modifying some fields, and signs it. That new form contains a copy of your signature.
5. The notary sends that form to you.

Now you can sell tickets this way:

1. A client wants to buy a ticket, and ask you for identification.
2. You send a copy of the form that the notary sent to you.
3. The client checks the notary signature, to see if it’s authentic.
4. The client then sends you the money.
5. You send back the ticket signed by you. The client is sure that is an authentic ticket because she trusts the notary.

(Note that we are not addressing the payment issues here: you could get the client’s money and never send her the ticket)

The key point here is that the client must trust the notary signature, or you could fake it. The client doesn’t trust you, only trust the notary. But the notary told her that you can be trusted on this, so the client trust you.

There is a problem: the client can’t trust every notary in the country. But maybe it trusts the Mayor of his village. So the notary would need a paper signed by the mayor trusting that notary (I think that’s called an “apostille”) using the same system as you did with the notary.

Given this system, what would be the equivalent concepts in SSL?:

• Your signature (and notary’s signature) would be a public-private RSA key.
• The form you send to the notary would be a Certificate Signing Request
• The notary is a Certification Authority
• The form the notary sent back to you, signed by her, would be the Domain’s Certificate
• The notary has a certificate too, but nobody has trusted it. It’s a self-signed certificate. It’s only valid if you already trust the notary.

So, to test https in development, we should:

1. Generate a self-signed certificate for a Certification Authority and configure the browser to trust it.
2. Generate your signature (a RSA key pair)
3. Generate a certificate signing request for your development’s domain.
4. Create a certificate from that request, signed by the certification authority.
5. Use that certificate in your development’s browser.

I hope that the concept is clearer now. Time to get back to code.