What is an SSL certificate?
An SSL certificate is the core element of the SSL security protocol. It is used so that information transmitted between two parties connected over the Internet is fully protected; the most widespread case is the HTTPS protocol, which is used to connect securely to a web server. SSL certificates consist of two parts, a public one and a private one. The public part is responsible for encrypting the information, and the private part for decrypting it.
SSL certificate on Google.com
Because it is an open protocol, it can be used with most of the widespread communication services on the Internet, such as HTTP, FTP, SMTP, IMAP or POP3, among others, to which SSL adds a security layer (HTTP → HTTPS, FTP → FTPS, etc.). For example, the protocol can be used when a user accesses a web site, when a mail client such as Outlook or Thunderbird connects to a mail server, or when two connected applications establish a communication, among many other cases.
SSL certificates to implement the HTTPS protocol
In this case, an SSL certificate provides security to the visitor of a web site. Its purpose is to identify the server to any visitor and to provide encrypted communication that preserves the confidentiality and integrity of the data. It consists of several pieces of key material, held in various files, that serve to implement the SSL/TLS protocol on a web site and thus establish HTTPS communication between the client and the server.
In this way, an SSL certificate prevents communications from being intercepted or modified by unauthorized parties. It is composed of three main parts:
- SSL certificate: the public part. It is a single file, and it is the first thing a client receives when it connects to the server over HTTPS. It contains the domain name and attests that you are indeed communicating with the party the server claims to be.
- The private key: it must be stored securely and must never be given out under any circumstances. It works as a seal: it "seals" the communication and proves that the server really is who it claims to be.
- Intermediate certificates: certification authorities (CAs) are third parties trusted by operating systems and browsers. They are responsible for issuing certificates, and will only do so if they can verify that the person or organization requesting one owns the domain to be certified. The intermediate certificates are the ones with which the CA signs the server certificates it issues.
SSL certificates for e-mail protocols
The most widespread e-mail services have a version that supports the use of an SSL certificate, giving rise to the secure version of the protocols. In this way the IMAP, SMTP and POP protocols give rise to their secure versions, named IMAPS, SMTPS and POP3S respectively. The mail client must support this type of connection. For it to work correctly, the mail server must have a valid certificate installed for the correct domain. The connection ports usually used for these protocols are the following:
- SMTPS: 465
- IMAPS: 993
- POP3S: 995
However, these ports can be customized by the server administrator. Implementing SSL on a mail server allows all e-mail traffic between the server and the client to travel securely, so that it cannot be intercepted or modified by anyone.
It also serves to correctly identify the server and thus guarantee its identity. So if the domain for which the certificate was issued differs from the server's name, you get an identity error. This also means that the mail server must be named with a public domain (local domains such as .local are not valid), so that the entities issuing SSL certificates can verify its identity.
Alert message displayed by Outlook when the domain name does not match the certificate installed on the mail server
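The identity check behind that Outlook warning, as an added example that is not from the original page: it connects to an implicit-TLS mail port (993 by default), lets OpenSSL validate the chain, and then reports whether the certificate's names cover the server's hostname and how long the certificate remains valid. `SAMPLE_CERT` is a constructed value in the shape Python's `ssl` module returns, and the `example.com` names in it are assumptions.

```python
import socket
import ssl
import time

# Constructed sample in the exact shape ssl.SSLSocket.getpeercert() returns
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: '*' is allowed only as the whole leftmost label
    and it matches exactly one label (*.example.com does not cover example.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == hostname


def cert_names(cert: dict) -> list:
    """DNS names the certificate was issued for. subjectAltName wins;
    commonName is only consulted for old certificates without a SAN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    return any(_name_matches(name, hostname) for name in cert_names(cert))


def days_until_expiry(cert: dict, now: float) -> int:
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def check_mail_server(host: str, port: int = 993, timeout: float = 5.0) -> dict:
    """Implicit-TLS ports only (465/993/995; 587 needs STARTTLS first).
    OpenSSL verifies the chain; a self-signed cert raises SSLCertVerificationError.
    The name check is done here so a mismatch is reported instead of just aborting."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # we report the mismatch ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must still reach a trusted CA
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {"names": cert_names(cert),
            "name_ok": hostname_matches(cert, host),
            "days_left": days_until_expiry(cert, time.time())}
```

A `name_ok` of `False` is exactly the situation the screenshot shows; a negative `days_left` means the certificate has expired.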
SSL certificates for implementing the FTPS Protocol
The FTP protocol is the most widespread one for transferring files between connected systems, and FTPS, its secure version, allows those transfers to be made securely. To implement it, an SSL/TLS layer is placed beneath the standard FTP protocol, which encrypts the transferred data so that it cannot be intercepted or modified by unauthorized parties.
FTPS runs by default on port 990, although it requires other ports to operate: specifically port 989 for data transmission, as well as further ports if passive connections are needed.
Certificate SSL installed on the Redalia web site.
Now that we know the parts that make up an SSL certificate, we will detail below how it works.
How SSL certificates work in the HTTPS protocol
In a first step, an encrypted communication is established using asymmetric encryption (with a public key and a private key). The SSL certificate is public and available to anyone who accesses the web site. It carries a public key that allows the browser accessing the web site to encrypt information that only the server can decrypt with its private key (which must always be kept private). Specifically, the information the browser sends is the symmetric key with which the rest of the communication will be carried out. This ensures that the key is known only by the two parties authorized to establish the communication. From that moment on, the information travelling in both directions is encrypted with that key, which guarantees its confidentiality and integrity.
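The exchange just described, as an added example that is not from the original page: the browser wraps a fresh session key with the server's RSA public key, only the holder of the private exponent unwraps it, and every later record is then protected with a per-record keystream for confidentiality and an HMAC tag for integrity. The two Mersenne primes, the 16-byte key size and the unpadded textbook RSA are assumptions made so the exchange stays readable; real TLS applied PKCS#1 padding to the RSA key exchange, and TLS 1.3 replaced it with ephemeral Diffie-Hellman.

```python
import hashlib
import hmac
import secrets

# Toy RSA key pair from two Mersenne primes (assumption; real servers use
# 2048-bit keys generated with openssl). D never leaves the server.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
KEY_LEN = 16  # 128-bit session key, which as an integer is well below N


def client_wrap_key(session_key: bytes) -> int:
    """Browser side: encrypt the symmetric key with the server's public key."""
    return pow(int.from_bytes(session_key, "big"), E, N)


def server_unwrap_key(wrapped: int) -> bytes:
    """Server side: only the holder of D can recover the session key."""
    return pow(wrapped, D, N).to_bytes(KEY_LEN, "big")


def _subkey(session_key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys derived from the one shared key."""
    return hashlib.sha256(label + session_key).digest()


def _keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream; seq is the record number, so it never repeats."""
    out = b""
    for block in range((length + 31) // 32):
        msg = seq.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(enc_key, msg, hashlib.sha256).digest()
    return out[:length]


def seal(session_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Confidentiality (XOR with keystream) plus integrity (tag over seq||ct)."""
    stream = _keystream(_subkey(session_key, b"enc"), seq, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    mac = hmac.new(_subkey(session_key, b"mac"), seq.to_bytes(8, "big") + ct, hashlib.sha256)
    return mac.digest() + ct


def open_record(session_key: bytes, seq: int, record: bytes) -> bytes:
    """Verify the tag before decrypting; any change in transit is rejected."""
    tag, ct = record[:32], record[32:]
    mac = hmac.new(_subkey(session_key, b"mac"), seq.to_bytes(8, "big") + ct, hashlib.sha256)
    if not hmac.compare_digest(tag, mac.digest()):
        raise ValueError("record was modified in transit")
    stream = _keystream(_subkey(session_key, b"enc"), seq, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


if __name__ == "__main__":
    k = secrets.token_bytes(KEY_LEN)  # chosen by the browser, sent only wrapped
    assert server_unwrap_key(client_wrap_key(k)) == k
    print(open_record(k, 0, seal(k, 0, b"GET / HTTP/1.1")))
```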
In the whole process, none of the intermediate certificates has been mentioned. What are intermediate certificates for? Their purpose is to ensure that the person or organization behind the certificate is who they say they are and is authorized to use that domain. Intermediate certificates are issued by the certification authorities or CAs, third parties recognised by the browsers, and they are responsible for sealing the SSL certificate in order to validate it.
Intermediate certificates on the Redalia web site.
Does that mean that an SSL certificate can only be issued by a recognized CA? No, a certificate can be self-signed, or signed by an authority that is not recognised. The problem is that the vast majority of web browsers will show a clear error and will ask the users accessing the site to authorize access to it under their own responsibility.