- a server in order to enable SSL
Why ? Because when a application (for instance a browser) connect to a server (for instance a web server), it can authenticate the server via its certificate (cert-based authentication) and the SSL handshake can then take place.
This certificate usage is also known as the SSL/TLS Web Server Authentication or server authentication for short.
In the handshake, the client can also authenticate itself to the server if it presents its certificat known as the client certificate but this is optional.
To enable ssl (https) on a server, you need:
- It's a private entity and should not be shared (only the owner should have access)
- However, it must be readable by the web server process in order to:
- It was used to create the certificate signing request
- The private key may be stored in its own file or alternately in the same file as the certificate
- A server domain validated certificate.
- It's a public entity and can be shared
- It is sent to every client that connects to the server in order to verify the server identity
- The size should be at minimum 2048 1)
- It must present the DNS name of the server in the Subject Alternative Name extension of the certificate. 2)
- It must have the usage
For test purpose or for internal use you can be your own CA and self signed your certificate
Once you got the signed certificate and the private key, you can configure your server:
For HTTP server:
- Nginx: Nginx - Https configuration
How to see the server certificate in the browser ?
You can see the certificate of the web site in the browser
What happens when the certificate is bad ?
Example (when the certificate is open with portecle)
If you access this website with the above certificate, you got a warning (Example below in firefox)