How to implement SSL or TLS secure communications
This information is also available as a TechRepublic download.
SSL (Secure Socket Layer) and its successor TLS (Transport Layer Security) are two technologies that enable secure communications on a massive global scale. To facilitate SSL or TLS encryption between any two computers, an X.509 Digital Certificate is required on at least one end of the connection. The Digital Certificate is usually installed at the Server end because that makes it simple for any end user to make a secure SSL or TLS connection to the server without a Digital Certificate on the client end. A trusted third party called a CA (Certificate Authority), such as VeriSign, Entrust, GeoTrust, or GoDaddy, asserts the authenticity of the Digital Certificate with a Digital Signature so that the client knows the Server isn’t fake. This trust comes from the fact that these Certificate Authorities have their Root Certificates, with their Public Keys, pre-installed in nearly every Operating System and Application on the market.
Therefore, to enable SSL or TLS secure communications between a Server and the general public, Server administrators need to acquire a Digital Certificate from a trusted third-party CA, which is usually done through an offline web-based request. Since I’ve gotten requests from Administrators who read my blog entry “A secure Wireless LAN hotspot for anonymous users” asking how to go about doing this, I’ve created the following procedure for buying a Digital Certificate. This procedure works on VPN Concentrators, Web Servers, RADIUS Servers, or anything else that uses standard X.509 Digital Certificates.
The Certificate generated using this Windows-based procedure will work for any device or Operating System that uses standard X.509 Digital Certificates. No additional tools are needed if you’re running this procedure on a Windows Vista computer. On any other version of Windows Client or Server OS, you will need to make sure that the Windows Server 2003 Admin Pack is installed so that the needed command line tools are available to you. You can download a copy here from Microsoft, but it is also available on any Windows Server 2003 installation CD. There is an alternative procedure if Microsoft IIS is installed, but this procedure will focus on the command line technique.
The first step is to prepare a text file that contains the desired parameters in the following format. You will need to put in your own server name with your DNS qualifier at the end of it. The “CN” field is the Common Name field, and it is the key identifier for our Digital Certificate. If we were going to set up a secure server called secure.zdnet.com, for example, the CN field will need to be secure.zdnet.com. If we were setting up a secure RADIUS server for Wireless LAN authentication, we could call it something like RADIUS.zdnet.com. We can create a file called CSRParameters.txt and put in the following text.
[NewRequest]
; Subject is an X.500 name; the quotes must be straight ASCII quotes, not curly quotes pasted from a web page
Subject="CN=MyServerName.MyDomainName.com,C=GB"
; size of the RSA key pair that certreq generates
KeyLength=2048
; keep the private key in the machine key set rather than the current user's profile
MachineKeySet=TRUE
; suppress interactive prompts
Silent=TRUE
; allow the private key to be exported later (for example for backup)
Exportable=TRUE
Assuming you’re running Windows Vista or you’ve installed the Windows Server 2003 Admin Pack on Windows Server 2003 or Windows XP, you will need to start a command prompt. Windows Vista requires the following special procedure to start a command prompt in Administrator mode.
Start a Vista command prompt as Administrator:

Hit the “Start” button on the keyboard (CTRL-ESC) and type “cmd”. You’ll find cmd.exe returned on the top of the start menu where you will then right click on cmd.exe. Click “Run as administrator” and Windows Vista UAC will ask you for permission to escalate permissions. Click “Continue” and you’ll get a command prompt that’s running under the context of Administrator. If you’re running older versions of Windows, you just log in as any Administrator and hit the “Start” and “Run” command and launch cmd.exe.
Once you’re at the command prompt, type the following command to generate a CSR (Certificate Signing Request):
certreq -new CSRParameters.txt CSROutput.txt
Note that this is assuming CSRParameters.txt is in the directory that you’re running the command in. If it isn’t in the same directory, you’ll either need to move it there or type out the entire path of the file for the input parameters. After a few seconds, the output file called CSROutput.txt will be generated and you’ll be able to open it up like any text file.
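The whole procedure above, scripted end to end, as an added example that is not part of the original post: it writes the INF file with straight quotes, runs certreq -new, and then checks the resulting request before it is sent to a CA. The host name is a placeholder; the Subject Alternative Name section is an addition beyond the post's INF file, since modern clients expect the DNS name there as well as in CN. Run it from an elevated prompt, as the post describes.

```powershell
# Added example (not from the original post): generate a 2048-bit RSA key pair and a
# PKCS#10 CSR with certreq, then inspect the request before submitting it to a CA.
# Assumptions: elevated PowerShell prompt; $ServerName is a placeholder FQDN.

$ServerName = 'secure.example.com'            # placeholder, replace with your own FQDN
$InfPath    = Join-Path $PWD 'CSRParameters.txt'
$CsrPath    = Join-Path $PWD 'CSROutput.txt'

# Straight ASCII quotes are required: certreq cannot parse curly quotes copied from
# a web page. The [Extensions] section adds a Subject Alternative Name (OID 2.5.29.17)
# carrying the same DNS name as CN.
$inf = @"
[NewRequest]
Subject="CN=$ServerName,C=GB"
KeyLength=2048
HashAlgorithm=sha256
MachineKeySet=TRUE
Silent=TRUE
Exportable=TRUE
RequestType=PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$ServerName&"
"@
Set-Content -Path $InfPath -Value $inf -Encoding ASCII

# Generate the key pair in the machine key store and write the CSR.
& certreq.exe -new $InfPath $CsrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Check 1: the output is a PEM-armoured request, which is what a CA's web form expects.
$csr = Get-Content -Path $CsrPath -Raw
if ($csr -notmatch '-----BEGIN NEW CERTIFICATE REQUEST-----') {
    throw 'CSROutput.txt does not look like a PEM-encoded certificate request'
}

# Check 2: decode the request and confirm the subject, SAN and key size. A CA signs
# whatever is in the CSR, so a typo in CN is only cheap to fix before submission.
$dump = & certutil.exe -dump $CsrPath
$dump | Select-String -Pattern 'Subject:|CN=|DNS Name=|Public Key Length'

# Check 3: the pending request and its private key live in the machine REQUEST store
# until the issued certificate is installed with "certreq -accept <issued.cer>".
& certutil.exe -store REQUEST | Select-String -Pattern 'Subject:|Provider|Private key'
```

The same INF keys work on any Windows version that ships certreq; on Windows XP or Server 2003 the Admin Pack mentioned in the post supplies certreq.exe and certutil.exe.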