Digital certificates

Written on 9 February 2015, 09:33pm


TL;DR:
A digital certificate binds an individual’s identity to their public key; it proves ownership of that public key. Digital certificates are like passports, and they are a fundamental part of the PKI (Public Key Infrastructure).

Class of certificates (this might differ according to the issuer):
class 1: individual (email + domain verification)
class 2: software developer (physical ID verification)
class 3: company (face to face verification)

Creation, storage and distribution of digital certificate
CA – Certificate Authority – issues and verifies the digital certificates
RA – Registration Authority – verifies the identity of users requesting a digital certificate

The RA verifies the identity of the certificate requestor on behalf of the CA.
The CA generates the certificate using the information forwarded by the RA.

Root certificate
All web browsers come with an extensive built-in list of trusted root certificates.

X.509 is a standard – for the structure of the digital certificate

Types of certificates
A certificate provider can opt to issue three types of certificates, each requiring its own degree of vetting rigor. In order of increasing rigor (and naturally, cost) they are:
– Domain Validation
– Organization Validation and
– Extended Validation -> activates the green address bar 🙂


ExtendedSSL is an Extended Validation Certificate, the highest class of SSL available today.

ExtendedSSL activates the green address bar and displays your organization name in the browser interface. These prominent security indicators increase user trust in your website and increase its credibility, leading to more sales conversions.
From €679/year
https://www.globalsign.com/en/ssl/ev-ssl/

Digital certificates can also be used for client authentication.
You can install a certificate in the browser and authenticate with it on certain websites. However, it is your responsibility that no one else gets physical access to your workstation (3rd law of security).
More about this

Encryption algorithms

Written on 9 February 2015, 05:36pm


A quick note about the 2 types of encryption algorithms:

1. Symmetric encryption

– Oldest, fastest and more common
– Key management is critical
– Best encryption algorithms: the ones that are public
– Public algorithm, private key. “Good security systems rely on the private key for security, not on the algorithm itself”

Suppose you installed the biggest, strongest, most secure lock in the world on your front door, but you put the key under the front door mat. It wouldn’t really matter how strong the lock is, would it?
10 Immutable Laws of Security

2. Asymmetric encryption (Public key cryptography)

– uses both public and private keys
– key management is part of the algorithm
– it’s slower than symmetric encryption
– it can be used for both encryption and digital signature (digital signatures: hashing + asymmetric encryption)
– relies on digital certificates


CFHTTP calling HTTPS urls

Written on 6 February 2015, 02:46pm


To use HTTPS with the cfhttp tag, you might need to manually import the certificate for each web server into the keystore for the JRE that ColdFusion uses.
Adobe

Here is how to do that:
1. Load the HTTPS url in your browser and export the certificate as a .cer file (see link above for more details)

2. Copy the .cer file to the CF server

3. Locate the path of ‘Java Home’ in CF Admin. It should be something like /usr/java/jre1.7.0_51, usually with a symlink to /usr/java/default.
The keystore location should be {Java Home}/lib/security/cacerts and it is password protected.

4. Import the .cer file into the keystore:

# /usr/java/default/bin/keytool -import \
    -keystore /usr/java/default/lib/security/cacerts \
    -alias thomas -file thomas.cer -storepass changeit

5. Check that the certificate was installed:

# /usr/java/default/bin/keytool -list \
    -keystore /usr/java/default/lib/security/cacerts \
    -storepass changeit -alias thomas
# thomas, Feb 6, 2015, trustedCertEntry, Certificate fingerprint (SHA1): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

6. Restart ColdFusion server

See also this and that.
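
Step 4 makes the JRE trust whatever is in the .cer file, so it helps to compare the file's fingerprint with one obtained out of band before importing it. The following is an added example, not part of the original post: it computes the fingerprint in the layout keytool prints in step 5, for both binary (DER) and Base64 (PEM) exports. The function names and the sample bytes are assumptions made for the illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(cer_bytes):
    """Return the DER bytes of an exported .cer (binary DER or Base64/PEM)."""
    m = PEM_RE.search(cer_bytes)
    der = base64.b64decode(m.group(1)) if m else cer_bytes
    # A certificate is one DER SEQUENCE: tag 0x30, then a length that must
    # account for every remaining byte. This catches truncated exports.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER certificate")
    if der[1] < 0x80:
        header, body = 2, der[1]
    else:
        n = der[1] & 0x7F
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + body != len(der):
        raise ValueError("truncated or padded certificate file")
    return der


def fingerprint(cer_bytes, algo="sha1"):
    """Colon-separated upper-case hex digest, as in the keytool -list output."""
    digest = hashlib.new(algo, to_der(cer_bytes)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(cer_bytes, expected, algo="sha1"):
    """Compare with a known-good fingerprint, ignoring case and separators."""
    wanted = re.sub(r"[^0-9A-Fa-f]", "", expected).upper()
    return wanted == fingerprint(cer_bytes, algo).replace(":", "")


# Constructed stand-in bytes with a valid DER header (not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Both export formats of the same certificate give the same fingerprint.
    print("DER:", fingerprint(SAMPLE_DER))
    print("PEM:", fingerprint(SAMPLE_PEM))
    print("SHA-256:", fingerprint(SAMPLE_PEM, "sha256"))
```

Pass `algo="sha256"` when the reference fingerprint or the local keytool output uses SHA-256 instead of SHA1.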