Using SSL security, certificates and verify peer etc

Introduction

This is a brief discussion about how SSL Security works at a conceptual level – it does not cover technical issues.

In principle it is quite simple: you have two encryption keys, a Private Key that you never share with anyone, and a Public Key that you share with everyone. Anyone who wants to send you an encrypted message will encrypt it using your public key, and only you can decrypt the message using your private key. This way only you can read the message that is being sent to you.

However, public and private keys are not enough unless you know the person you are communicating with. In reality we want to communicate with people that we don't know and find out who they are, and we want those people to find out who we are too. To know who we are communicating with we use a Private Key Certificate and a Public Key Certificate, which contain keys and information to confirm our identity. These certificates are issued by official Certificate Authorities that verify the identity information in the certificates. Then, to establish encrypted communication between two parties, each party shares its Public Key Certificate (which contains its public key and identity information) with the other; the Private Key Certificate is never shared.

The final step is the Verify Peer option. This simply means that you check the validity of the certificate someone (the "peer") sends to you. And if they are smart they will check your certificate too. Basically this confirms that the certificate the person is sending to you was actually issued by an official Certificate Authority. To do this, the Public Key Certificate names the CA that issued it and carries that CA's signature, which is automatically checked against a Certificate Authority file (a file that contains the certificates for known valid CAs). So please always use the Verify Peer option, it makes things much more secure.

Note: The Iguana install contains a sample Certificate Authority file in the <install>/ca-bundle/ directory. These certificates were extracted from Mozilla's root certificates file (certdata.txt).

Issues

  1. Should I use SSL Security?
  2. Should I use the Verify Peer option?
  3. How can I add my CA to a Certificate Authority file?

Solutions

Ideally you should use SSL security with the Verify Peer option enabled if you want your communications to be private.

  1. Should I use SSL Security? You should definitely use SSL security if you need your communications to be private.

    You will need to purchase a Private Key Certificate, and a Public Key Certificate from an official Certificate Authority. Then you will need to supply these in Iguana when you are using SSL.

  2. Should I use the Verify Peer option? When using SSL you should always select the Verify Peer option for the best security.

    You will need to supply a valid Certificate Authority file when using the Verify Peer option in Iguana.
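The difference between Verify Peer on and off, as described in the introduction and in item 2 above, can be made concrete with Python's standard `ssl` module. This is an added example, not Iguana's code or configuration: Iguana exposes Verify Peer as an option, and the functions below only show what that option means for a TLS client. The `CA_BUNDLE` path is a placeholder standing in for a real Certificate Authority file such as the sample under `<install>/ca-bundle/`.

```python
import socket
import ssl

# Placeholder for the Certificate Authority file, e.g. the sample bundle that
# the text says lives under <install>/ca-bundle/; substitute the real path.
CA_BUNDLE = "/path/to/ca-bundle.pem"  # placeholder, not a real path


def make_verifying_context(cafile=None):
    """Client context with the equivalent of 'Verify Peer' enabled.

    The peer must present a certificate, it must chain to a CA in `cafile`
    (or the platform trust store when cafile is None), and the hostname we
    connected to must match the certificate.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    # create_default_context already sets both; restated so the intent is visible.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_unverified_context():
    """The 'Verify Peer' disabled equivalent: the traffic is encrypted, but any
    certificate at all is accepted, so you do not know who you are talking to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_verifying(ctx):
    """True when the context both requires a peer certificate and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def audit_context(ctx):
    """Return human-readable findings for a context that would not verify its peer."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.verify_mode == ssl.CERT_REQUIRED and ctx.cert_store_stats()["x509_ca"] == 0:
        # Verify Peer with no CA file loaded: every handshake fails instead of being checked.
        findings.append("no CA certificates loaded; supply a Certificate Authority file")
    return findings


def open_verified_connection(host, port=443, cafile=CA_BUNDLE):
    """Connect with verification on. Raises ssl.SSLCertVerificationError when the
    peer's certificate was not issued by a CA in the bundle or does not match host."""
    ctx = make_verifying_context(cafile)
    sock = socket.create_connection((host, port))
    return ctx.wrap_socket(sock, server_hostname=host)
```

`audit_context` also catches the mistake item 2 warns about in reverse: verification switched on but no Certificate Authority file supplied, which makes every handshake fail rather than silently succeed.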

  3. How can I add my CA to a Certificate Authority file? We suggest that you get a valid Certificate Authority file from your CA (or another reputable source) rather than changing the file yourself.

    Most reputable CAs should already be included in a Certificate Authority file like the Mozilla-based sample that is supplied with Iguana. If you need to add your CA to this file, perhaps you should be asking whether they are a reputable CA and considering whether you should get your certificates from another source.

    You can add a PEM format CA certificate to a certificate file by copying the CA's own certificate (in PEM format) from the certificates supplied by your CA and appending it to the file.
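If you do have to append a CA certificate to a bundle, it is worth doing it with a check rather than a blind copy-and-paste. The script below is an added example, not part of Iguana or of the Mozilla bundle: it parses the PEM blocks in a Certificate Authority file, appends only certificates that are not already present, and refuses input that contains a private key (which, as the introduction says, is never shared). The sample certificates are constructed stand-ins (base64 of a label, not real DER) so the script runs offline; real bundles such as the Mozilla extraction also carry comment lines naming each CA, which the parser ignores.

```python
import base64
import binascii
import re

# One PEM certificate block; re.S lets the body span lines.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def parse_pem_bundle(text):
    """Return the base64 bodies (whitespace removed) of every certificate in a bundle.

    Raises ValueError if a block is not valid base64, so a corrupted bundle is
    noticed here rather than at the first failed handshake.
    """
    bodies = []
    for raw in PEM_CERT_RE.findall(text):
        body = re.sub(r"\s+", "", raw)
        try:
            base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError("malformed certificate block in bundle") from exc
        bodies.append(body)
    return bodies


def normalise_pem(body):
    """Re-wrap a stripped base64 body as a canonical PEM block with 64-character lines."""
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def contains_private_key(text):
    """True if the text carries any PEM private-key block (RSA, EC, PKCS#8, ...)."""
    return "PRIVATE KEY-----" in text


def add_ca_to_bundle(bundle_text, new_cert_text):
    """Append the certificates in new_cert_text that the bundle lacks.

    Returns (updated_bundle_text, number_added). The bundle is left untouched
    when nothing new is found.
    """
    if contains_private_key(new_cert_text):
        raise ValueError("refusing: input contains a private key, which never belongs in a CA file")
    seen = set(parse_pem_bundle(bundle_text))
    added = []
    for body in parse_pem_bundle(new_cert_text):
        if body not in seen:
            seen.add(body)
            added.append(body)
    if not added:
        return bundle_text, 0
    out = bundle_text if bundle_text.endswith("\n") or not bundle_text else bundle_text + "\n"
    out += "".join(normalise_pem(b) for b in added)
    return out, len(added)


def _fake_cert(label):
    # Constructed stand-in for a certificate: base64 of a label, not real DER.
    return normalise_pem(base64.b64encode(label.encode()).decode())


# Constructed sample bundle, with a comment line like real bundles carry.
SAMPLE_BUNDLE = (
    _fake_cert("constructed root CA 1")
    + "# Constructed Root CA 2\n"
    + _fake_cert("constructed root CA 2")
)
NEW_CA = _fake_cert("constructed corporate CA")

if __name__ == "__main__":
    merged, count = add_ca_to_bundle(SAMPLE_BUNDLE, NEW_CA)
    print(f"added {count}; bundle now holds {len(parse_pem_bundle(merged))} certificates")
```

Running it twice with the same certificate shows the idempotence: the second call reports zero additions and returns the bundle unchanged, so a deployment script can re-run it safely.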

More Information