from vsadx.com

 


Do you need SSL, TLS, or HTTPS? Why might you use self-signed certificates? Are there risks that you need to consider? How do I get started testing quickly?



Self-signed certificates are X.509 certificates of the same kind you see on HTTPS websites (what is commonly called an "SSL certificate" is really a TLS certificate). The difference is that a self-signed certificate is signed with its own private key instead of being issued and verified by a Certificate Authority (CA), so no browser or operating system trusts it until you add it to the trust store yourself.

— Many JavaScript APIs are disabled without HTTPS. —

Usually a CA will verify that you control a public domain name before issuing a certificate for it. A public CA will not issue a certificate for your LAN Minecraft server, for localhost, or for a private IP address such as 192.168.0.3, because those names are not globally unique. That is where a self-signed certificate comes in: it works for localhost servers, LAN (or intranet) servers, and anywhere else you can install your own certificate as trusted (your development machine, your phone, a test device).



When might TLS/SSL be required?


• Add TLS/SSL to simple servers for web apps (SPA, PWA) or highly interactive web pages.
• Add HTTPS so your page can use content from other HTTPS sites (without mixed-content errors).
• Protect your users' data in transit from interception or tampering (a man-in-the-middle on the network, an ISP injecting content).

— HTTPS opens up MediaDevices (Camera, Microphone) & Secure WebSockets (Streaming). —

In web apps, some browser APIs and third-party widgets are only available to pages served over HTTPS (browsers call these "secure contexts"). Accessing a device's camera or microphone through navigator.mediaDevices.getUserMedia is the common case: it works from JavaScript on iOS, Android, Windows and macOS, but browsers refuse it on plain HTTP pages. Service workers (needed for a PWA) and geolocation have the same rule, and an HTTPS page can only open secure WebSockets (wss://), so the WebSocket server needs a certificate too. One exception: browsers treat http://localhost as a secure context, so testing on your own machine can skip HTTPS, but anything reached by LAN IP needs a certificate. You can check from the console with window.isSecureContext.



What do I need to make my own SSL certificates?


Simple tools for certs on macOS & Linux (see Windows).

            🧮. http-server (simple testing server)
            🖤. openssl (create, edit certificate)
            🗞. makecert (all-in-one tool)

Your first self-signed certificate.


              openssl genrsa -out server-side.key 2048

              openssl req -new -out server-side.req -key server-side.key -subj /CN=192.168.0.3

              openssl x509 -req -sha256 -days 365 -in server-side.req -signkey server-side.key -out server-side.crt
        

How does it work?



The first two commands each create a file, and the third combines them into the final file. That final file is your certificate!

The first command generates your private key. The second writes a certificate signing request (CSR): a file containing the name of the server you want certified, bound to the public half of that key.

The final command signs the request with your own private key, which is what makes the certificate "self-signed". WARN: nobody has verified anything here. The certificate is not signed by any Certificate Authority, so browsers will show a warning until you install the .crt as trusted on each device, and the private key (server-side.key) must stay private: anyone who has it can impersonate your server.



How do I use my certificate and these files?



You need two of the three files: the private key server-side.key and the certificate server-side.crt. Give those two to your server program to enable HTTPS (Apache, nginx, http-server, IIS). The request file server-side.req can be deleted, or kept to re-sign a fresh certificate with the same key later. Keep the .key file out of your web root and out of version control.



Advanced configuration



Line one:

openssl is a utility. If you don't have it on your system, you can download it through your package manager (brew install, apt-get, etc.).

genrsa is the command. You can use genpkey instead; either way the point is to create a private key to use when creating your certificate.

-out is an option. The -out option specifies the name of the file to output. We call ours: server-side.key (the .req in line two and the .crt in line three are named the same way).

What's 2048? This is your key length in bits. 2048 is the minimum you should use today; shorter keys are considered weak and many browsers refuse them. 4096 also works but makes each handshake slower.


Line two:

openssl req creates a certificate signing request (CSR). It is the input to the signing step that produces your actual certificate.

-subj /CN=192.168.0.3, -subj is an option. It gives the "subject" of our certificate request. CN=192.168.0.3 sets the Common Name to our LAN IP address. You can use a domain name, LAN IP, or public IP! Caveat: Chrome (since version 58) and Safari/iOS (since iOS 13) no longer match the server name against the CN at all; they look only at the subjectAltName (SAN) extension. A certificate made with these three commands exactly as written will therefore still show a name-mismatch error even after you trust it. Pass the name again as a SAN when signing, for example with -extfile pointing at a file containing subjectAltName = IP:192.168.0.3 (IP addresses go in IP: entries, hostnames in DNS: entries).

What is "CN"? It's short for Common Name, the field that identifies the server this certificate is for. A subject can carry more fields, using the attribute names from X.500/LDAP: C is the country code, ST the state or province, L the locality, O the organisation, OU the unit, and emailAddress the contact email (OpenSSL expects ST and emailAddress, not S and E).


Line three:

openssl x509 creates a certificate in the X.509 format, the standard every TLS certificate follows.

-sha256 is an option forcing the SHA-256 hash algorithm for the signature. Browsers reject certificates signed with SHA-1 or MD5, so always set this (recent OpenSSL versions default to SHA-256, but being explicit costs nothing).

-days 365, -days is an option. This is how long your certificate will be valid from today. You can set a longer lifetime, but browsers have been tightening the maximum they accept, so one year is a safe choice; when it expires, rerun line three with the same key and request to get a fresh certificate.

-in & -signkey specify which request and key are used to create your certificate. -signkey is what makes it self-signed: the key that signs is the same key the certificate certifies.
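The three commands from "Your first self-signed certificate" and the subjectAltName caveat above, as one runnable script. This is an added example, not code from the vsadx.com page: it assumes a POSIX shell with openssl on the PATH, and the address 192.168.0.3 and the hostname dev.local are placeholders for your own LAN address and name. It does what the page's three commands do, with an -extfile that adds the SAN modern browsers require, then inspects the result with openssl x509 and checks the trust model with openssl verify.

```shell
#!/bin/sh
# Added example (not from the original page): the page's three openssl steps,
# plus a subjectAltName so Chrome/Safari will match the name. 192.168.0.3 and
# dev.local are placeholders for your own LAN address and hostname.
set -eu

# make_self_signed PREFIX IP DNSNAME
#   writes PREFIX.key, PREFIX.req, PREFIX.ext and PREFIX.crt
make_self_signed() {
  prefix="$1"; ip="$2"; dns="$3"

  # Extensions attached at signing time. IP addresses must be IP: entries and
  # hostnames DNS: entries; a DNS: entry holding an IP address is not matched.
  cat > "$prefix.ext" <<EOF
subjectAltName = IP:$ip, DNS:$dns
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

  # 1. private key (2048-bit RSA, as on the page)
  openssl genrsa -out "$prefix.key" 2048 2>/dev/null
  # 2. certificate signing request carrying the subject
  openssl req -new -key "$prefix.key" -out "$prefix.req" -subj "/CN=$dns"
  # 3. sign the request with our own key and attach the extensions
  openssl x509 -req -sha256 -days 365 -in "$prefix.req" -signkey "$prefix.key" \
    -extfile "$prefix.ext" -out "$prefix.crt" 2>/dev/null
}

# cert_cn CERT: print the subject Common Name, e.g. "dev.local"
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *CN=//'
}

# cert_sans CERT: print the subjectAltName entries, e.g.
#   "IP Address:192.168.0.3, DNS:dev.local"
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# verify_self_signed CERT: succeeds only when CERT is trusted as its own anchor.
# That is the state you reach by importing the .crt into a device trust store;
# a client that has not imported it sees "self signed certificate" and warns.
verify_self_signed() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Stand-alone usage: sh make-cert.sh 192.168.0.3 dev.local  (writes server-side.*)
if [ "$#" -eq 2 ]; then
  make_self_signed server-side "$1" "$2"
  echo "CN:  $(cert_cn server-side.crt)"
  echo "SAN: $(cert_sans server-side.crt)"
  verify_self_signed server-side.crt && echo "verify: OK (trusted as its own anchor)"
fi
```

Run it as sh make-cert.sh 192.168.0.3 dev.local, then serve with one of the page's tools, for example http-server -S -C server-side.crt -K server-side.key. The openssl verify call shows the trust model in one line: the certificate validates only when the verifier already holds it as an anchor, which is exactly what importing the .crt into a browser or phone trust store does; any client that has not imported it gets the self-signed warning, and no amount of SAN or key length changes that.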

