What IS a Certificate?

(Also read: Web Server Considerations for Hosting SSL Certificates)

It is a mapping of an entity name (organization or individual) to a PUBLIC KEY. How that key pair is generated is independent of the certificate and of the Certificate Signing Request (CSR).

Obtaining a certificate is a two-step process:

  1. The CSR is the first step. It involves YOU (the requester, aka the SUBJECT) generating a key pair. What is sent to the CA is YOUR public key and the CSR, signed with YOUR private key. Your private key never leaves your system.
  2. The CA performs the next step. Using ITS own key pair, it issues a certificate that contains:
    a) INFO about the SUBJECT
    b) Info about the SIGNER (the CA)
    c) The entire certificate, signed with the CA’s private key (so anyone holding the CA’s public key can verify it)

What is the encryption algorithm? AES-256 (symmetric)

For in-transit encryption, a symmetric algorithm is used (for performance reasons). For the initial session establishment, an asymmetric algorithm (RSA) is used.

What is x.509?

It is actually a format. X.509 is the standard defining the format of public-key certificates.

What is the encoding scheme? (either DER or PEM)

DER (Distinguished Encoding Rules) – raw binary format. Each encoded value is represented as a type tag (e.g. INTEGER is tag 2, OID is tag 6), the length of the field, and the actual value.

PEM – text-encoded format (the same DER bytes, Base64-encoded between BEGIN/END header lines).
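To make the DER type/length/value layout concrete, here is an added example (not code from the original post) that strips a PEM armor back to DER bytes and walks the encoded values, decoding INTEGER (tag 2) and OID (tag 6). The sample structure is constructed for this example: a SEQUENCE holding the RSA public exponent 65537 and the rsaEncryption OID.

```python
import base64
import re

# Constructed sample DER: SEQUENCE { INTEGER 65537, OID 1.2.840.113549.1.1.1 }
SAMPLE_DER = bytes.fromhex(
    "30 10"                              # SEQUENCE, length 16
    "02 03 01 00 01"                     # INTEGER, length 3, value 65537
    "06 09 2a 86 48 86 f7 0d 01 01 01"   # OID, length 9, rsaEncryption
)

# The same bytes as PEM: Base64 between BEGIN/END lines (constructed label).
SAMPLE_PEM = ("-----BEGIN EXAMPLE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END EXAMPLE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM header/footer and Base64-decode the body to DER bytes."""
    match = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
    if not match:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(match.group(1).split()))


def read_tlv(data: bytes, pos: int):
    """Read one Type-Length-Value element starting at pos; return (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    value = data[pos:pos + length]
    if len(value) != length:               # reject truncated input instead of misparsing
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def decode_oid(value: bytes) -> str:
    """Decode the base-128 OID encoding; the first byte packs the first two arcs."""
    arcs, current = [value[0] // 40, value[0] % 40], 0
    for byte in value[1:]:
        current = (current << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends the arc
            arcs.append(current)
            current = 0
    return ".".join(map(str, arcs))


def parse(data: bytes) -> list:
    """Walk DER elements, descending into SEQUENCEs and decoding INTEGER and OID."""
    out, pos = [], 0
    while pos < len(data):
        tag, value, pos = read_tlv(data, pos)
        if tag == 0x30:
            out.extend(parse(value))
        elif tag == 0x02:
            out.append(("INTEGER", int.from_bytes(value, "big", signed=True)))
        elif tag == 0x06:
            out.append(("OID", decode_oid(value)))
        else:
            out.append(("tag 0x%02x" % tag, value.hex()))
    return out
```

Running `parse(pem_to_der(SAMPLE_PEM))` yields the INTEGER 65537 and the OID 1.2.840.113549.1.1.1; the same walk applies to a real certificate's DER once you descend its outer SEQUENCEs.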

What is the PKCS12 file format?

PKCS12 files are a standard way of storing multiple keys and certificates in a single file. Think of it as a zip file for keys and certificates.

What is SSL Termination?

When the encrypted traffic ends at the Load Balancer – and traffic beyond it is unencrypted – this is called termination at the Load Balancer. It means you need a way to proxy the terminated traffic to the backend instances.

How do I proxy terminated traffic?

  1. Create an instance group that has at least one live instance.
  2. Create an HTTP(S) load balancer with the following:
    1. Upload an SSL certificate.
    2. Create a backend service that points to the instance group. Make sure the protocol is HTTP.
    3. Create a target HTTPS proxy with the certificate you uploaded.
    4. Finally, create a global forwarding rule that points HTTPS to the target proxy you created.

What happens during the handshake?

Are private keys exchanged during the handshake?

Not always

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.


Author: Anuj Varma, Hands-On Technology Architect, Clean Air Activist.