Gist of SSL/mTLS

Source: Dev.to

The objective of this post is simply to recollect an overview of the mTLS concept, so that it is easy to explain to a new intern who needs to enable it for Kafka or another system.

## Secure Sockets Layer (SSL)

SSL is a protocol used to protect communication between clients and servers over the Internet. SSL provides features such as server authentication, client authentication, and data encryption. Authentication confirms the identity of a server or client. Encryption converts data into an unreadable form before the data is sent. The scheme of a URL that uses SSL is https. For example:

The latest version of SSL is called Transport Layer Security (TLS). The Internet Engineering Task Force (IETF) maintains the TLS standard.

### What is TLS?

Transport Layer Security (TLS) is an encryption protocol in wide use on the Internet. TLS, which was formerly called SSL, authenticates the server in a client-server connection and encrypts communications between client and server so that external parties cannot spy on the communications. Normally in TLS, the server has a TLS certificate and a public/private key pair, while the client does not.

There are 3 important things to understand about how TLS works:

1. Public key and private key

   To perform authentication, TLS uses a technique called public-key cryptography. Public-key cryptography is based on the concept of a key pair, which consists of a public key and a private key. Data that has been encrypted with a public key can be decrypted only with the corresponding private key. Conversely, data that has been encrypted with a private key can be decrypted only with the corresponding public key. The owner of the key pair makes the public key available to anyone, but keeps the private key secret.

   We can use two tools to generate this key pair:

   - Keytool: the keytool program is a security tool included in the bin directory of the Java SDK.
   - OpenSSL: the OpenSSL Project is an effort to develop an open-source toolkit that implements the SSL and TLS protocols, as well as a cryptographic library. The toolkit includes the openssl command-line tool, which enables you to use various functions of the cryptographic library.

2. TLS certificate

   A TLS certificate is a data file that contains important information for verifying a server's or device's identity, including the public key, a statement of who issued the certificate (TLS certificates are issued by a certificate authority), and the certificate's expiration date. You can obtain a certificate from a Certificate Authority (CA) such as VeriSign. Alternately, you can create a self-signed certificate, in which the owner and the issuer are the same.

   An organization that issues certificates can establish a hierarchy of CAs. The root CA has a self-signed certificate. Each subordinate CA has a certificate that is signed by the next highest CA in the hierarchy. A certificate chain is the certificate of a particular CA, plus the certificates of any higher CAs up through the root CA.

3. TLS handshake

   A TLS handshake process works like below:

   - Client connects to server
   - Server presents its TLS certificate
   - Client verifies the server's certificate
   - Client and server exchange information over encrypted TLS connection

## Mutual TLS (mTLS)

Mutual TLS, or mTLS for short, is a method for mutual authentication. mTLS ensures that the parties at each end of a network connection are who they claim to be by verifying that they both have the correct private key. The information within their respective TLS certificates provides additional verification.

mTLS is often used in a Zero Trust security framework to verify users, devices, and servers within an organization. Zero Trust means that no user, device, or network traffic is trusted by default, an approach that helps eliminate many security vulnerabilities.

In mTLS, both the client and server have a certificate, and both sides authenticate using their public/private key pair.

The mTLS handshake process works like below:

1. Client connects to server
2. Server presents its TLS certificate
3. Client verifies the server's certificate
4. Client presents its TLS certificate
5. Server verifies the client's certificate
6. Server grants access
7. Client and server exchange information over encrypted TLS connection

## Why use mTLS when we already use TLS?

TLS is one-way authentication in which the client verifies the server's identity only. This provides protections such as ensuring websites are not spoofed, keeping private data secure and encrypted as it crosses the various networks that make up the Internet, and making sure that data is not altered in transit. mTLS, on the other hand, helps ensure that traffic is secure and trusted in both directions between a client and server.

mTLS provides additional protection by preventing various kinds of attacks, such as:

- On-path attacks
- Spoofing attacks
- Credential stuffing
- Brute force attacks
- Phishing attacks
- Malicious API requests

## How to Setup mTLS

To set up mTLS we need to follow the steps below:

- Generate a private key (RSA or EC).
- Generate a CSR → send it to the CA.
- Get it signed by a CA (or create a self-signed cert for tests). The CA issues a CRT/CER → your certificate.
- Assemble the certificate chain (server cert + intermediate(s) + root).
- Store the private key + cert chain in a PKCS#12 or JKS keystore.
- Convert formats if needed (PEM ↔ PKCS12 ↔ JKS).
- The truststore holds CA certs to validate incoming connections.
- Verify with OpenSSL and keytool.

## KeyStores

A keystore stores private key entries, certificates with public keys, or just secret keys that we may use for various cryptographic purposes. It stores each by an alias for ease of lookup. Generally speaking, keystores hold keys that our application owns, which we can use to prove the integrity of a message and the authenticity of the sender, say by signing payloads.

Usually, we'll use a keystore when we're a server and want to use HTTPS. During an SSL handshake, the server looks up the private key from the keystore, and presents its corresponding public key and certificate to the client.

## TrustStores

A truststore is the opposite. While a keystore typically holds onto certificates that identify us, a truststore holds onto certificates that identify others. In Java, we use it to trust the third party we're about to communicate with.

Take our earlier example. If a client talks to a Java-based server over HTTPS, the server will look up the associated key from its keystore and present the public key and certificate to the client. We, the client, then look up the associated certificate in our truststore. If the certificate or Certificate Authorities presented by the external server aren't in our truststore, we'll get an SSLHandshakeException, and the connection won't be set up successfully.

Java comes bundled with a truststore called cacerts. For Java versions before 9, it resides in the $JAVA_HOME/jre/lib/security directory, and for Java versions after 8, it's in $JAVA_HOME/lib/security. It contains default, trusted Certificate Authorities.

## CSR (Certificate Signing Request)

A CSR (.csr, .req) is a Certificate Signing Request: a file that you create and send to a Certificate Authority (CA) when you want an SSL/TLS certificate from that CA. It's like an application form for a certificate.

What it contains: your public key + details like domain name and organization.

## CER / CRT (Certificate)

A file that holds the actual certificate issued by a CA after verifying your CSR.

CER vs CRT: both are certificate files, just with different extensions (often .cer or .crt).

What it contains: your public key + metadata + CA signature.

## PEM

A text-based file format (Base64 encoded) for certificates and keys.

What it contains: often used to store a CSR, a CRT, a private key, or both a certificate and its key.

## PKCS12 (.p12 or .pfx)

A bundle format that can include certificate + private key + chain in one file. It is easy to transport and import into systems/applications. You create this after you have your certificate and private key.

### How to generate

The detailed steps to generate these using keytool and openssl will be covered in a follow-up post.

To be continued.

Content in this post is extracted from different sources on the internet.
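The mTLS setup steps listed above, worked through with the openssl command-line tool as an added example (this is not code from the original post): it creates a lab root CA, issues a server and a client certificate from CSRs, packs each private key with its chain into a PKCS#12 keystore, and checks a certificate against a CA file the way a truststore does during the handshake. The CA name, hostnames, file names and the "changeit" passphrase are constructed placeholders; the keytool equivalents are not shown.

```shell
#!/bin/sh
# Builds a private root CA, a server identity and a client identity, signs
# both with the CA, bundles each into a PKCS#12 keystore, and provides a
# truststore-style check with "openssl verify". All names are lab placeholders.
set -eu

# Runs in a subshell so the "cd" does not leak into the caller's shell.
build_mtls_pki() (
  cd "$1"

  # Root CA: private key plus a self-signed certificate. "req -x509" marks
  # the certificate CA:TRUE, so it can serve as a trust anchor.
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ca.key
  openssl req -x509 -new -key ca.key -days 365 -subj "/CN=Lab Root CA" -out ca.crt

  # A private key and a CSR for each party: in mTLS the client needs its own
  # identity just like the server does.
  for who in server client; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$who.key"
    openssl req -new -key "$who.key" -subj "/CN=$who.lab.example" -out "$who.csr"
  done

  # The CA signs each CSR, producing the CRT. extendedKeyUsage limits the
  # server cert to serverAuth and the client cert to clientAuth.
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:server.lab.example\n' > server.ext
  printf 'extendedKeyUsage=clientAuth\n' > client.ext
  for who in server client; do
    openssl x509 -req -in "$who.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 90 -extfile "$who.ext" -out "$who.crt" 2>/dev/null
  done

  # Certificate chain in PEM (leaf first, then its issuer) for PEM-based servers.
  cat server.crt ca.crt > server-chain.pem

  # Keystore: private key + certificate + CA chain in one PKCS#12 file per party.
  # "changeit" is a constructed lab passphrase, not a recommendation.
  for who in server client; do
    openssl pkcs12 -export -inkey "$who.key" -in "$who.crt" -certfile ca.crt \
      -name "$who" -passout pass:changeit -out "$who.p12"
  done
)

# Truststore check: exit 0 only if the certificate chains to a CA contained
# in the given CA file, which is what each peer does with the other's cert.
verify_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Run it as `build_mtls_pki /tmp/lab && verify_against /tmp/lab/ca.crt /tmp/lab/client.crt`; pointing verify_against at a CA file that does not contain the lab root makes the check fail, which is the behaviour a truststore gives an unknown client.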