0

What I need: A secure TLS/SSL communication between a server an a client over a LAN Network. The authentication must be a one way-authentication :

SSL One way authentication

What I have already done: I have created a server and a client which are able to communicate over a Wi-Fi network. I have implemented the SSL sockets but the authentication is missing ... so it won't work :)

Where I need help: I'm a beginner at TLS/SSL, and at network security as well.

  1. Is a CA mandatory or can I "emulate" it ? (It gives the server its certificate, right ?)
  2. Should the server create its own certificate or should I gave one (hardcoded)?
  3. How the client can verify this certificate ?
Jean
  • 1,707
  • 3
  • 24
  • 43

1 Answers1

1

  1. A CA is not mandatory per se. The alternative to CA-signed certificate is a self-signed certificate, but unless a particular self-signed certificate is explicitly trusted by a client program, authentication (verification) of the peer will fail.

  2. You should create or request a server certificate, and configure the server to use that certificate. The details of how to configure the certificate and other TLS settings depend on what server software or TLS library you are using.

  3. Typically, a client has a collection of trusted root CA certificates. An end-entity certificate is signed either by a root CA, or an intermediate CA which is signed by some superior certificate, all the way up to a root. Servers present a certificate chain of end-entity certificates and any intermediate certificates, up to but (usually) not including a root certificate.

    During verification, the client validates that there is a valid chain of signatures down from any of the root CAs it trusts. If so, and provided none of the certificate in the chain are expired or revoked, the server certificate will be accepted and the session will proceed.

    Root certificates of public CAs are usually installed and trusted by default in most browsers and operating systems. But you needn't use a public CA; you can create private CA for signing certificates. If you do this, clients will need to be configured to trust its root certificate (details differ by software).

    Whether you use a public or private CA, as long as the clients trust the root CA and you have configured the server to present the (chained) server certificate, everything should work!

frasertweedale
  • 5,424
  • 3
  • 26
  • 38
  • I don't need to connect to exiting server or application on the web (yet). I just need to set up a local secure connection. If I understood what you explain above, I must : – Jean Mar 12 '15 at 10:15
  • @JeanRene you can create a private CA to use, and configure your client to trust its certificate. Or you could configure the client to explicitly trust a self-signed certificate that the server will use. I have updated my answer (part 3) to clarify. – frasertweedale Mar 12 '15 at 10:18