How it works in a simple view
Several implementations are done with 2 way ssl certificates, but still wondering how it works? Let’s try to explain.
Two-way ssl means that a client and a server communicates on a verified connection with each other. The verifying is done by certificates to identify. A server and a client has implemented a private key certificate and a public key certificate.
Secure Sockets Layer (SSL) certificates, sometimes called digital certificates, are used to establish an encrypted connection between a browser or user’s computer and a server or website. The SSL connection protects sensitive data, such as credit card information, exchanged during each visit, which is called a session, from being intercepted from non-authorized parties.
Root certificates are a public key certificates that identifies a root certificate authority (CA). Root certificates are self-signed and form the basis of an X.509-based public key infrastructure (PKI).
Encryption uses a private key/public key pair which ensures that the data can be encrypted by one key but can only be decrypted by the other key pair. The public key is shared while the private key is kept locally.
The SSL connection can be established in two different ways: 1 or 2-way.
A one-way SSL: the SSL-client application is not verified by the SSL-server application. Only the server is verified.
In a two-way SSL connection the SSL client application verifies the identity of the SSL server application, and then the SSL server application verifies the identity of the SSL-client application. Roughly the steps are like this:
Or in a different perspective:
What’s the process like, e.g. compared with a cash withdrawal:
The proces can be compared with a cash withdrawal, putting in your creditcard corresponds to sending a hello to the server. Your card will be accepted if your card is valid for that machine. You will be asked for your code.
A server has a private certificate which will be accepted by a client. The client also has a private certificate which will be accepted by the server. This is called the handshake. At that point it is safe to sent messages to each other.
With two way ssl, the server sent a code, the cliënt accept the code.
Back to the withdrawal machine, the display asks for your code and when typing in the right code, it will be sent to the server. The server accept the connection.
With the two-way ssl process the clients sents a thumbprint which should be accepted on the server. When this proces is ready on the withdrawal you might put in the amount you want to receive, on the two-way ssl connection a message could be sent. The withdrawal machine responds with cash and probably a revenu, the two-way ssl connections with a respond message.
Sending information to a http address is done in plain text, this is not likely for several internet traffic. You don’t want to communicate password in plain text over the internet as a prey for the hackers. So https and a certificate is necessary.
Let’s discuss this more in technical detail, with describing the basic components necessary for communicate 2-way SSL over https.
So the first part to describe, the public key.
A public key consists of a root certificate with one or more intermediate certificates. A certificate authority generates a root certificate and on top of these an intermediate certificate and on top of that certificate another intermediate certificate.
This is done to arrange a smaller set of clients who can communicate with you. A root certificate will be used in several intermediates, and an intermediate certificate will be used in other intermediate certificates, so using the root certificate will remain in accepting connections of all intermediates. A public key is not protected by password and can be shared.
The second part is the private key.
A private key is built like a public key but on top there is a private key installed, this key is client specific and protected by a password. This private key represent you as firm or as person, so you don’t want to share this key with other people.
What happens when setting up a two-way ssl connection
The first step in the communication is sent a hello from the client to the server and then information is exchanged. The servers sends a request to the client with an encoded string of the thumbprint of his private key. The authorization key of the public chain below is sent to ask if the client will accept the communication. When the public key of the request corresponds to a public key on the client an OK sign will be sent back.
The server asks also for the encoded string of the client, so the client will sent his encoded string of the thumbprint to the server. When the server accepts this in case of a match on his public key the connection between client and server is established and a message could be sent.
A certificate has an expiration date, so a certificate (public and private) will only works until the expiration date is reached. Normally it will take some time to receive a new certificate so do a request for a new certificate on time.
A certificate has a version within, for now version 3 is the standard version. Also the term SHA will be used, the start was with sha1 but still this one is achieved not safe enough anymore so we use SHA2 certificates or SHA256 as it will be shown.