How to Perform SSL Certificate Validation, Secure Server Trusted SSL Certificates

How to perfrom SSL certificate validation? Did I correctly install SSL certificate? Could you please kindly review whether I correctly set up the SSL certificate or not? Though I activate the SSL certificate and configure it with Plesk Control Panel, I am not sure whether I have completed its installation or not, since the installation process is complicated to me. Please kindly take a look, Did I correctly install SSL certificate? Thank you.

Godaddy Dedicated Server Support Staff Response: We have reviewed the installation of the SSL Certificate for ‘iflove.com’ on the server. We have added the certificate to the set up for the domain and the site can now be viewed using https://iflove.com. Please let us know if you have any further questions, comments, or concerns by replying to this email. Our service departments and telephone lines are open 24 hours a day, 365 days a year to accommodate your needs anytime. Godaddy Server Support Technician

Your application must build a certificate chain, collecting the issuing CA certificate for all CAs up to a trusted root. For externally issued certificates (ones not issued by your own CA), this is done by downloading the certificate from the Authority Information Access (AIA) URL found in the certificate itself. Each certificate in the chain is validated. The validity of each certificate can be determined based on a variety of tests (must have all standard X.509 fields, must fit a format for a specific version, critical extensions, specific OIDs, revocation check, root check, DNS check, signature check, and time validity check). For SSL, the root check, DNS check, time validity, and revocation check are standard.

The root check of external certificates is perfomred by checking whether the chain (for example, from the web server, to an issuing CA, to another, to the root CA) connects to a trusted root (which is one eitherinstalled by default in IE or Mozilla or one you manually choose to import into the store to trust). Basically if you’re talking about
validating third-party web servers on the Internet, rely on the Versign, Thawte etc. commercial CA root certificates in your store by default (you don’t need to add a root CA). If these are internal web servers issued certificates by an internal private CA, then you’ll need to install the root CA’s certificate.

The revocation check occurs by checking the Certificate Revocation List found at the URL stored in the certificate to make sure the once-valid certificate you’ve been presented wasn’t revoked since it’s issuance (because of a key compromise, CA compromise, superseding, decommission of the server, or a temporary hold).

As far as being for MiTM prevention only, certificates are used for many services:
* Digital signatures: for client authentication and data-origin
validation
* Non-repudiation: proving a signer DID sign a package
* Key encipherment: The public keys (assymmetric encryption) can be used for symmetric key exchange.
* Data encipherment: The public key itself can be used to encrypt data, but this never happens because it’s so inefficient.
* Key Agreement: The public key can be used for key transport (like in
Diffie-Hellman)
* Signature verfication: The public key can be used to verify a
certificate or CRL’s signature.

PKI is used to help provide confidentiality, data-integrity, AND
authentication.

I’m sure there is a tool to perform certificate validation in the method you need, but I don’t know of one and it would depend on your platform (Windows?, Linux/UNIX?).

For Windows, look into:
* CertUtil (a utility in the Server 2003 Admin Pack). For example, “certutil -verify -urlfetch example.cer” verifies the certificate chain of example.cer, printing output for every URL in every certificate in the chain. It prints out when a URL is validated, can’t be reached, and prints a summary of errors at the end. I’m sure you need something
simpler than that though, and I believe it’s usually used by PKI administrators to check on the health of their own MS CS PKI.
* CAPIMON: “CryptoAPI Monitor (CAPIMON) allows an administrator to monitor an application’s CryptoAPI calls and the results.”
http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en
* Generally speaking, the CryptoAPI

This book has a bit of information about certificate services in general, but is primarily geared toward installing your own CA using MS Certificate Services: “MS Windows Server 2003 PKI and Certifcate Security”.

There is a product called as Microdasys SCIP, for SSL Verification, can check for self singed certificated, This will come in handy as a great tool for SSL.

I am working on implementation of LDAP client where in there is requirement to validate the server’s ssl certificate. This is similar to what browser does in case of ssl enabled website. After reading few articles over net I came to know that following checks needs to be done for verfication of ssl certificate.

1) Check if certificate is not expired.
2) Common name on the certificate matches the DNS name of the server.
3) Checks if the CA is trused.

I don’t know how to perform the check for 3rd step. How can we ensure that CA is trusted? One of my colleague told that I have to store all trusted root certificates and then compare incoming certificate with existing ones..Is there any better way to check this SSL Certificate Validation? How to Perform SSL Certificate Validation? Also I was told that certificate validation is done to prevent the SSL-MITM attack Is this the only reason or is there any other reason for which the SSL certificate validation is done? It will be great if you can throw some light in this matter. Any links to relevant websites will do as well.

Web Hacking, like any art, will take years of dedicated study and practice to master. We can’t teach you to hack. But we can teach you what we’ve learned so far. Our courses are honest, real, technical and practical. SensePost willl be at Black Hat Vegas in July. To see what we’re about at SSL Certificate Installation Tutorial.

How to perfrom SSL certificate validation? Did I correctly Install SSL certificate? Could you please kindly review whether I correctly set up the SSL certificate or not? Though I activate the SSL certificate and configure it with Plesk, I am not sure whether I have completed its setup or not, since the setup process is complicated to me. Please kindly take a look, Did I correctly set up SSL certificate?

Donate for Kindness

Hi man, if you find this article useful, please donate a few bucks to help the one in need.

Donate

Topics: ,,,,