C: Networking and Security
EDS Device Servers User Guide 160
When a Web browser accesses a domain secured by SSL, an SSL handshake
authenticates the server and client, and establishes an encryption method and a unique
session key. Once this handshake has been completed, the client and server can begin a
secure session that guarantees message privacy and message integrity.
SSL uses Digital-Certificate technology to identify target servers reliably and uses
encryption to protect the confidentiality of information passing between client and server.
You can configure the EDS to use an SSL certificate for the HTTP server. The certificate
can be created elsewhere and uploaded to the EDS, or it can be automatically generated
as a self-signed certificate on the EDS. For more information about uploading a new
certificate or create a new self-signed certificate, see SSL on page 101.
Note: When uploading the certificate and the private key, be sure the private key
is not compromised in transit.
The following steps summarize how SSL works:
1. A client contacts a server secured by SSL.
2. In response to the client request, the server sends its certificate to the client.
3. The client generates a master key, which it encrypts with the server's public key and
transmits the encrypted master key back to the server.
4. The server recovers the master key and authenticates itself to the client by returning
a message authenticated with the master key. Subsequent data is encrypted and
authenticated with keys derived from this master key.
Digital Certificates
Authentication with SSL is achieved with a Digital Certificate issued and signed by a
Certificate Authority (CA) and stored on the server. Without a certificate signed by a CA,
the server cannot be reliably identified to the client, yet a connection can still proceed if
allowed.
The Digital Certificate resides on a secure server and is used to encrypt data and identify
the Web site. The Digital Certificate verifies that a site belongs to who it claims to belong
to and contains information about the certificate holder, the domain that the certificate
was issued to, the name of the Certificate Authority who issued the certificate, the root
and the country it was issued in. In addition to proving the veracity of a site, the Digital
Certificate provides the receiver with a way to encode a reply. Digital Certificates come in
40-bit and 128-bit versions.
There are two principal ways to obtain a Digital Certificate. It can be bought from a
certificate vendor or a user can "self-sign" his or her own certificate. With the latter
method, a user can use various tools, both open source and proprietary, to sign his or her
own Digital Certificate, saving the time and expense of going through a certificate vendor.