What are the types of SSL certs?

c-h-r-i-s-t-o-p-h
c-h-r-i-s-t-o-p-h used Ask the Experts™
What are the types of SSL certs and what are their functions / relationships? (i.e. intermediate certs, etc)
Distinguished Expert 2017

Commented:
Trusted, ROOT
intermediate: root-signed and is thereby trusted
end user "reflects" the user/service. But the authenticity is based on the process the signing entity goes through to verify that the person applying for the certificate is who they say they are and represent what they say they represent.

I.e a person presenting a State issued document is presumed to be who they say they are given it is a State issued document.  If a person presents a school ID, the school is somewhat similar to an intermediate i.e. recognized by the State and thereby derives its credibility from the state.  If someone presents a school ID from a school you've never heard of, you will likely be more suspicious of whether the person is who they say they are.

As far as types, there are too many to enumerate, but can easily be found when searched.
Trusted, intermediate, subordinated.
Code, user, Web sites, etc.

The end result is the same: to convey that whoever presents it is who/what they say they are and comes from an entity represented in the certificate.
Top Expert 2014

Commented:
I agree with Mod_MarlEE, seems like a homework question.

TLS V1 standard: http://www.ietf.org/rfc/rfc2246.txt

Based on SSL V3. SSL was developed by Netscape; TLS is the RFC'ed public version of SSL.

Author

Commented:
Moderator- I'm troubleshooting an issue. Specifically, what would cause a server to fail to send a server hello in response to a client hello while using SSL but not TLSv1, SSLv2, or SSLv3...

All others- what are the relationships between the different type of certs? Do they interact together or do they serve different purposes?
HonorGod, Software Engineer

Commented:
Q: Do they interact together?
A: No

Q: do they serve different purposes?
A: No

All of the certs are used to identify the client and server in the communication.
It is similar in concept to using a "pass phrase" when a telephone call is made.
The Caller asks a question - the Recipient must respond correctly, then the Recipient asks a question, and the Caller must respond correctly.  That way, each side can have some level of trust that the "person" on the other end of the call is who they say they are...

Q: What's the difference between the different certs?
A: Consider the situation where multiple SSL certificate protocols are supported; each can have its own certificate.

Author

Commented:
HonorGod - If I understand you correctly, then each different SSL cert is responsible for a different protocol.

Therefore, is it safe to assume that if TLSv1.0, SSLv2, and SSLv3 function normally, but the server fails to send a "Server Hello" in response to the client's "Client Hello" via SSL... then the certs responsible for TLSv1.0, SSLv2, and SSLv3 might be installed correctly, while the cert responsible for SSL is not correctly installed?
Top Expert 2014

Commented:
Then what is the server?

What is the client?
HonorGod, Software Engineer

Commented:
Q: but the server fails to send a "Server Hello" in response to the client's "Client Hello" via SSL... then the certs responsible for TLSv1.0, SSLv2, and SSLv3 might be installed correctly, while the cert responsible for SSL is not correctly installed?

A: It is really hard to say exactly what is occurring without a trace.  Are we talking about an application program (as the client) sending the "Client Hello" message to the server?

As giltjr said, "what is the client"?  Is it an application, or a browser?
And what is the server?  Is it a web server, or an application, or an application server behind a web server?

Top Expert 2014

Commented:
If this is a troubleshooting issue, then you really should have one question.

Based on one of your responses in one of the other questions, there is not a whole lot you will be able to do.

Since you don't have the private key, you will not be able to run a sniffer program and truly see what is going on.

The server side has the key; they need to run the sniffer and, using the private key, they can decode the trace and see what is going on.

Author

Commented:
The server is a Citrix Access Gateway 2010. The client is internet explorer and/or firefox running on end user laptops. The issue is reported via internet explorer more often than firefox... this could be an inaccurate observation or browser settings related... more below.

The only consistency that I have found (via packet capture) is that each and every "failed" connection begins with a Client Hello sent over SSL. The server sends an ACK, but fails to send a Server Hello via SSL. 30 seconds pass. The client sends a Client Hello via SSLv2. The server then sends an ACK, followed by a Server Hello via SSLv3. Traffic then passes as normal. To the end user, the initial login page attempts to load for approximately 30 seconds... when the client attempts via SSLv2, the page instantly loads and their experience is normal.

The other scenario (where the user has a normal experience), the connection begins with a Client Hello sent over TLSv1.0. The server sends an ACK, followed by a Server Hello via TLSv1.0.

Communication is breaking down when the client attempts to negotiate via SSL. I am trying to understand why this might happen.

I disabled TLSv1.0 on my browsers and left SSLv3 enabled as an initial test. Thus far, I have not experienced any issues while doing so.


Why would this behavior occur? What can be done to further isolate the issue?

Author

Commented:
It is an internal server and I have access to any of the certs that are installed on it.
Top Expert 2014
Commented:
If you have access to the private cert, then using wireshark you can see what is flowing back and forth.  You have to tell wireshark where it can read the private cert.

http://wiki.wireshark.org/SSL


Don't know if this link has been given before, but you can go here:

     http://en.wikipedia.org/wiki/Transport_Layer_Security

Then search for "Simple TLS handshake".

Basically,

Client says "client hello I support XXXX" where XXXX is the highest level of SSL it supports.

Server says "server hello and we will use YYYY" where YYYY is the highest level of SSL it supports that is equal to or lower than what the client supports.

Server then sends the public key for its server, and all of the certs in its signing chain.

Server then sends "I'm done".

The client now verifies the certs and if it trusts them (or the user says go ahead) then cipher negotiation starts.
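The hello exchange described in the post above, as an added example that is not part of the original thread or of any product mentioned in it. It decodes the first handshake record on the wire (both the SSLv3/TLS record format and the older SSLv2-compatible ClientHello format that the author's capture shows), reads the version the client offers, and applies the server's rule of answering with the highest version it supports that is not above the client's offer, returning no ServerHello at all when there is no overlap. The cipher suite, the fixed "random" bytes and the sample messages are constructed for the example, not captured traffic.

```python
"""Decode a ClientHello, pick the version a server would answer with, and
build the matching ServerHello. Added example; all sample bytes are constructed."""
import struct

# Wire versions as (major, minor); names are those Wireshark and the RFCs use.
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone"}
CONTENT_HANDSHAKE = 22          # record-layer content type for handshake messages
SAMPLE_SUITE = b"\x00\x2f"      # TLS_RSA_WITH_AES_128_CBC_SHA, used only as a sample


def version_name(version):
    """Human-readable name for a (major, minor) version pair."""
    return VERSION_NAMES.get(tuple(version), "unknown %d.%d" % tuple(version))


def parse_hello(data):
    """Parse the first handshake message of a connection.

    Handles two wire formats: an SSLv2-compatible ClientHello (2-byte length
    with the high bit set, then message type 1, then the offered version) and a
    normal SSLv3/TLS record carrying a handshake message.
    """
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 1:
        length = ((data[0] & 0x7F) << 8) | data[1]
        return {"format": "SSLv2-compatible", "handshake": "ClientHello",
                "length": length, "hello_version": (data[3], data[4])}
    if len(data) < 5:
        raise ValueError("record too short")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype != CONTENT_HANDSHAKE:
        raise ValueError("not a handshake record (content type %d)" % ctype)
    body = data[5:5 + length]
    if len(body) < 4:
        raise ValueError("truncated handshake message")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hs_body = body[4:4 + hs_len]
    info = {"format": "SSLv3/TLS record", "record_version": (major, minor),
            "handshake": HANDSHAKE_TYPES.get(hs_type, "type %d" % hs_type)}
    if hs_type in (1, 2):
        if len(hs_body) < 2:
            raise ValueError("truncated hello body")
        info["hello_version"] = (hs_body[0], hs_body[1])   # client_version / server_version
    return info


def choose_version(client_max, server_versions):
    """The server's rule: highest version it supports that is <= the client's offer."""
    candidates = [tuple(v) for v in server_versions if tuple(v) <= tuple(client_max)]
    return max(candidates) if candidates else None


def build_client_hello(hello_version=(3, 1), record_version=(3, 1)):
    """Constructed TLS-format ClientHello offering one cipher suite."""
    body = (bytes(hello_version) + bytes(range(32))   # fixed 32-byte "random", constructed
            + b"\x00"                                   # empty session id
            + b"\x00\x02" + SAMPLE_SUITE                # cipher_suites list
            + b"\x01\x00")                              # compression_methods: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(record_version) + len(hs).to_bytes(2, "big") + hs


def build_server_hello(version):
    """Constructed ServerHello announcing the chosen version and the sample suite."""
    body = bytes(version) + bytes(32) + b"\x00" + SAMPLE_SUITE + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + len(hs).to_bytes(2, "big") + hs


def answer_client_hello(client_hello, server_versions):
    """Server side of the exchange: returns ServerHello bytes, or None if no common version."""
    offered = parse_hello(client_hello)["hello_version"]
    chosen = choose_version(offered, server_versions)
    return None if chosen is None else build_server_hello(chosen)


if __name__ == "__main__":
    server_supports = [(3, 0), (3, 1)]                   # constructed: SSLv3 and TLSv1.0 only
    for offer in [(3, 1), (3, 3)]:
        reply = answer_client_hello(build_client_hello(offer), server_supports)
        print(version_name(offer), "offered ->", version_name(parse_hello(reply)["hello_version"]))
    # An SSLv2-compatible hello announcing TLSv1.0 (constructed header bytes only).
    print(parse_hello(b"\x80\x2e\x01\x03\x01"))
```

A server that supports nothing at or below the client's offered version returns `None` here; on a real connection the client would see an alert or, as in the author's capture, no ServerHello at all, so the two version fields (record layer and hello body) are the first things to read off a trace of a failed handshake.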


Distinguished Expert 2017
Commented:
The certificate has no impact on the mode of communication (SSL/TLS).  It's like a license that identifies the party.  Often only the server has to have a Trusted Certificate.

The server either supports SSL and TLS or it is misconfigured to accept only one.  Usually the clients default to both, and during the negotiation of the SSL connection they will agree on the one available to the server unless the client is also limited to a specific one.

There is no validation of the client unless the requirement on the server is that a pre-authorized certificate be presented by the client.

The exchange of the public keys between the client and server is done so that the client can start sending requests to the server encrypted using the server's public key which the server, using the private key, can decode.  Similarly the server uses the client's public key provided in the earlier negotiation to send a message to the client which only the client, using the private key, can decode. The responses are what confirm the SSL connection is present.
