I’ve read plenty, but I’m still very confused about the server certificate concept.
At what stage does it turn a glassfish server from HTTP to HTTPS and how?
I know how to create a certificate with keytool, but what happens to it after that? I read something about associating the certificate with a JAR file? What? Surely a certificate should belong to a server?
I’m using glassfish and netbeans.
Thanks for clearing up my confusion if you can!
Answer
There are two different things happening here.
- Acquire/create SSL keypair & certificate
In order to use SSL for anything (SMTP, HTTP, IMAP, etc.) you need a public and private key.
The private key is stored on the server and the public key is made available to the world to allow data to be encrypted in such a form that the private key can decode it.
The distribution of the public key is accomplished via sending it during the SSL negotiation [1] – this is an insecure approach vulnerable to MITM attacks.
An SSL certificate is a signature of the SSL public key by a third party that is trusted – the third party is responsible for authenticating the identity of the public key.
A self-signed certificate is generally used for testing and is still vulnerable to MITM. Using it is like presenting only a letter to your bank written by you and signed by you to verify your identity.
- Configure service to use SSL keypair & certificate
This is the part where you tell your service to actually use that keypair and certificate. Beyond the scope of this answer, but hopefully you understand SSL now 🙂
[1]: Though some cool things could be done now that DNSSEC is being implemented – we could put HTTPS certificates into TXT records or the like.
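As an added example that is not part of the question or of MikeyB's answer, the following shell script walks through step 1 with the openssl command line instead of keytool (the ideas are the same: keytool's self-signed certificate and a CSR signed by a CA map one-to-one). It builds a server key pair, a self-signed certificate for it, a toy CA that signs the same public key, and a MITM certificate for the same host name signed by a CA the client does not trust, then checks each one the way a client does. It assumes a POSIX shell with openssl, mktemp and cmp available; the host name glassfish.example.test and the CA names are invented for the demo. Step 2 (telling GlassFish to use the keystore) is left out, as the answer leaves it.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Demonstrates: (1) a key pair is a private key plus its public half,
# (2) a certificate is a third party's signature over that public key,
# (3) a self-signed certificate only verifies if the client has been told
#     to trust that exact certificate.
# glassfish.example.test, "Example Test CA" and "Evil CA" are made up.
set -e

WORK=$(mktemp -d)

# --- Step 1: the server's key pair ------------------------------------
make_server_key() {
    # Private key: stays on the server.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/server.key" 2>/dev/null
    # Public key: the part that ends up inside any certificate for it.
    openssl pkey -in "$WORK/server.key" -pubout -out "$WORK/server.pub" 2>/dev/null
}

# Self-signed: the server vouches for its own public key
# (the "letter written by you and signed by you" from the answer).
make_self_signed() {
    openssl req -x509 -new -key "$WORK/server.key" -days 1 \
        -subj "/CN=glassfish.example.test" -out "$WORK/selfsigned.crt" 2>/dev/null
}

# A toy CA standing in for the trusted third party.
# $1 = file prefix, $2 = CA name
make_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null
    openssl req -x509 -new -key "$WORK/$1.key" -days 1 \
        -subj "/CN=$2" -out "$WORK/$1.crt" 2>/dev/null
}

# CA $1 signs a certificate for glassfish.example.test over key $2 -> $3.
# The CSR carries only the public key; the private key is never sent.
sign_with_ca() {
    openssl req -new -key "$2" -subj "/CN=glassfish.example.test" \
        -out "$WORK/req.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/req.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -out "$3" 2>/dev/null
}

# --- What a client does with a certificate ----------------------------
# Exit 0 only if certificate $2 chains to something in trust store $1.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 if the public key inside certificate $1 is the server's own.
cert_holds_server_pubkey() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null | cmp -s - "$WORK/server.pub"
}

# Build all artefacts, including the MITM's certificate: same host name,
# different key, signed by a CA the client has never heard of.
setup() {
    make_server_key
    make_self_signed
    make_ca ca "Example Test CA"
    sign_with_ca ca "$WORK/server.key" "$WORK/server.crt"
    make_ca evil "Evil CA"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/mitm.key" 2>/dev/null
    sign_with_ca evil "$WORK/mitm.key" "$WORK/mitm.crt"
}

report() {   # $1 = label, rest = command to run
    label=$1; shift
    if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

main() {
    setup
    echo "work dir: $WORK"
    report "CA-signed cert, client trusts Example Test CA" \
        verify_against "$WORK/ca.crt" "$WORK/server.crt"
    report "self-signed cert, client trusts Example Test CA" \
        verify_against "$WORK/ca.crt" "$WORK/selfsigned.crt"
    report "MITM cert for same name, client trusts Example Test CA" \
        verify_against "$WORK/ca.crt" "$WORK/mitm.crt"
    report "self-signed cert, client trusts that exact cert" \
        verify_against "$WORK/selfsigned.crt" "$WORK/selfsigned.crt"
}

main
```

Only the first and last checks are accepted: the CA-signed certificate because the client's trust store contains Example Test CA, and the self-signed one only because the client was explicitly handed that very certificate, which is what "trusting a self-signed certificate" means in practice and why it is fine for testing but not for the public. The MITM certificate is rejected even though it names the right host, because nothing in the trust store vouches for Evil CA. On the Java side the equivalent of the signed `server.crt` would be imported back into the keystore under the same alias as the key with `keytool -importcert`; the keystore is then the thing the server is pointed at in step 2.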
Attribution
Source: Link, Question Author: Community, Answer Author: MikeyB