E-commerce is enabled by the use of cryptographic protocols to:
The SSL protocol, invented by Netscape, implemented the cryptography is a very convenient form for programmers. Internet programming and Unix is dominated by a socket model of network communications. A socket is a communications endpoint. It's like one tin-can in a tin can telephone. The sock model is where the two communicating programs create sockets on their local machines, and then connect them, typically with TCP/IP. Then there is a stream of bytes that can flow between the sockets, very much modeled after keyboard and terminal input/output.
The SSL protocol adds a layer of encryption to sockets. The network model slices communication protocols into seven standard layers. At the bottom is the physical layer, where standards regulate the physical phenomena that transport information. As information flows away from the wires and towards the application, there are the Network Layer, i.e. IP, and the Transport Layer, i.e. TCP. Each layer has a role to play in the networking stack. The SSL maintains this entire infrastructure while adding security by interveneing in the Session Layer, which is above TCP but below the application. The application, with minimal changes to the code, now enjoys security for any socket based program.
Each SSL session has a handshake phase in which protocols are negotiated, and keys and credentials are exchanged, followed by the actual application data transport. Confidentiality of the application data is assured by using standard, symetric encryption using secret keys dynamically generated during the handshake phase. Integrity of this data is assured by using cryptographically strong hash functions combined with a secret key also generated during the handshake phase.
The handshake phase uses Public Key cryptography, either RSA, based on factoring, DSS, based on discret logs, or Diffie-Helman. A session can be resumed, and if so, the handshake phase is recalled from the old session. RSA and DSS use certificates to authenticate the server and optionally the client. Typically, the server needs to be authenticated, that is, the server's identity will be verified. In this case, the client will request a certificate from the server. This certificate should be signed by a well-known and trusted Certificate Authority. It is also possible to authenticate the client, the client can be asked to send a certificate as well, but this is not hardly done in e-commerce since the client, that is, individual consumers, do not have certificates.
-----------FROM RFC 4336 THE TRANSPORT LAYER SECURITY (TLS) PROTOCOL VERSION 1.1----------------
The TLS Handshake Protocol involves the following steps:
- Exchange hello messages to agree on algorithms, exchange random
values, and check for session resumption.
- Exchange the necessary cryptographic parameters to allow the
client and server to agree on a premaster secret.
- Exchange certificates and cryptographic information to allow the
client and server to authenticate themselves.
- Generate a master secret from the premaster secret and exchanged
random values.
- Provide security parameters to the record layer.
- Allow the client and server to verify that their peer has
calculated the same security parameters and that the handshake
occurred without tampering by an attacker.
Client Server
ClientHello -------->
ServerHello
Certificate*
ServerKeyExchange*
CertificateRequest*
<-------- ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
Application Data <-------> Application Data
Fig. 1. Message flow for a full handshake
* Indicates optional or situation-dependent messages that are not
always sent.
Client Server
ClientHello -------->
ServerHello
[ChangeCipherSpec]
<-------- Finished
[ChangeCipherSpec]
Finished -------->
Application Data <-------> Application Data
Fig. 2. Message flow for an abbreviated handshake
The PKI (Public Key Infrastructure) used b SSL is X509, and the certificates are called X509 certificates. The certificates are stored in a file format called PEM. There are alterntatives formats, in particular PKCS#12 (Public Key Cryptography Standard number 12). Openssl allows the import and export of certificates from and to PKCS#12., For more information about all you can do with openssl see the OpenSSL Command-Line HOWTO
For test purposes, a key and certificate are created. The certificate is self-signed, meaning that it is signed with the private key of the public key that is being signed. The client can verify the public key using the public key, but this obviously implies nothing about the authenticity of the certificate. Anyone can self-sign anything. But it is good for testing purposes.
This command requests a self-signed x509 certificate ( req -x509 ) of 365 days duration. Using nodes means there will be not encryption on the keyfile, so it must be protected by proper filesystem permissions (no read except by root!). It also asks for a 1024 bit rsa key generation (this could have been done in a separate step) and provides output file names for the key (server.key) and the certificate (server.crt). These names must correspond to the files specified in the Apache httpd.conf file.
grant# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout server.key -out server.crt
Generating a 1024 bit RSA private key
................................++++++
...............................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Florida
Locality Name (eg, city) []:Miami
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Miami
Organizational Unit Name (eg, section) []:Department of Computer Science
Common Name (eg, YOUR name) []:web.cs.miami.edu
Email Address []:web@web.cs.miami.edu
The certificate looks like this:
grant# more server.crt
-----BEGIN CERTIFICATE-----
MIIEDTCCA3agAwIBAgIJAMJZ2p7G9ecCMA0GCSqGSIb3DQEBBAUAMIG2MQswCQYD
VQQGEwJVUzEQMA4GA1UECBMHRmxvcmlkYTEOMAwGA1UEBxMFTWlhbWkxHDAaBgNV
BAoTE1VuaXZlcnNpdHkgb2YgTWlhbWkxJzAlBgNVBAsTHkRlcGFydG1lbnQgb2Yg
Q29tcHV0ZXIgU2NpZW5jZTEZMBcGA1UEAxMQd2ViLmNzLm1pYW1pLmVkdTEjMCEG
CSqGSIb3DQEJARYUd2ViQHdlYi5jcy5taWFtaS5lZHUwHhcNMDcwNjA1MTYzODA2
WhcNMDgwNjA0MTYzODA2WjCBtjELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0Zsb3Jp
ZGExDjAMBgNVBAcTBU1pYW1pMRwwGgYDVQQKExNVbml2ZXJzaXR5IG9mIE1pYW1p
MScwJQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxGTAXBgNV
BAMTEHdlYi5jcy5taWFtaS5lZHUxIzAhBgkqhkiG9w0BCQEWFHdlYkB3ZWIuY3Mu
bWlhbWkuZWR1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOa/ffe7nmr64i
x3tWUuzqtRzB5gywV1BM3FJz5jmQurOmqhRRAgvyiDufCaR26UCwhUynKG+WnJ0u
AHgLmBochYpNq/gWYg0cWWHuTYO2QNTnxgrZHPs2ydU+JrXvdZepuPUiXtu+eVA2
TXq0VqYON9zw1vTGMYM4ZZ2HGUwN2QIDAQABo4IBHzCCARswHQYDVR0OBBYEFBBR
LaIURXAYNInyu/iVRAfV5S8mMIHrBgNVHSMEgeMwgeCAFBBRLaIURXAYNInyu/iV
RAfV5S8moYG8pIG5MIG2MQswCQYDVQQGEwJVUzEQMA4GA1UECBMHRmxvcmlkYTEO
MAwGA1UEBxMFTWlhbWkxHDAaBgNVBAoTE1VuaXZlcnNpdHkgb2YgTWlhbWkxJzAl
BgNVBAsTHkRlcGFydG1lbnQgb2YgQ29tcHV0ZXIgU2NpZW5jZTEZMBcGA1UEAxMQ
d2ViLmNzLm1pYW1pLmVkdTEjMCEGCSqGSIb3DQEJARYUd2ViQHdlYi5jcy5taWFt
aS5lZHWCCQDCWdqexvXnAjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GB
AH9KywikHmYWx4pmOecKdKRW1TJlMaf+lszwEMapJhBnlp5uhWvOUtxPPOlwPhFM
g2onTizOpJlR415q8+1zH62Kqk9GwFRUXAmk2ebbOvFYmFe81OZq97SYhPDSxVvP
roS7bSWM/ML0DNAJca2LjzYbwk9w1mv1CzWzd9b3C6Mh
-----END CERTIFICATE-----
Well, that doesn't look like a certificate! Here is how to use openssl to parse this file:
grant# openssl x509 -text -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c2:59:da:9e:c6:f5:e7:02
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=Florida, L=Miami, O=University of Miami, OU=Department of Computer Science, CN=web.cs.miami.edu/emailAddress=web@web.cs.miami.edu
Validity
Not Before: Jun 5 16:38:06 2007 GMT
Not After : Jun 4 16:38:06 2008 GMT
Subject: C=US, ST=Florida, L=Miami, O=University of Miami, OU=Department of Computer Science, CN=web.cs.miami.edu/emailAddress=web@web.cs.miami.edu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ce:6b:f7:df:7b:b9:e6:af:ae:22:c7:7b:56:52:
ec:ea:b5:1c:c1:e6:0c:b0:57:50:4c:dc:52:73:e6:
39:90:ba:b3:a6:aa:14:51:02:0b:f2:88:3b:9f:09:
a4:76:e9:40:b0:85:4c:a7:28:6f:96:9c:9d:2e:00:
78:0b:98:1a:1c:85:8a:4d:ab:f8:16:62:0d:1c:59:
61:ee:4d:83:b6:40:d4:e7:c6:0a:d9:1c:fb:36:c9:
d5:3e:26:b5:ef:75:97:a9:b8:f5:22:5e:db:be:79:
50:36:4d:7a:b4:56:a6:0e:37:dc:f0:d6:f4:c6:31:
83:38:65:9d:87:19:4c:0d:d9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
10:51:2D:A2:14:45:70:18:34:89:F2:BB:F8:95:44:07:D5:E5:2F:26
X509v3 Authority Key Identifier:
keyid:10:51:2D:A2:14:45:70:18:34:89:F2:BB:F8:95:44:07:D5:E5:2F:26
DirName:/C=US/ST=Florida/L=Miami/O=University of Miami/OU=Department of Computer Science/CN=web.cs.miami.edu/emailAddress=web@web.cs.miami.edu
serial:C2:59:DA:9E:C6:F5:E7:02
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
7f:4a:cb:08:a4:1e:66:16:c7:8a:66:39:e7:0a:74:a4:56:d5:
32:65:31:a7:fe:96:cc:f0:10:c6:a9:26:10:67:96:9e:6e:85:
6b:ce:52:dc:4f:3c:e9:70:3e:11:4c:83:6a:27:4e:2c:ce:a4:
99:51:e3:5e:6a:f3:ed:73:1f:ad:8a:aa:4f:46:c0:54:54:5c:
09:a4:d9:e6:db:3a:f1:58:98:57:bc:d4:e6:6a:f7:b4:98:84:
f0:d2:c5:5b:cf:ae:84:bb:6d:25:8c:fc:c2:f4:0c:d0:09:71:
ad:8b:8f:36:1b:c2:4f:70:d6:6b:f5:0b:35:b3:77:d6:f7:0b:
a3:21
-----BEGIN CERTIFICATE-----
MIIEDTCCA3agAwIBAgIJAMJZ2p7G9ecCMA0GCSqGSIb3DQEBBAUAMIG2MQswCQYD
VQQGEwJVUzEQMA4GA1UECBMHRmxvcmlkYTEOMAwGA1UEBxMFTWlhbWkxHDAaBgNV
BAoTE1VuaXZlcnNpdHkgb2YgTWlhbWkxJzAlBgNVBAsTHkRlcGFydG1lbnQgb2Yg
Q29tcHV0ZXIgU2NpZW5jZTEZMBcGA1UEAxMQd2ViLmNzLm1pYW1pLmVkdTEjMCEG
CSqGSIb3DQEJARYUd2ViQHdlYi5jcy5taWFtaS5lZHUwHhcNMDcwNjA1MTYzODA2
WhcNMDgwNjA0MTYzODA2WjCBtjELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0Zsb3Jp
ZGExDjAMBgNVBAcTBU1pYW1pMRwwGgYDVQQKExNVbml2ZXJzaXR5IG9mIE1pYW1p
MScwJQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxGTAXBgNV
BAMTEHdlYi5jcy5taWFtaS5lZHUxIzAhBgkqhkiG9w0BCQEWFHdlYkB3ZWIuY3Mu
bWlhbWkuZWR1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOa/ffe7nmr64i
x3tWUuzqtRzB5gywV1BM3FJz5jmQurOmqhRRAgvyiDufCaR26UCwhUynKG+WnJ0u
AHgLmBochYpNq/gWYg0cWWHuTYO2QNTnxgrZHPs2ydU+JrXvdZepuPUiXtu+eVA2
TXq0VqYON9zw1vTGMYM4ZZ2HGUwN2QIDAQABo4IBHzCCARswHQYDVR0OBBYEFBBR
LaIURXAYNInyu/iVRAfV5S8mMIHrBgNVHSMEgeMwgeCAFBBRLaIURXAYNInyu/iV
RAfV5S8moYG8pIG5MIG2MQswCQYDVQQGEwJVUzEQMA4GA1UECBMHRmxvcmlkYTEO
MAwGA1UEBxMFTWlhbWkxHDAaBgNVBAoTE1VuaXZlcnNpdHkgb2YgTWlhbWkxJzAl
BgNVBAsTHkRlcGFydG1lbnQgb2YgQ29tcHV0ZXIgU2NpZW5jZTEZMBcGA1UEAxMQ
d2ViLmNzLm1pYW1pLmVkdTEjMCEGCSqGSIb3DQEJARYUd2ViQHdlYi5jcy5taWFt
aS5lZHWCCQDCWdqexvXnAjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GB
AH9KywikHmYWx4pmOecKdKRW1TJlMaf+lszwEMapJhBnlp5uhWvOUtxPPOlwPhFM
g2onTizOpJlR415q8+1zH62Kqk9GwFRUXAmk2ebbOvFYmFe81OZq97SYhPDSxVvP
roS7bSWM/ML0DNAJca2LjzYbwk9w1mv1CzWzd9b3C6Mh
-----END CERTIFICATE-----
The connection to https is at port 443 (by default) and will execute the SSL handshake. It is always useful to connect simply to a web server for testing purposes. Telnet to port 80 is good for standard http. However, this will not work for SSL connections, telnet does not know how to speak ssl, unfortunately. Openssl has an s_client option which does this.
[burt@lee conf.d]$ openssl s_client -connect web.cs.miami.edu:443
CONNECTED(00000003)
depth=0 /C=US/ST=Florida/L=Miami/O=University of Miami/OU=Department of Computer Science/CN=web.cs.miami.edu/emailAddress=web@web.cs.miami.edu
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Florida/L=Miami/O=University of Miami/OU=Department of Computer Science/CN=web.cs.miami.edu/emailAddress=web@web.cs.miami.edu
verify return:1
---
Certificate chain
0 s:/C=US/ST=Florida/L=Miami/O=University of Miami/OU=Department of Computer Science/CN=web.cs.miami.edu/emailAddress=web@web.cs.miami.edu
i:/C=US/ST=Florida/L=Miami/O=University of Miami/OU=Department of Computer Science/CN=web.cs.miami.edu/emailAddress=web@web.cs.miami.edu
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEDTCCA3agAwIBAgIJAMJZ2p7G9ecCMA0GCSqGSIb3DQEBBAUAMIG2MQswCQYD
VQQGEwJVUzEQMA4GA1UECBMHRmxvcmlkYTEOMAwGA1UEBxMFTWlhbWkxHDAaBgNV
BAoTE1VuaXZlcnNpdHkgb2YgTWlhbWkxJzAlBgNVBAsTHkRlcGFydG1lbnQgb2Yg
Q29tcHV0ZXIgU2NpZW5jZTEZMBcGA1UEAxMQd2ViLmNzLm1pYW1pLmVkdTEjMCEG
CSqGSIb3DQEJARYUd2ViQHdlYi5jcy5taWFtaS5lZHUwHhcNMDcwNjA1MTYzODA2
WhcNMDgwNjA0MTYzODA2WjCBtjELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0Zsb3Jp
ZGExDjAMBgNVBAcTBU1pYW1pMRwwGgYDVQQKExNVbml2ZXJzaXR5IG9mIE1pYW1p
MScwJQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxGTAXBgNV
BAMTEHdlYi5jcy5taWFtaS5lZHUxIzAhBgkqhkiG9w0BCQEWFHdlYkB3ZWIuY3Mu
bWlhbWkuZWR1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOa/ffe7nmr64i
x3tWUuzqtRzB5gywV1BM3FJz5jmQurOmqhRRAgvyiDufCaR26UCwhUynKG+WnJ0u
AHgLmBochYpNq/gWYg0cWWHuTYO2QNTnxgrZHPs2ydU+JrXvdZepuPUiXtu+eVA2
TXq0VqYON9zw1vTGMYM4ZZ2HGUwN2QIDAQABo4IBHzCCARswHQYDVR0OBBYEFBBR
LaIURXAYNInyu/iVRAfV5S8mMIHrBgNVHSMEgeMwgeCAFBBRLaIURXAYNInyu/iV
RAfV5S8moYG8pIG5MIG2MQswCQYDVQQGEwJVUzEQMA4GA1UECBMHRmxvcmlkYTEO
MAwGA1UEBxMFTWlhbWkxHDAaBgNVBAoTE1VuaXZlcnNpdHkgb2YgTWlhbWkxJzAl
BgNVBAsTHkRlcGFydG1lbnQgb2YgQ29tcHV0ZXIgU2NpZW5jZTEZMBcGA1UEAxMQ
d2ViLmNzLm1pYW1pLmVkdTEjMCEGCSqGSIb3DQEJARYUd2ViQHdlYi5jcy5taWFt
aS5lZHWCCQDCWdqexvXnAjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GB
AH9KywikHmYWx4pmOecKdKRW1TJlMaf+lszwEMapJhBnlp5uhWvOUtxPPOlwPhFM
g2onTizOpJlR415q8+1zH62Kqk9GwFRUXAmk2ebbOvFYmFe81OZq97SYhPDSxVvP
roS7bSWM/ML0DNAJca2LjzYbwk9w1mv1CzWzd9b3C6Mh
-----END CERTIFICATE-----
subject=/C=US/ST=Florida/L=Miami/O=University of Miami/OU=Department of Computer Science/CN=web.cs.miami.edu/emailAddress=web@web.cs.miami.edu
issuer=/C=US/ST=Florida/L=Miami/O=University of Miami/OU=Department of Computer Science/CN=web.cs.miami.edu/emailAddress=web@web.cs.miami.edu
---
No client certificate CA names sent
---
SSL handshake has read 1605 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 69A232A369C0B286F21A22F23A86A09B86CDB09B5B31914256BBFEF29224A28C
Session-ID-ctx:
Master-Key: 54EC0C31457B5AEC14522D752E9CD8B0D91A253F3D2ACCE96848C980838B095FC3974DCF3D03682ADDB0B1E6AAFF8F70
Key-Arg : None
Krb5 Principal: None
Start Time: 1181061693
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
Note the Cipher information: DHE-RSA-AES256-SHA. This means that:
To get a certificate, you create a Certificate Signing Request and then send it to a Certificate Authority for a signature.
burt@grant$ openssl req -new -key psy.metri.us.key -out psy.metri.us.csr Enter pass phrase for psy.metri.us.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Florida Locality Name (eg, city) []:Miami Organization Name (eg, company) [Internet Widgits Pty Ltd]:iMetrius Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:psy.metri.us Email Address []:web@psy.metri.us Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: burt@grant$ openssl req -in psy.metri.us.csr -noout -text Certificate Request: Data: Version: 0 (0x0) Subject: C=US, ST=Florida, L=Miami, O=iMetrius, CN=psy.metri.us/emailAddress=web@psy.metri.us Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:cf:a4:5b:67:2f:4c:61:48:a6:7a:8a:2c:e8:92: 01:b0:4b:2b:7c:f4:f7:ea:36:dd:97:59:55:59:71: a1:0b:ac:87:75:4f:fd:b9:99:42:71:b0:cc:28:fd: fa:7d:fb:0b:8c:2c:1d:bd:f5:5f:40:d9:09:ed:7f: 8f:4f:5e:4c:92:1e:68:f7:2a:41:98:a3:c9:0b:3d: 14:51:ae:38:5c:e1:ec:02:65:b6:6b:b2:34:b6:26: fe:cd:2c:59:a4:af:6d:b5:02:25:52:ca:c4:b2:4e: 2c:de:88:60:38:fd:ce:2f:65:22:38:94:45:9a:00: 20:1d:a3:51:13:82:4c:28:25 Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: md5WithRSAEncryption 99:2a:a6:1e:b3:96:7a:eb:f1:f1:fb:0d:81:6b:65:08:d8:8d: de:c1:22:49:7f:2a:d8:4b:52:84:3a:61:d6:40:89:25:09:96: 4b:c2:07:49:51:44:66:a4:ef:2a:aa:6a:14:57:28:2d:96:16: c6:e3:5f:9d:7b:be:de:44:2a:96:3b:5c:81:4f:fe:a6:99:64: e4:ae:71:5e:6c:4a:04:6a:2f:a4:f1:e8:cc:68:14:a4:fd:c7: f9:50:d5:61:e8:47:34:cd:be:24:3c:03:26:86:f6:55:ac:d3: 2b:e6:e6:45:3a:d8:68:34:48:78:4a:4f:c2:f7:00:82:ee:1c: 10:db
For this example I am using the website psy.metri.us, an e-commerce site for the delivery of tests (or tutorials) over the Internet. I have registered the domain metri.us with a handy service, go-daddy, which very cheaply provides the DNS service as well as certificates to go with the DNS names. To get a cert, I present them with the following PEM encoding of the csr:
burt@grant$ cat psy.metri.us.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIBujCCASMCAQAwejELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0Zsb3JpZGExDjAM
BgNVBAcTBU1pYW1pMREwDwYDVQQKEwhpTWV0cml1czEVMBMGA1UEAxMMcHN5Lm1l
dHJpLnVzMR8wHQYJKoZIhvcNAQkBFhB3ZWJAcHN5Lm1ldHJpLnVzMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQDPpFtnL0xhSKZ6iizokgGwSyt89PfqNt2XWVVZ
caELrId1T/25mUJxsMwo/fp9+wuMLB299V9A2Qntf49PXkySHmj3KkGYo8kLPRRR
rjhc4ewCZbZrsjS2Jv7NLFmkr221AiVSysSyTizeiGA4/c4vZSI4lEWaACAdo1ET
gkwoJQIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEAmSqmHrOWeuvx8fsNgWtlCNiN
3sEiSX8q2EtShDph1kCJJQmWS8IHSVFEZqTvKqpqFFcoLZYWxuNfnXu+3kQqljtc
gU/+pplk5K5xXmxKBGovpPHozGgUpP3H+VDVYehHNM2+JDwDJob2VazTK+bmRTrY
aDRIeEpPwvcAgu4cENs=
-----END CERTIFICATE REQUEST-----
And then, within a few seconds and a few email messages confirming that it is really me requesting the cert, I get the following data blob:
burt@grant$ openssl x509 -text -in psy.metri.us.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4212778 (0x40482a)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07969287
Validity
Not Before: Jun 5 21:08:09 2007 GMT
Not After : Jun 5 21:08:09 2008 GMT
Subject: O=psy.metri.us, OU=Domain Control Validated, CN=psy.metri.us
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:cf:a4:5b:67:2f:4c:61:48:a6:7a:8a:2c:e8:92:
01:b0:4b:2b:7c:f4:f7:ea:36:dd:97:59:55:59:71:
a1:0b:ac:87:75:4f:fd:b9:99:42:71:b0:cc:28:fd:
fa:7d:fb:0b:8c:2c:1d:bd:f5:5f:40:d9:09:ed:7f:
8f:4f:5e:4c:92:1e:68:f7:2a:41:98:a3:c9:0b:3d:
14:51:ae:38:5c:e1:ec:02:65:b6:6b:b2:34:b6:26:
fe:cd:2c:59:a4:af:6d:b5:02:25:52:ca:c4:b2:4e:
2c:de:88:60:38:fd:ce:2f:65:22:38:94:45:9a:00:
20:1d:a3:51:13:82:4c:28:25
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
URI:http://certificates.godaddy.com/repository/godaddyextendedissuing.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114413.1.7.23.1
CPS: http://certificates.godaddy.com/repository
Authority Information Access:
OCSP - URI:http://ocsp.godaddy.com
CA Issuers - URI:http://certificates.godaddy.com/repository/gd_intermediate.crt
X509v3 Subject Key Identifier:
A9:C5:72:0E:F2:9E:D9:22:86:DC:B6:16:1B:0A:87:A2:D8:AB:C9:3C
X509v3 Authority Key Identifier:
keyid:FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7
X509v3 Subject Alternative Name:
DNS:psy.metri.us, DNS:www.psy.metri.us
Signature Algorithm: sha1WithRSAEncryption
b8:7d:0d:5c:a5:35:e6:09:b6:21:22:b3:04:62:b4:c4:62:7d:
fa:02:de:6b:e0:46:76:e5:4c:29:02:0e:05:22:bd:7a:d8:36:
60:ca:0a:45:af:e9:c6:17:1b:a9:b3:39:ea:5a:4b:57:ce:bb:
60:37:2b:6b:34:1d:44:9b:08:68:00:24:d5:4a:5a:1f:45:47:
33:ba:92:6b:bf:ab:de:e5:f1:9b:82:99:82:de:b4:d0:4a:b8:
78:a6:fb:ff:6c:bb:97:22:c2:a5:f4:1c:ff:ba:b3:6e:71:16:
53:99:69:4f:4e:d8:2c:1e:bc:b4:68:7d:16:38:7a:e5:6c:2a:
81:95:b6:7b:40:57:68:15:09:0d:4c:0c:eb:a9:c8:43:07:cf:
0f:12:80:45:7a:79:16:30:f0:3d:54:6b:11:aa:64:75:a3:ed:
90:32:36:7c:e1:f3:fe:c8:8d:b5:c4:1a:c2:dc:8e:2a:12:da:
03:7a:d0:c8:a6:14:e4:cf:8a:ee:71:cf:9f:e9:f2:7a:9b:77:
40:2c:ae:24:36:ce:06:b7:d9:88:eb:ea:0e:83:32:4a:c7:3d:
19:0d:7b:2a:e2:b3:38:85:b6:e3:da:1b:5e:7e:b4:6b:93:a4:
1c:ae:77:5c:0a:9a:d6:5d:3d:83:75:52:0c:97:35:2f:82:ae:
c8:2d:e2:da
-----BEGIN CERTIFICATE-----
MIIE6jCCA9KgAwIBAgIDQEgqMA0GCSqGSIb3DQEBBQUAMIHKMQswCQYDVQQGEwJV
UzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEaMBgGA1UE
ChMRR29EYWRkeS5jb20sIEluYy4xMzAxBgNVBAsTKmh0dHA6Ly9jZXJ0aWZpY2F0
ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeTEwMC4GA1UEAxMnR28gRGFkZHkgU2Vj
dXJlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MREwDwYDVQQFEwgwNzk2OTI4NzAe
Fw0wNzA2MDUyMTA4MDlaFw0wODA2MDUyMTA4MDlaMFExFTATBgNVBAoTDHBzeS5t
ZXRyaS51czEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRUwEwYD
VQQDEwxwc3kubWV0cmkudXMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM+k
W2cvTGFIpnqKLOiSAbBLK3z09+o23ZdZVVlxoQush3VP/bmZQnGwzCj9+n37C4ws
Hb31X0DZCe1/j09eTJIeaPcqQZijyQs9FFGuOFzh7AJltmuyNLYm/s0sWaSvbbUC
JVLKxLJOLN6IYDj9zi9lIjiURZoAIB2jUROCTCglAgMBAAGjggHTMIIBzzAJBgNV
HRMEAjAAMAsGA1UdDwQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5
LmNvbS9yZXBvc2l0b3J5L2dvZGFkZHlleHRlbmRlZGlzc3VpbmcuY3JsMFIGA1Ud
IARLMEkwRwYLYIZIAYb9bQEHFwEwODA2BggrBgEFBQcCARYqaHR0cDovL2NlcnRp
ZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5MH8GCCsGAQUFBwEBBHMwcTAj
BggrBgEFBQcwAYYXaHR0cDovL29jc3AuZ29kYWRkeS5jb20wSgYIKwYBBQUHMAKG
Pmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZF9p
bnRlcm1lZGlhdGUuY3J0MB0GA1UdDgQWBBSpxXIO8p7ZIobcthYbCoei2KvJPDAf
BgNVHSMEGDAWgBT9rGEyk2xF1uLuhV+auud2mWjM5zApBgNVHREEIjAgggxwc3ku
bWV0cmkudXOCEHd3dy5wc3kubWV0cmkudXMwDQYJKoZIhvcNAQEFBQADggEBALh9
DVylNeYJtiEiswRitMRiffoC3mvgRnblTCkCDgUivXrYNmDKCkWv6cYXG6mzOepa
S1fOu2A3K2s0HUSbCGgAJNVKWh9FRzO6kmu/q97l8ZuCmYLetNBKuHim+/9su5ci
wqX0HP+6s25xFlOZaU9O2CwevLRofRY4euVsKoGVtntAV2gVCQ1MDOupyEMHzw8S
gEV6eRYw8D1UaxGqZHWj7ZAyNnzh8/7IjbXEGsLcjioS2gN60MimFOTPiu5xz5/p
8nqbd0AsriQ2zga32Yjr6g6DMkrHPRkNeyrisziFtuPaG15+tGuTpByud1wKmtZd
PYN1UgyXNS+Crsgt4to=
-----END CERTIFICATE-----
And now, after configuring the web server to connect psy.metri.us port 443 with this key and cert, we have an SSL protected web site.