HTTPS - Gary-Moore/developmentwiki GitHub Wiki
Attributes
- Confidentiality - Keep contents of communication secret.
- Integrity - Ensure content is not modified.
- Authenticity - Client is communicating with correct host.
Certificate Authorities
certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 standard.
Certificate Authorities sign certificates used in HTTPS. Examples include Comodo and DigiCert.
Transport Layer Security (TLS)
The protocol that provide communications security over a computer network in a way designed to prevent eavesdropping and tampering. Since applications can communicate either with or without TLS (or SSL), it is necessary for the client to indicate to the server the setup of a TLS connection. One of the main ways of achieving this is to use a different port number for TLS connections, for example port 443 for HTTPS.
Once the client and server have agreed to use TLS, they negotiate a stateful connection by using a handshaking procedure. The protocols use a handshake with an asymmetric cipher to establish not only cipher settings but also a session-specific shared key with which further communication is encrypted using a symmetric cipher. During this handshake, the client and server agree on various parameters used to establish the connection's security.
SSL was it's predecessor and is now deprecated.
Strict Transport Security
Http Strict Transport Security is a web security policy mechanism that helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers should interact with it using only secure HTTPS connections,and never via the insecure HTTP protocol.
The HSTS Policy is communicated by the server to the user agent via an HTTPS response header field named "Strict-Transport-Security".HSTS Policy specifies a period of time during which the user agent should only access the server in a secure fashion.As the HSTS HTTP Header is only recognized when sent over an HTTPS connection, websites can still allow users to interact with the website using HTTP, to allow compatibility with non-HTTPS user agents.
Check HSTS eligibility of a domain
Create a self-signed certificate for testing
Powershell command to create new certficate
New-SelfSignedCertificate -DnsName "www.fabrikam.com", "www.contoso.com" -CertStoreLocation "cert:\LocalMachine\My"
https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps
Convert the thumbprint into a secure string
$pwd = ConvertTo-SecureString -String "XXXXXXXXXXX" -AsPlainText -Force
Export Certificate to a pfx file
Export-PfxCertificate -FilePath C:\Cert\cert.pfx -Password $pwd -Cert cert:\localMachine\my\7D0BEC65172C0CBB7BE6E0440BD7FEE303D610EE
https://docs.microsoft.com/en-us/powershell/module/pkiclient/export-pfxcertificate?view=win10-ps