Introduction to SSL

Article: Introducing SSL and Certificates using SSLeay

The article, Introducing SSL and Certificates using SSLeay was originally published in Web Security: A Matter of Trust, the World Wide Web Journal, Volume 2, Issue 3, Summer 1997. The author,Frederick Hirsch, was at the Open Group Research Institute at the time. It is available in online form here.

This article was also used as the basis, with revision by Ralph Engelschall, as introductory information for the Apache web server mod_ssl module documentation.

Since the article was published, some changes have occured in browser technology, simplifing the process. Some corrections have also been noted.

Changes

Since the article was written is has become much easier to import client certificates into a browser, eliminating much of the need for the complicated Javascript and Perl code to perform this function. Both Netscape Navigator and Internet Explorer support directly importing certificates.

In Internet Explorer (e.g. 5.0), the certificate import wizard may be accessed by selecting the Internet Options menu item in the Tools menu, then selecting the content tab and pushing the certificates button in the certificates section. This brings up the Certificate Manager pane. Pushing the import button starts the import wizard which allows importing a single client certificate stored in a single file at one time, in one of the following formats:

PKCS#12 format
CMS standard PKCS#7 format
Microsoft Serialized Certificate Store format

Netscape Navigator (e.g. 4.5) supports a similar facility. Selecting the Tools menu item in the Communicator menu, and then the Security Info menu item in the side menu causes the Security Info pane to appear. Clicking on the Yours link in the Certificates section causes the import pane to appear. Pushing the Import a Certificate button makes it possible to import a client certificate stored in PKCS#12 format in a file.

Corrections

Ralph Engelschall mentioned the following corrections:

The article should refer to TLS 1.0, not "TLS 2.0".
The misunderstanding was due to the document being revision 2, not that the protocol is at that revision (tls-xxxxx-02.txt)
The CN of a DN is only a wildcard pattern, not a regular expression.
The example has to match the term: it's *.xxx.dom and for a regex it has to be at least .*.xxx.dom. But because it's a pattern *.xxx.dom was correct. Only the term "regular expression" was not quite correct.
There is once the typo "Transaction Layer Security", it should be "Transport Layer Security".
RSA refers to both algorithm and company, depending on the context.
"RSA DSI" should be used to refer to the official name of this company.
"NULL encryption" should be "Null encryption".
"Browser client" can be just "browser", since client is implicit in the context of the web.

Please send additional comments or corrections to fjh@alum.mit.edu.