SSL Certificates

An SSL certificate is a digitally signed statement that does two things:

    Identifies a host computer, organization, or individual, carrying with it an assurance (warranted by a Certification Authority (CA)) that the host computer, organization, or individual is who they claim to be, and providing an electronic means of verifying that a communication came from that party and not from someone posing as them.

    Contains a public key; the CA's signature over the certificate provides assurance that neither the key nor the identity bound to it has been altered.

Note: An SSL authentication certificate digitally signed by a CA can be trusted on the basis that a CA will not digitally sign a certificate unless it has adequate proof that the host computer or individual has the right to represent itself by that information. The web browser or VIC extends this trust only to CAs already present in its own trust store, and it will still reject (or warn about) a certificate whose host name does not match the server it is connecting to or whose validity period has expired.

VIC to VTS/IS username/password authentication is all that protects access to the VTS/IS by the web browser or VIC over the publicly accessible Internet (unless the end user has employed other security mechanisms, such as VPNs). The web browser or VIC therefore needs to be sure that it is communicating with a legitimate VTS/IS before transmitting a username and password; otherwise anyone impersonating the server could simply collect those credentials. To protect them, SSL is used, with the VTS server presenting an SSL certificate to the web browser or VIC.

Note: "SSL" is the acronym for the Secure Sockets Layer security protocol, which lets you transmit private data over the Internet by creating an encrypted, authenticated connection between a client and a server. Its successor, TLS (Transport Layer Security), is what current browsers and servers actually negotiate; the certificates are the same, and the older name persists.

As mentioned above, an SSL certificate carries with it a public key whose integrity is guaranteed by the CA's signature. This public key is one half of an asymmetric key pair; its mate is called the private key. Data encrypted with the public key can be decrypted only with the private key, and a signature made with the private key can be verified only with the public key. In an SSL connection the server uses the private key to prove that it is the party named in the certificate, and the client uses the public key to check that proof.

The private key is held securely by the organization that owns the SSL certificate containing the public key (e.g. your organization). No one, not even the CA that issues the SSL certificate, knows the private key; the CA sees only the public key, in the certificate request, and digitally signs the certificate to bind that public key to the identity stated in the request. The request itself is signed with the private key, which is how the CA can confirm that the public key is the mate of a private key held by the requester, and how the VTS/IS can later match the CA's reply to the correct private key in its store.

Note: You must safeguard and keep backups of the private key, as well as the SSL certificate.

If you have purchased a VTS/IS license, you must additionally purchase one SSL certificate for each VTS/IS host name that you wish to protect with SSL. VICs do not require the purchase of SSL certificates.

VTS enables you to automatically generate a request for an SSL certificate from a Certification Authority (such as VeriSign) using the SSL Certificate tab of the VTS Internet Client/Server Setup dialog. The request, which contains the host's identity and the new public key but never the private key, is formed and placed on your Windows clipboard. You may then send this request to the CA, either by e-mail or using an online form (if the CA provides one at its web site). The request is persistently lodged in the VTS/IS request store, and when the reply arrives from the CA, the VTS Internet Client/Server Setup dialog must be used again to process the reply from the clipboard into the VTS/IS store. This processing phase removes the request from the request store and places the SSL certificate into the VTS/IS certificate store, binding it to the correct private key.

Note: It is highly recommended that you use the Microsoft Management Console (MMC) to back up the certificate and private key. If the registry has to be restored or is lost, the private key will be permanently lost as well. If you do not have a backup of your private key, there is no way to regenerate it, and if you irretrievably lose it you will have to purchase a new SSL certificate. Therefore, store the certificate together with its private key in PKCS #12 (.PFX) format, and confirm that the private key was actually included in the backup. A .PFX file is only as well protected as the password you choose for it, so keep it somewhere with restricted access rather than alongside ordinary files.

The certificate request does not have to be generated on the PC that will ultimately use the certificate. You can request a certificate for any PC; however, the CA's reply must be processed into the request and certificate store of the PC on which the request was made, because that is where the matching private key lives. After you've done so, you may back up the SSL certificate (with its private key) and copy it to the PC for which the request was made.

Note: The key will be encrypted to protect it during the backup process; you will therefore be required to enter a password. Choose a strong one: it is the only thing protecting the private key once it is inside the backup file.
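The request, CA reply, processing and backup cycle described above, as an added example that is not part of this page or of VTS/IS. It uses OpenSSL in a POSIX shell so that each step the dialog performs behind the scenes can be inspected: the private key is generated locally and only the request leaves the machine; the reply is checked against the private key, the CA chain and the host name before it is accepted; and the certificate and key are exported to a password-protected PKCS #12 (.PFX) file whose contents are verified. The host name vts.example.com, the working directory ./certdemo, the password, and the throwaway "Demo Root CA" that stands in for a commercial CA are all assumptions.

```shell
#!/bin/sh
# Added example (not VTS/IS code). Assumed names: vts.example.com, ./certdemo,
# the PFX password below, and a throwaway root CA standing in for the real CA.
set -eu

WORK="${WORK:-./certdemo}"
HOST="${HOST:-vts.example.com}"
PFX_PASS="${PFX_PASS:-correct-horse-battery-staple}"

# Step 1: generate the private key and the request. Only server.csr (identity +
# public key, self-signed to prove possession of the key) goes to the CA;
# server.key never leaves this machine, which is why nobody, the CA included,
# ever learns it.
make_request() {
    mkdir -p "$WORK"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=$HOST/O=Example Utility" 2>/dev/null
    chmod 600 "$WORK/server.key"
    # a request whose self-signature does not check out is not worth sending
    openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1
}

# Step 2: what the CA does with the request. The throwaway root created here
# stands in for the commercial CA; it sees server.csr, never server.key.
simulate_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Demo Root CA" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/server.ext" \
        -out "$WORK/server.crt" 2>/dev/null
}

# Does this certificate carry the public half of this private key? Comparing
# the public keys works for RSA and EC alike. Usage: key_matches_cert KEY CERT
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Step 3: the checks that "processing the reply" must pass before the
# certificate goes into the store: right key, valid chain, the host name you
# are actually protecting.
verify_reply() {
    key_matches_cert "$WORK/server.key" "$WORK/server.crt" ||
        { echo "reply does not match the private key in the request store" >&2; return 1; }
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null ||
        { echo "certificate does not chain to a trusted CA" >&2; return 1; }
    openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "DNS:$HOST" ||
        { echo "certificate is not for $HOST" >&2; return 1; }
}

# Step 4: the backup: certificate, issuing chain and private key together in
# one PKCS #12 (.PFX) file, encrypted under a password. Then restore the key
# from that file and check it, because an unverified backup is no backup.
export_backup() {
    openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
        -certfile "$WORK/ca.crt" -name "$HOST" -passout "pass:$PFX_PASS" \
        -out "$WORK/server.pfx"
    chmod 600 "$WORK/server.pfx"
    openssl pkcs12 -in "$WORK/server.pfx" -passin "pass:$PFX_PASS" -nocerts -nodes \
        -out "$WORK/restored.key" 2>/dev/null
    key_matches_cert "$WORK/restored.key" "$WORK/server.crt"
}

main() {
    make_request
    simulate_ca
    verify_reply
    export_backup
    echo "certificate for $HOST verified and backed up to $WORK/server.pfx"
}

main
```

The public-key comparison in `key_matches_cert` is the same test the VTS/IS performs when it binds the CA's reply to a private key in its store; run it against any certificate file you are about to import, and against any .PFX you restore onto another PC, before trusting that the copy is complete.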

The sections that follow provide instructions on requesting an SSL certificate, and processing it once it has been received.

Topics in this section:

Generate a Request for an SSL Certificate

Process a New SSL Certificate