
Secure Sockets Layer (SSL) Fundamentals



Anthony James

Training Architect

Course Details

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are the backbone of securing network communications through encryption. They are the standards widely used today to secure many kinds of communication: websites, email, and many others. Strictly speaking, every version of SSL is now deprecated and what actually runs on the wire is TLS, but the name SSL has stuck. This course is designed to give you a high-level understanding of how to implement and maintain an environment that supports SSL and TLS.


Getting Started

Course Introduction


Lesson Description:

Welcome to our SSL Fundamentals course! Have you ever visited a secure website and wondered what it is that makes it secure? That's the exact topic we intend to tackle with this course! SSL, or, more appropriately, TLS (Transport Layer Security), is how we secure those communications. We're excited that you're here! With all of that being said, let's get started!

About the Training Architect


Lesson Description:

Hello! I'm Justin Mitchell, the author of this course. In this video, you'll learn a little bit about me. As you progress through the course, if I can assist you in any way, please don't hesitate to reach out. You can reach me a few different ways:
On LinkedIn
Via email at
Join the Linux Academy Community Slack, and follow the #security channel

Getting Started

Introduction to Cryptography


Lesson Description:

To understand SSL, it's vitally important to understand what cryptography is and why we use it in our computing environments. This lesson covers a high-level understanding of some of the key concepts associated with cryptography.

Introduction to Asymmetric Encryption


Lesson Description:

Now that we have a good understanding of what cryptography is and what it's used for, let's dive into asymmetric encryption. In this lesson, we'll establish how asymmetric encryption is used to mitigate the key issue with symmetric encryption: key distribution.

Introduction to Public Key Infrastructure (PKI)


Lesson Description:

Asymmetric encryption uses a pair of keys: a public key, which can be handed to anyone, and a private key, which never leaves its owner. Data encrypted with one key can only be decrypted with the other. A public key infrastructure, or PKI, is the system of certificates and certificate authorities that ties a public key to an identity, so that a client handed a public key can tell whose it is. In this lesson, we'll take a look at how PKI works.

Using Encryption to Protect Network Communications

Secure Protocols Overview


Lesson Description:

To get a better understanding of SSL, it's first important to understand how application protocols such as HTTP, SMTP, and LDAP carry communications over the network. Let's dive in and look at some of those protocols, as well as discuss how SSL is layered beneath them to secure the traffic without changing the protocols themselves.

The Use of Hybrid Encryption in SSL


Lesson Description:

As we discussed in Section 1, both symmetric and asymmetric encryption come with their own respective drawbacks: symmetric encryption is fast but requires both parties to already share a secret key, while asymmetric encryption solves key distribution but is far too slow for bulk data. Hybrid encryption combines the two, using asymmetric encryption only to establish a shared symmetric key and symmetric encryption for everything after that. In this lesson, let's take a look at how hybrid encryption is used in our everyday work to ensure secure transmission of data.

How a Public Key Exchange (PKE) Works


Lesson Description:

Now that we understand what hybrid encryption is and how it works, let's take a look at how it is used to encrypt data in transit between a web server and a client. In this lesson, we'll learn how a web server presents its certificate, and with it its public key, to a client, and how the client uses that key to establish the shared session key that protects the rest of the session. This exchange is the heart of what is referred to as the TLS handshake.
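The exchange described in this lesson and the previous one, as an added example that is not part of the course material: a Go program, using only the standard library, that plays both sides of the RSA key exchange TLS used up to version 1.2 and then runs the symmetric part over AES-256-GCM. The HMAC-based key derivation, the 48-byte premaster size, the sample HTTP request and the use of OAEP padding (real TLS 1.2 used PKCS#1 v1.5) are this example's own choices; TLS 1.3 no longer uses RSA key exchange at all, but the hybrid pattern it demonstrates is unchanged.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// randomBytes draws n bytes from the CSPRNG; a failure there is unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// deriveKey stands in for the TLS PRF/HKDF (example choice): HMAC-SHA256 keyed
// with the premaster secret over both hello nonces. Either side can compute it,
// and the fresh nonces make the key unique per connection.
func deriveKey(premaster, clientRandom, serverRandom []byte) []byte {
	mac := hmac.New(sha256.New, premaster)
	mac.Write(clientRandom)
	mac.Write(serverRandom)
	return mac.Sum(nil) // 32 bytes: an AES-256 key
}

// aeadFor builds AES-256-GCM for a derived key; keys are always 32 bytes, so failure here is a bug.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

type Result struct {
	WrappedLen, SealedLen int  // bytes on the wire: the wrapped premaster and the sealed record
	KeysMatch, Tampered   bool // both sides derived the same key; a modified record was rejected
	Decrypted             string
}

// rsaKeyExchange plays both sides of the RSA key exchange TLS used up to 1.2: the
// server's public key (carried in its certificate) wraps a client-chosen premaster
// secret, and everything after that is symmetric. OAEP padding is used here; TLS 1.2
// used PKCS#1 v1.5, whose padding oracle (Bleichenbacher) helped push TLS 1.3 to (EC)DHE.
func rsaKeyExchange(message []byte) (Result, error) {
	serverPriv, err := rsa.GenerateKey(rand.Reader, 2048) // the server's long-term key pair
	if err != nil {
		return Result{}, err
	}
	// 1. ClientHello / ServerHello: 32-byte nonces exchanged in the clear.
	clientRandom, serverRandom := randomBytes(32), randomBytes(32)
	// 2. ClientKeyExchange: a premaster secret encrypted to the server's public key.
	premaster := randomBytes(48)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &serverPriv.PublicKey, premaster, nil)
	if err != nil {
		return Result{}, err
	}
	// 3. Only the private-key holder can recover it; an eavesdropper sees just `wrapped`.
	unwrapped, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wrapped, nil)
	if err != nil {
		return Result{}, err
	}
	// 4. Both sides derive the session key independently; it is never transmitted.
	clientKey := deriveKey(premaster, clientRandom, serverRandom)
	serverKey := deriveKey(unwrapped, clientRandom, serverRandom)
	// 5. Bulk data rides on the fast symmetric cipher, one fresh nonce per record.
	client, server := aeadFor(clientKey), aeadFor(serverKey)
	nonce := randomBytes(client.NonceSize())
	sealed := client.Seal(nonce, nonce, message, nil) // nonce || ciphertext || 16-byte tag
	decrypted, err := server.Open(nil, sealed[:len(nonce)], sealed[len(nonce):], nil)
	if err != nil {
		return Result{}, err
	}
	// 6. An on-path change (here one flipped bit) fails the tag check instead of decrypting to garbage.
	forged := append([]byte(nil), sealed...)
	forged[len(forged)-1] ^= 1
	_, tamperErr := server.Open(nil, forged[:len(nonce)], forged[len(nonce):], nil)
	return Result{
		WrappedLen: len(wrapped), SealedLen: len(sealed),
		KeysMatch: hmac.Equal(clientKey, serverKey), Tampered: tamperErr != nil,
		Decrypted: string(decrypted),
	}, nil
}

func main() {
	fmt.Println(rsaKeyExchange([]byte("GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n")))
}
```

The asymmetric operation happens exactly once, on 48 bytes; the request itself, however large, only ever touches AES. Note also what the eavesdropper gets: the two nonces and the wrapped premaster, none of which yields the session key without the server's private key, which is why that key's file permissions matter so much in the server setups later in this course.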

How (and Why) TLS Superseded SSL


Lesson Description:

The terms SSL and TLS are often used interchangeably in today's computing environment. However, there are some key differences between the two. In this lesson, we'll cover those differences, as well as some of the history involved that led us to use TLS today.

Real-World Use Cases

Requesting and Setting Up a Web Server Certificate


Lesson Description:

We'll start our real-world use cases off with one of the more common uses for SSL: setting up a web server certificate. For this lesson, we're using an Ubuntu 16.04 box with Nginx installed, but the same works on CentOS 7. If you want to follow along, here's what we accomplish below.

Install Nginx:
sudo apt-get install nginx
Or (if on CentOS):
sudo yum install nginx
Create the key pair and a self-signed certificate. The target directory has to exist first, and -nodes leaves the private key unencrypted so that Nginx can start unattended, which is exactly why the key file must not be readable by anyone but root:
sudo mkdir -p /etc/nginx/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/test.key -out /etc/nginx/ssl/test.crt
sudo chmod 600 /etc/nginx/ssl/test.key
Modify the Nginx configuration to redirect all HTTP traffic to HTTPS, listen on port 443, and point Nginx at the certificate and key:
sudo nano /etc/nginx/sites-enabled/default
In the server block that listens on port 80, replace the content handling with a redirect. $host is used rather than $server_name so that the redirect carries the name the client actually asked for; with the catch-all server_name of _, $server_name would send clients to https://_/:
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
If lines already exist for listening on port 443, simply uncomment them; otherwise, add them. Then add the lines that make Nginx use your newly created certificate, and while you are there, restrict the protocol versions to TLS 1.2, which is the newest version this Nginx build speaks and the oldest worth offering:
server {
    listen 443 ssl default_server;
    server_name _;

    ssl_certificate     /etc/nginx/ssl/test.crt;
    ssl_certificate_key /etc/nginx/ssl/test.key;
    ssl_protocols       TLSv1.2;

    root /var/www/html;
    index index.html;
}
Check the syntax before reloading, since a typo here takes the whole site down:
sudo nginx -t && sudo systemctl reload nginx
Because the certificate is self-signed, browsers will warn until they are told to trust it. That is fine for a lab; for anything clients outside your control connect to, request the certificate from a CA those clients already trust instead.

Setting Up a Private Docker Registry Using SSL


Lesson Description:

As part of our practical, real-world use cases, let's look at setting up a private Docker registry using SSL. In this example, we're going to use a CentOS 7 machine with Docker installed. Here are the steps we're going to take.

Update the system and install Docker Engine (the installer is fetched with curl and piped straight into sh, so read the script before running it on anything that matters):
yum update
curl -fsSL | sh
systemctl start docker
Before creating the certificate, add the registry's IP address to the OpenSSL config file as a subjectAltName. Docker checks the certificate against the address it connects to, and since it connects by IP here, that IP has to appear as an IP: entry in subjectAltName in the extension section that req -x509 uses, [ v3_ca ]. A certificate whose only identity is the CN is rejected:
vim /etc/pki/tls/openssl.cnf
Then create the directory and the certificates (the registry container mounts /certs, so the key never goes into an image):
mkdir -p /certs
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /certs/test.key -out /certs/test.crt
Create the Docker registry:
docker run -d -p 5000:5000 --restart=always --name registry -v /certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/test.crt -e REGISTRY_HTTP_TLS_KEY=/certs/test.key registry:2
Add the certificate to Docker's trusted certs for this registry. Docker looks for a ca.crt in a directory named after the registry's host:port and reads it each time it connects, so no daemon restart is needed. Copy only the certificate: the private key has no business in a client trust directory, and Docker would refuse to talk to the registry at all, complaining about a .key file without a matching .cert:
mkdir -p /etc/docker/certs.d/<serverIP>:5000
cp /certs/test.crt /etc/docker/certs.d/<serverIP>:5000/ca.crt
A docker push to <serverIP>:5000 now succeeds where it previously failed with a certificate error. Keep in mind what TLS has and has not bought you here: clients can verify they are talking to your registry and nobody on the path can read the traffic, but anyone who can reach port 5000 can still push and pull until you put authentication in front of the registry.
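The certificate handling behind the Nginx and Docker steps above, and behind the earlier PKI lesson, as an added example that is not part of the course material: a Go program, using only the standard library, that builds a small PKI (a root CA plus a server certificate it signs, the general case of which the single self-signed certificate the openssl commands produce is the degenerate one-certificate version) and then runs the same verification a TLS client performs on what the server presents. The CA name, the registry.local host name, 127.0.0.1 as the IP SAN and the scenario labels are this example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newKey makes a P-256 key pair; a failing CSPRNG is unrecoverable, so panic.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newPKI builds a one-level PKI: a self-signed root CA (the kind of certificate
// `openssl req -x509` produces) and a server certificate it signs for 365 days.
// Host names and IPs go into subjectAltName; modern clients ignore the CN.
func newPKI(dnsNames []string, ips []net.IP) (ca, server *x509.Certificate, err error) {
	now, caKey, leafKey := time.Now(), newKey(), newKey()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsNames[0]},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour), // -days 365
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames: dnsNames, IPAddresses: ips,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	server, err = x509.ParseCertificate(leafDER)
	return ca, server, err
}

// check does what a TLS client does with a certificate it receives (chain it to
// a trusted root, confirm it is valid at time at, match the name it meant to
// reach against the SANs) and maps the outcome to the fix an operator needs.
func check(server *x509.Certificate, roots *x509.CertPool, name string, at time.Time) string {
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: name, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	var nameErr x509.HostnameError
	var caErr x509.UnknownAuthorityError
	var invErr x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &nameErr):
		return "name-mismatch" // reissue with the name or IP in subjectAltName
	case errors.As(err, &caErr):
		return "untrusted-issuer" // install the CA certificate on the client
	case errors.As(err, &invErr) && invErr.Reason == x509.Expired:
		return "expired" // renew before the 365 days run out
	default:
		return "other: " + err.Error()
	}
}

// runScenarios reproduces the outcomes the Nginx and Docker steps hinge on.
func runScenarios() (map[string]string, error) {
	ca, server, err := newPKI([]string{"registry.local"}, []net.IP{net.ParseIP("127.0.0.1")})
	if err != nil {
		return nil, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca) // client side: the same effect as ca.crt under /etc/docker/certs.d/<host:port>/
	now := time.Now()
	return map[string]string{
		"trusted CA, DNS name in SAN": check(server, trusted, "registry.local", now),
		"trusted CA, IP in SAN":       check(server, trusted, "127.0.0.1", now),
		"trusted CA, name not in SAN": check(server, trusted, "registry.example", now),
		"CA not installed":            check(server, x509.NewCertPool(), "registry.local", now),
		"a year later":                check(server, trusted, "registry.local", now.Add(366*24*time.Hour)),
	}, nil
}

func main() {
	fmt.Println(runScenarios())
}
```

The three failure classes are the ones you will meet in practice: a name or IP missing from subjectAltName (the reason the Docker steps edit openssl.cnf before issuing the certificate), a client that does not have the issuer in its trust store (the reason ca.crt is copied under certs.d), and a certificate that has simply run out, which the 365-day validity in every openssl command above guarantees will happen a year from now unless someone renews it.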

Encrypting File System (EFS) Overview


Lesson Description:

EFS (Encrypting File System) is a built-in Microsoft Windows feature that encrypts files stored on NTFS volumes. It is another place to see hybrid encryption at work: each file is encrypted with a random symmetric File Encryption Key (FEK), and that FEK is stored with the file encrypted under the user's EFS public key, so only the holder of the matching private key (or a designated recovery agent) can unlock the file. In this lesson, we'll take a look at how EFS works, as well as walk through a demonstration of how to encrypt a folder with EFS. To mimic the lesson on a Windows server, right-click a file or folder and select Properties > Advanced > Encrypt contents to secure data. Back up the EFS certificate and private key afterwards: if the user profile holding that key is lost, so is access to the data.

Setting Up OpenLDAP to Use SSL/TLS


Lesson Description:

OpenLDAP is an open-source implementation of LDAP (Lightweight Directory Access Protocol). There are two ways to put TLS under LDAP. LDAPS uses a separate port (636) on which the connection is encrypted from the first byte; StartTLS has the client connect to the normal LDAP port (389) and upgrade the session with an extended operation before it sends anything sensitive. StartTLS is the mechanism the LDAP standards define; LDAPS predates it and was never standardized, though it remains widely deployed and supported, and both rely on the same server-side certificate configuration shown here. For this example, we're using a CentOS 7 machine with OpenLDAP installed. If you want to follow along, here are the steps to accomplish: First, update your system, configure your hostname, and then install OpenLDAP:

sudo yum update

vim /etc/hosts
Update to your new hostname; the entry is formatted IP FQDN short-name, for instance:
<serverIP> ldapsrv.local ldapsrv
Then, install OpenLDAP:
sudo yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
Start and enable the slapd service, then generate the hash for the directory manager's password with slappasswd. Copy the generated hash; it goes into the configuration below:
systemctl start slapd.service
systemctl enable slapd.service
slappasswd
Now configure OpenLDAP with the domain established when you changed the hostname and the password hash you just generated. The LDIF file can live anywhere; /etc/openldap/slapd.d is slapd's own configuration database, so prefer writing it somewhere like your home directory:
vim init.ldif
Paste the following, changing each dc= component to match your domain. If the hostname is ldapsrv.local, the suffix is dc=local; a domain with more labels gets one dc= component per label, so for the corresponding two-label domain the olcSuffix line would read olcSuffix: dc=local,dc=com. On the last line, paste your newly generated password hash, otherwise binding as the root DN will fail later.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldap,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}AmuhKv7p8YuN/JYHV0ph1kFOQRkQhpYm/
Commit those changes (the EXTERNAL mechanism over the ldapi socket authenticates you as the local root user, which is why no password is needed here):
ldapmodify -Y EXTERNAL -H ldapi:/// -f init.ldif
Generate your key pair and certificate, give the ldap user ownership of the location where you store them, and make the private key readable only by that user:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/openldap/certs/ldaptest.key -out /etc/openldap/certs/ldaptest.crt

chown -R ldap:ldap /etc/openldap/certs/
chmod 600 /etc/openldap/certs/ldaptest.key
Create an ldif file that modifies the OpenLDAP config to use the certs we just created:
vim certs.ldif
Copy the changes below into the file, substituting your own directory and file names in the two olcTLS... value lines. Keep the key before the certificate: slapd validates the pair as each attribute is applied, and applying the certificate first commonly fails with an implementation-specific error:
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldaptest.key

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldaptest.crt
Commit those changes to the configuration:
ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
Note: You can test the configuration at any time by running:
slaptest -u
You can always inspect the current configuration by opening the cn=config.ldif file under /etc/openldap/slapd.d. Read it, but do not edit it by hand; changes go in through ldapmodify as above, and hand edits trip the checksum slapd keeps on each file:
vim cn=config.ldif
With the certificate in place, StartTLS is available on port 389 (restart slapd if a client test still shows the old settings). Clients only accept a self-signed certificate if they trust it, so point TLS_CACERT in /etc/openldap/ldap.conf at ldaptest.crt, then test with ldapsearch's -ZZ option, which makes the search fail unless StartTLS succeeds. If you also want LDAPS on 636, add ldaps:/// to SLAPD_URLS in /etc/sysconfig/slapd and restart slapd.

Wrapping Up

The DMV Model of Acquiring a Certificate


Lesson Description:

Acquiring an SSL certificate is much like visiting your local Department of Motor Vehicles (DMV) to obtain your driver's license or a license plate for your vehicle. This lesson is designed to show the similarities between the two to help you correlate acquiring this certificate with something you have most likely done before.

What's Next?


Lesson Description:

Now that you've completed the SSL Fundamentals course, let's take a look at some of the other Linux Academy offerings that may be of interest to you.
