I don’t work in this area, but I keep seeing mention of SSL certificates in my browser so I wanted to find out what they were. I didn’t realise you also had SSL certificates in iPhones, but that was dumb of me because it of course has a browser. I get it now you’ve explained it. I’d like to request that article you’re planning on SSL, as it would certainly be of interest. Thanks very much Peter You are a patient teacher and very kind for taking the time. Great website.

No problem – this happens to be a topic of significant interest to me, so it’s quite good to have the opportunity to talk about it. I’m considering writing a separate article explaining SSL certificates, the “trust hierarchy” etc. when I get the chance – you might want to watch out for that.

“So, if I’ve got this right, the SSL certificate is produced by a Certificate Authority, who would be the trusted source. And the iPhone (or whatever) is designed by Apple (or whoever) to look for these and trust them when they are set up right. And the End Entity says that the iPhone can trust the certificate (and person who holds it) to provide certain things, such as Internet banking or keeping personal data. Is that right?”

Almost there – the phrase “End Entity” might have confused things a little here. This is Internet Explorer’s way of saying that the boolean flag for “Certificate Authority” is not set on the certificate – Firefox is more clear when it says “is not a Certificate Authority”. In fact, iOS itself is pretty clear when you do get to view certificate properties (as far as I can tell, this is only when there’s an error) – it has a section in the certificate properties marked “Certificate Authority” with a “Yes” or “No” against it.

A Certificate Authority is a top-level authority that is “trusted” to sign certificates. If you look even deeper into your browser settings (again, exactly how will vary with your browser), you should be able to find the list of Authorities your browser inherently trusts (this includes the likes of Verisign, Comodo, Thawte and a large number of others you may not have heard of). Each of these may have “Intermediate” certificates which are also classed as “Certificate Authorities”, as there is a “chain” or “hierarchy” of trust involved. When a Certificate Authority signs a certificate destined for an SSL server, it marks the “Certificate Authority” section of the “Basic Constraints” section to “No”, meaning that the certificate is not trusted to sign others (and thus create a longer “chain”).

So, taking the CLAS Consultants site I mentioned before as an example:

1. GlobalSign Root CA is the top-level Certificate Authority – this certificate is pre-installed in your browser (or in the system beneath it, such as iOS, Windows or anything else) as a “trusted” Authority. Under Basic Constraints, this certificate is a Certificate Authority.
2. GlobalSign Domain Validation CA – GlobalSign has chosen to create a sub-authority (intermediate certificate) for the purposes of their “Domain Validation” service (this means they have only checked that I officially administer the domain that the SSL certificate applies to). Again, this intermediate certificate is a Certificate Authority.
3. www.clasconsultants.net – this is the certificate I received to install on my server once GlobalSign had finished their verification. This certificate is not a Certificate Authority – it is an “End Entity”, and therefore is not authorised to sign other certificates.

The difficulty arises because technically any certificate can be used to sign any other (well, strictly, it is the associated private key that is used to sign, but that’s detail for another day!). So, even though GlobalSign has said I shouldn’t use my certificate to sign any others, there’s no reason why I can’t – for example, I can use the certificate to sign a new certificate for www.peterbance.co.uk and start using SSL for this site. If I did this, though, pretty much every browser would complain about an invalid certificate. In your example, the responsibility for making sure this check is made lies with Apple (who produce both iOS and the built-in Safari browser).

“I really do appreciate you taking the time to explain all this to someone you just ‘met’.”

As I say, no problem! Watch out for a future article that will cover this in a lot more detail, and go into exactly how the “trusted” Certificate Authorities become trusted.

So, if I’ve got this right, the SSL certificate is produced by a Certificate Authority, who would be the trusted source. And the iPhone (or whatever) is designed by Apple (or whoever) to look for these and trust them when they are set up right. And the End Entity says that the iPhone can trust the certificate (and person who holds it) to provide certain things, such as Internet banking or keeping personal data. Is that right?

I really do appreciate you taking the time to explain all this to someone you just ‘met’.

The contents of the Basic Constraints section are presented in different ways in different browsers (within the certificate itself, it’s actually just a boolean, or yes/no value):

• Internet Explorer: End Entity
• Firefox: is not a Certificate Authority

The Certificate Authority (CA) sets this flag because the validation process they employ when issuing a single server certificate is not highly rigorous – it does not infer sufficient trust in the server’s owner to allow them to become a Certificate Authority themselves (and thus be able to sign other certificates).

You can check this out for yourself – compare the following, for example:

• CLAS Consultants Online Services – Basic Constraints set correctly; and
• Recurity Labs Proof of Concept – you’ll be warned by your browser (unless you’re using an outdated version of iOS!).

View the certificate details for each of the above sites (you’ll have to look through the detailed “Certificate Properties”), and you will see that the Basic Constraints section is correctly set on the first one, whereas on the second it is not – that test certificate has been created specifically to test for this problem in iOS.

I hope this helps, but do drop another comment back to me if I haven’t explained it clearly!