In certain instances, it is desirable to employ secure network communications. Consider web browsing, for example, and more specifically, instances where sensitive information, such as credit card information, is transmitted from a client (e.g., web browser) to a server (e.g., web server), for instance on e-commerce websites. In such cases, a secure communication channel between the client and the server can be established to prevent electronic eavesdropping, among other things. Typically, a protocol such as secured sockets layer (SSL) or transport layer security (TLS) can be employed along with a digital certificate to secure communications.
The SSL, or its decedent TLS, protocol can establish a secure connection beginning with a handshake procedure in which a client and server, for example, negotiate and agree upon various parameters used to secure the connection. The handshake procedure, or negotiation, begins when a client connects to a server requesting a secure connection and provides a list of supported cipher suites (e.g., set of authentication, encryption, and message authentication algorithms). The server selects one of the cipher suites and notifies the client of the selection. In addition, the server sends back identification information in the form of digital certificate that includes the server name, a certificate authority signature, and the server's public encryption key. After confirming the certificate is valid, the client can generate a pseudo-random number, encrypt the number with the server's public key, and send the encrypted number to the server. Upon receipt, the server can decrypt the transmitted number utilizing its private key. From this number, a session key can be generated for encryption and decryption. Subsequently, the client and server can exchange data over the established secured channel in which messages are encrypted utilizing the session key.
Prior to establishing a secure connection, a server needs to acquire and bind a digital certificate. More specifically, a trusted certificate authority (CA) is contacted and provided requisite information. Upon verification of provided information, the certificate authority will issue a certificate including the server's name, public key, and expiration date, among other things. Subsequently, the server will copy the certificate, import the certificate into a local repository, and explicitly bind the certificate to an IP (Internet Protocol) address and port combination, or more simply to a host, such as a website.