Working with SSL Certificates and Automatically switch between https and http and vice versa Part I

I was working with a website recently (rossnut.com) thats sells items on the web. One of the core functionality i was working with is the shopping cart. it was an upgrade from ASP 3.0 to ASP.NET 3.5. One of the things i am excited about sharing is Working with SSL and how to aquire a trial SSL certificate for local development.

What is SSL and what role does it play on eCommerce?

SSL (Secure Sockets Layer) is a protocol or mode of communication between devices in a secure manner. By default it uses port 443 as http uses port 80. Secure means all data communication between the server and the client will be encrypted/decrypted so data will be obscured from a hacker sniffing on the network for sensitive information. SSL is never meant to be used on all of your webpages. It is only meant to be used on part of your webpages that requires users to input their sensitive information like credit card information. This way, when a user know that their privacy is not threatened by explaining to them that their sensitive information is encrypted upon submission,  a relationship of trust is established between you as a merchant and your users as the customers. Trust is very important in doing eCommerce. Customers may like what you sell on your website but they may be overshadowed by doubt if they do not know who you are or what your reputation is as a seller. Somehow you will need proof to vouch for your integrity. Thats where SSL Certificates comes in.

What is SSL Certificate, how it works and how do you aquire them?

In simple term, an SSL certificate is a proof of your identity as a merchant. Basically it contains information about you or your business or your website, validity dates and most importantly your public key and private key for encryption/decryption routines. This certificate is signed by a Certificate Authority or CA. Thawte and Verisign are examples.

Generally, SSL works these way,

1. 1.The web server sends its public key with its certificate.
2. 2.The web server sends its public key with its certificate.
3. 3.The browser checks that the certificate was issued by a trusted party (usually a trusted root CA),  that  the certificate is still valid and that the certificate is related to the site contacted.
4. 4.The browser then uses the public key, to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted http data.
5. 5.The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and http data.
6. 6.The web server sends back the requested html document and http data encrypted with the symmetric key.
7. 7.The browser decrypts the http data and html document using the symmetric key and displays the information.

Acquiring trial certificates for web development takes a few simple steps.

1. 1.Generate a CSR (Certificate Signing Request) on your web server. In this case since we are going to use it for local development i would be referring to IIS 7.0 in Vista (almost the same as doing this on IIS 5.xx on XP machine) web server throughout this article.

Steps on making a CSR for local IIS Server

Completing your Certificate Request

1. Go to http://instantssl.com and paste the content of your Certificate Request (See the last image on the List)
2. Do not forget to select which server your are using (IIS 5.x, IIS 7.x or Apache).
3. Complete the request by entering in your Personal Info (This will be the information that will appear on your SSL Certificate). They will send the certificate on your email.
4. Once you have the certificate, you are now ready to install this to your local machine for development.

Next Part, Installing the SSL Certificate and Automatically switching between https and http protocol.