Postgresql Database Full Encryption & SSL Certificates | Mohammed Al Saadi | Skillshare


Mohammed Al Saadi, Cyber Security


Lessons in This Class

15 Lessons (2h 60m)
    • 1. 1 Presentation Postgresql Database
    • 2. 2 Precompiled Package Install Postgresql Database
    • 3. 3 Source Code Install from Sudo Postgresql Database
    • 4. 4 Source Code Install From ROOT Postgresql Database
    • 5. 1 Presentation SSL Client Server Connection with Ubuntu Server 18 & Postgresql
    • 6. 2 Openssl
    • 7. 3 ROOT Certificate SSL Client Server Connection with Ubuntu Server 18 & Postgresql
    • 8. 4 Intermediate Certificate SSL Client Server with Ubuntu Server 18 & Postgresql
    • 9. 5 Server Certificate SSL Client Server with Ubuntu Server 18
    • 10. 6 Client Certificate SSL client Server Ubuntu Server 18
    • 11. 7 Client Machine SSL Client Server with Ubuntu Server 18
    • 12. 8 SSL Concept SSL Client Server with Ubuntu Server 18
    • 13. 9 SSL Concept One SSL Client Server with Ubuntu Server 18
    • 14. 10 Custom Config SSL Client Server with Ubuntu Server 18
    • 15. 11 SSL Concept Two SSL Client Server with Ubuntu Server 18

About This Class

Learn how to encrypt an entire PostgreSQL database cluster (not just a few columns) using the data-at-rest encryption technique.

Learn how to create the SSL certificates for server and client (root, intermediate, trust chain, server and client certificates) and how to verify each certificate against the trust-chain certificate.

Configure the server-client connection security correctly from both sides, not just from the server side!

1. 1 Presentation Postgresql Database: This is the presentation video for a new series on the installation of the PostgreSQL server. In video two I will show you how to install PostgreSQL from a precompiled package, where to find that package and how to install it, and how to use the pgcrypto package to encrypt certain columns of any database inside the PostgreSQL cluster. In video three I will show you how to install the PostgreSQL server from a customized source code, and then we will use the latest technique to encrypt the entire cluster of databases in that PostgreSQL server; that video uses the sudo user. In video four we will do the same thing we did in video three, but with the root user, and I will show you the differences. Thank you very much.

2. 2 Precompiled Package Install Postgresql Database: Hello, friends. This is video number one of our new series, the installation of the PostgreSQL database. There are two types of installation: from a precompiled package or from a source package. I will focus mainly on the installation from source code, for reasons I will explain later, but for those of you who wish to install from a precompiled package, I will show you how in this video. There are two ways to install from a precompiled package. The first is the install command shown here, in which you have to mention the version; I am choosing version 10. When you enter it, a package manager takes over. The package manager is used with precompiled packages, and it takes care of the entire installation process.
It also handles any future updates for this package, and it can even remove the package from your system. So once you hit Enter after writing this line, the package manager handles the entire installation and creates a default user by the name of postgres, which you can use later on to create other users and databases. That is the first way to install the PostgreSQL database server on your Ubuntu server. The other way, which gives exactly the same result, is tasksel. As you can see in this list, there are many programs you can install on your Ubuntu Server 18.04; one of them is the PostgreSQL database. If you check this box and hit OK, the package manager starts installing PostgreSQL on your Ubuntu server, and the final result is exactly the same as with the previous line of code: you again get a default user named postgres, and with it and psql you can create other databases. Having explained these two ways of installing the package, let's go deeper into the details. Once the installation is complete, you use the command shown here, systemctl start postgresql.service, which starts the whole instance of the PostgreSQL database; then, as the default postgres user, you can create other databases, tables, whatever you want. Now, why don't I prefer this way, even though it is very easy
and the package manager handles everything for you? Because later on, when you want to encrypt the databases, you will have only one way to do it, which is the pgcrypto package. The pgcrypto package can encrypt and decrypt only one or at most two columns of any database table, so its encryption capabilities are limited; it cannot encrypt the entire database. For some businesses that is not sufficient, or even not possible, because they need to encrypt the entire database. If you go along with the precompiled package and the pgcrypto package, you need to take care of two important points. First, your database must be encryption enabled; otherwise you cannot encrypt or decrypt its columns. Second, the columns you encrypt or decrypt must be of type bytea only. pgcrypto cannot encrypt other column types such as string, object or integer; it encrypts only columns of type bytea. For the first point, making the database encryption enabled, you simply connect as the default user with sudo -u postgres psql, create a new database, change to that database and add this line to it: CREATE EXTENSION pgcrypto. Once you have added the pgcrypto extension to the new database, you have a database that is encryption enabled, and later on your application can encrypt and decrypt its columns, provided those columns are of type bytea. Now, if you have complied with these two things we have just said,
then you have two families of functions you can use for encryption. The first is the PGP encryption functions and the second is the raw encryption functions. The raw type is easier to handle, but it is highly not recommended because it has a lot of problems and it is very weak. PGP is more secure and stronger, but it has more parameters to deal with, so it is not as easy to handle; in general it is more secure, and if you can do it, it is more secure and more recommended than the raw encryption functions. But for those of you who wish to know more about the raw encryption functions, it is a very easy thing. For encryption, this is the form: encrypt(data, key, type), returning a bytea, and for decryption the same: decrypt(data, key, type), also returning a bytea. Here data is the column data that you want to encrypt or decrypt, and key is the user key: you have to select a key, which is used as the secret key, and it must also be bytea, so you have to convert it to bytea. The type is a string that carries three parameters: the algorithm, the mode and the padding. The algorithm is either Blowfish or AES, which is 128-bit, 192-bit or 256-bit. The mode is either CBC or ECB; I believe you have a good, or at least some, idea about the modes of encryption. Then there is the padding, which depends on whether the data is a multiple of eight bytes: either the entire data is encrypted, or some bytes are left unencrypted; I believe you also have some idea about padding. There are two types of padding you can use here: either pkcs or none. Now let's talk about your application.
If you want to encrypt or decrypt any column, you apply this line for encryption or this line for decryption. Suppose you want to insert or update one column: INSERT INTO some_table (column1, column2), where column1 is an integer with the value 1 and column2 is the one you want to encrypt. You use encrypt() with the value you want to encrypt, which has to be bytea, then the key, which you selected and which is also bytea, and then the third parameter, which consists of three parts: the algorithm, the mode and the padding; with AES you write it this way, 'aes-cbc/pad:pkcs'. Of course you can select whichever algorithm, mode or padding you want, but in general this is the way: aes, cbc, slash pad, and you can use the padding. For decryption you select column1 and decrypt(column2, key, type): you add the column you want to decrypt, the key you selected here, which must be bytea, and the same third parameter. This is the general way for the first type of PostgreSQL database installation, from a precompiled package. The package manager handles the entire installation, any update in the future and even the removal of the package from your system. There are two ways, as I showed you, to get the package, and you can install it directly; once the installation is complete, just add this command to start the PostgreSQL instance. Both installation ways give you a default user named postgres, with which you can create other databases and users once you have started your PostgreSQL instance. That's it: you already have a PostgreSQL server to use.
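The column-encryption procedure this lesson describes, written out as an added example (not code from the course): the table, column names, sample card number and key are constructed here, and the raw encrypt()/decrypt() form is placed beside the PGP form the lesson recommends so the difference the lesson warns about is visible.

```sql
-- Added example, not from the course: column-level encryption with pgcrypto.
-- Table, columns, sample data and the key are constructed; in a real
-- application the key comes from the application, never from the database.
CREATE EXTENSION IF NOT EXISTS pgcrypto;      -- makes this database "encryption enabled"

CREATE TABLE card_data (
    card_id  integer PRIMARY KEY,
    pan_raw  bytea,   -- raw encrypt()/decrypt(), shown for comparison only
    pan_pgp  bytea    -- pgp_sym_encrypt(), the family the lesson recommends
);

-- Raw functions: encrypt(data bytea, key bytea, type text) and decrypt(...).
-- type = '<algorithm>-<mode>/pad:<padding>': algorithm bf (Blowfish) or aes,
-- mode cbc or ecb, padding pkcs or none. A 16-byte key selects AES-128,
-- 24 bytes AES-192, 32 bytes AES-256.
INSERT INTO card_data (card_id, pan_raw, pan_pgp)
VALUES (
    1,
    encrypt(convert_to('4111111111111111', 'UTF8'),       -- data must be bytea
            convert_to('0123456789abcdef', 'UTF8'),       -- key must be bytea (16 bytes)
            'aes-cbc/pad:pkcs'),
    pgp_sym_encrypt('4111111111111111',                    -- text in, bytea out
                    'passphrase-held-by-the-application',
                    'cipher-algo=aes256')
);

-- Reading the column back: decrypt() returns bytea, so convert it to text;
-- pgp_sym_decrypt() already returns text.
SELECT card_id,
       convert_from(decrypt(pan_raw,
                            convert_to('0123456789abcdef', 'UTF8'),
                            'aes-cbc/pad:pkcs'), 'UTF8')              AS pan_from_raw,
       pgp_sym_decrypt(pan_pgp, 'passphrase-held-by-the-application') AS pan_from_pgp
FROM card_data;

-- Why the raw form is weak, as the lesson warns: encrypt() uses a fixed all-zero
-- IV, so equal plaintexts under the same key give equal ciphertexts, which lets
-- anyone reading the table spot repeated values. This comparison shows it.
SELECT encrypt('\x41'::bytea, convert_to('0123456789abcdef', 'UTF8'), 'aes-cbc/pad:pkcs')
     = encrypt('\x41'::bytea, convert_to('0123456789abcdef', 'UTF8'), 'aes-cbc/pad:pkcs')
       AS raw_is_deterministic;
-- pgp_sym_encrypt() adds a random salt and a random session key per call, so the
-- same comparison on the PGP form does not hold.
SELECT pgp_sym_encrypt('A', 'p') = pgp_sym_encrypt('A', 'p') AS pgp_is_deterministic;
```

If the raw functions must be used, encrypt_iv()/decrypt_iv() with a fresh random IV per row (for example from gen_random_bytes(16), stored beside the ciphertext) removes the repeated-ciphertext problem.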
As for the encryption, as I have mentioned here, this is the reason why I don't choose the precompiled package: pgcrypto is limited in its encryption capabilities, it can encrypt one or at most two columns of each database. In the next video I will explain how you can install the PostgreSQL package from source code, and in that video I will tell you about the new technique, which is called data-at-rest encryption. With data-at-rest encryption you can encrypt the entire cluster of databases, and there are some other benefits as well. Thank you for watching.

3. 3 Source Code Install from Sudo Postgresql Database: In this installation process from source code we will make use of the new encryption technique called data-at-rest encryption. First some ideas about this installation. When you install from a precompiled package you usually have a package manager, which is responsible for the entire installation process and the configuration; it also updates the package whenever there is an update and can remove the package from your system whenever needed. Data-at-rest encryption, which is also called full PostgreSQL instance encryption: what does it mean and what does it do? The cluster of databases is saved securely on disk in encrypted form, and then we can take blocks of that cluster to work on them. What are the benefits of this technique? First, the full PostgreSQL cluster is encrypted entirely. Remember, with the precompiled package we could encrypt one or at most two columns of each database using the pgcrypto package; here, using data-at-rest encryption, we can encrypt and decrypt the entire cluster of databases, except for two things: the pg_stat_statements extension and the temporary buffers.
The second benefit is that whenever you need to process any data in that cluster, you don't have to decrypt the entire cluster. You just go to where that data is, take that block of data decrypted, process it and make any changes to the data, then send the block back to the cluster; once it is back in the cluster it is encrypted again automatically. Obviously this is a very convenient way in terms of security and time. Now, when you install a PostgreSQL server and start it, usually you get an error prompting you that you need to install a few more packages. So here I am installing those packages up front to avoid getting that error later on. But first let me update my system. OK, the update has been done. Now let's look at these five packages: what are they and what do they do? They contain some tools that make compiling and building the PostgreSQL server easier, tools such as the GCC compiler, which compiles C program code, and such as make. This one is build-essential, which is the collection of tools I told you about, the GCC compiler and the make tool that we will use later on; the others are some other tools, such as psql, which you can get from postgresql-client-common. These packages make compiling and building the server easier, so let's start installing them. As you can see, I have already installed them. Let's clear the screen and keep going. There are two points I want to highlight now. The first is that I will do the installation using two options: number one, we install the customized PostgreSQL package using a sudo user, the current user; the second option is that we use the root user.
I am sure that you have watched video number six of the Ubuntu Server installation in this course, which tells you what a user is, how to add a user to your server, what the sudo user is and what the root user is; all of that is covered in video six of the Ubuntu Server installation in this course. The second point is that in that Ubuntu Server installation I also told you that it is highly recommended not to use the root account, the root user, because it is, you could say, a dangerous account: any mistake when you do a common task on the server as root might corrupt your entire server. So why are we using the root account in option number two? Maybe some of you, for whatever reason, want to use the root account; I am just giving them the way to do it, while still highly advising you to stay away from using the root account. In this video we talk about the first option, the installation using a sudo user, the current user. These are the steps of the installation; I will go through them one by one to explain what each step does, and then we will start the practical installation on the command line. Obviously the first step is that we need to download the customized source code of the PostgreSQL server, which you can find at this link (shown here), and you can download the package from there. Once you have downloaded it, unzip and untar it, and you get a directory by this name, which contains the entire source code of the customized PostgreSQL. Now, before we move on to the next step, which is this step, I need to tell you one thing.
If you proceed directly with the steps, when you reach this step you will get an error saying there is a name conflict in the files of this package. So I will make some changes to the name in one of the files in this package so I can avoid that error later on. The file is this one, copy_fetch.c, which we open with sudo. The error happens because of the name copy_file; what you need to do is add the prefix word shown on screen just before that name, and this happens in four places: this one, this is number two, this is number three, and the last place is this one. Once you have done that, just save the file. By the way, this file is protected, so you need to change its mode and make it 777; then, after you make the changes and save them, you change it back to the mode it had. OK, once we have made these changes to the package, we start the installation process. The first step is this one. The second step is that we need to configure the package; you can use many options and attributes here, but I always use only one, which is the PG port, 5432. By default PostgreSQL uses 5432. OK, configuration done without any errors. Let's do the make step now. This is "world", which also builds the documentation of PostgreSQL; if you want it, use it, and if you don't want the documentation, you can omit it. In my case I will build it. This is a very long step. OK, the documentation and the PostgreSQL server have been successfully made and are ready to install. Now we do the installation step of the PostgreSQL server. As you can see on the last line: PostgreSQL, contrib and documentation installation complete. OK, so now we have finished the installation process. Let's move forward with another step.
We change the directory, and then we need to check one thing, which is these folders. If we see these four folders in the installation directory, that means our installation completed correctly. OK, as you can see these four folders, our installation is done. Let's change directory. Now we need to make a directory by the name of data; the entire cluster of databases will be saved in it, so whatever databases and whatever information this server has will reside in this data directory. The next step is that we need to change the owner of this data directory and make it the current user, so we use the user name of the current user here. Now this user is the owner of all the files as well as of the database service. The next step is that we need to initialize the database in that data directory. OK, now everything is done: we have completed the installation of the PostgreSQL server and initialized the database in the directory named data. Now we can start our server using this command. The server is started. The next step is that we need to create a log file for the current user, and I will show you how to configure the logging in the postgresql.conf file. Logging is very important because you can track every step, whatever happens in the server; if there are any mistakes or errors, you can see them in the log files. OK, we have created the log file. Now we can create a database by whatever name you wish; we use the createdb command and give it whatever name you wish, I'm using test. OK, the database has been created.
Now we can connect to the database using the psql command. OK, we are connected to our database. Let's use \l: here we have two databases, the default database by the name of postgres and our test database which we have just created. Notice that the PostgreSQL databases are now owned by the current user, not by the postgres default user. This is one of the differences between the precompiled package and the customized package: with the precompiled package you see that the postgres default database is owned by the postgres default user; in our case here the postgres default database is owned by our current user, and we have one user, which is the owner of the cluster, the owner of the data directory. Let's \q to get out. If you want to connect to the postgres database, it is the same, as you can see here, and you can check the same things when you connect to postgres; then \q. Now the next step of the installation process, which is the final step, is this step. Why do we need it? If you don't do this step, later on when you start running the databases you will get an error that says "error while loading shared libraries". What does that mean? Usually when you install a new package on your system, this new package has shared libraries; these shared libraries have to be shared with the system, and the system should know about them and use them. So you need to do this step so that you don't get that error later on when using the database. Remember, if you get this error, "error while loading shared libraries", it means you have missed doing this step. OK, now, as for the installation, it's all done; making the databases and everything is done.
Now we need to do a few things in the postgresql.conf file and the pg_hba.conf file, and I'll show you a few things that are important. The first thing is that you need to see the directory where this file, the server configuration file, is located. This one, postgresql.conf, is the server configuration file. As you can see, in the precompiled package the location is entirely different; it comes under /etc, I believe, but here with the customized package it comes under this location. This is the server configuration file. One of the things we need to pay attention to is that we need to make this server listen to IP addresses, whether IPv4 or IPv6. By default it is set to listen only to localhost, so we will change this. You have two options: either you use the star, which accepts all IP addresses from anywhere, which is kind of not recommended; or this way, which I prefer, 0.0.0.0, which accepts all IPv4 addresses. Still, it's up to you, whichever you prefer. Then you have to uncomment the port, because PostgreSQL uses 5432, and the superuser connections line. Once you have done these three things, Ctrl+X, Y, Enter. Then you go to the second file, which is pg_hba.conf; this is the client authentication file. Whenever the server wants to authenticate any client that wants to connect to it, it goes to this file. So let's try adding one client; I want to show you one thing. host means this client is a TCP/IP client, a remote TCP/IP client. Here we add the databases that this client connects to, let's say my_db. Here is the user that connects, +user1; if you add the plus sign, that means this is a group of users. Then you add the IP address, which is 0.0.0.0: this is IPv4, it accepts from any IPv4 address,
and this is the CIDR mask, which you have to set to 0. In this case this host line accepts any connection coming from an IPv4 address. The last thing is the method, the method of authentication, usually password. As per the PostgreSQL documentation, they recommend that you use scram-sha-256; this is the preferred way, and the way recommended by the PostgreSQL manuals. If you use a precompiled package, you have to use this one instead of using md5: md5 belongs to the previous PostgreSQL, while scram-sha-256 is stronger, a more secure way, so PostgreSQL recommends using scram-sha-256. But I have noticed that when I use this customized source code I get some errors and exceptions when using scram-sha-256, for a reason I don't know. So in this case I advise you, when you install from the customized source code, to stick with md5 and you will get no errors; but if you use a precompiled package, you can go for scram-sha-256. OK, now Ctrl+X, Y. Now let's restart our server so the changes we made to the server configuration file and the client authentication file take effect. Now let's check our connection. OK, we are good to go. Ctrl+L again. We are good to go and have no connection issues. These are the main things about the installation of the PostgreSQL server from a customized source code, to get an entirely encrypted cluster. Remember, at this stage we have a cluster of databases that is entirely encrypted; all of it is encrypted. There is no more one column or two columns of any database being encrypted and decrypted; now the entire cluster that belongs to this user, the cluster that contains just this test database, or whichever databases you want to create,
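The postgresql.conf and pg_hba.conf changes this lesson makes, as an added example rather than the course's own commands: the settings are applied from psql with ALTER SYSTEM (which writes postgresql.auto.conf in the data directory and overrides postgresql.conf) instead of nano, and it also includes the logging settings the lesson covers later. The database name, role name and rotation size are assumptions; pg_hba_file_rules needs PostgreSQL 10 or newer.

```sql
-- Added example, not from the course. Run in psql as the cluster owner.

-- Network settings. The lesson prefers 0.0.0.0 (IPv4 only) over '*';
-- both listen_addresses and port take effect only after a server restart.
ALTER SYSTEM SET listen_addresses = '0.0.0.0';
ALTER SYSTEM SET port = 5432;

-- "ERROR REPORTING AND LOGGING": collector on, files under <data dir>/pg_log,
-- one file per day, previous file of the same name truncated on rotation.
ALTER SYSTEM SET logging_collector = on;          -- restart required
ALTER SYSTEM SET log_directory = 'pg_log';        -- relative to the data directory
ALTER SYSTEM SET log_truncate_on_rotation = on;
ALTER SYSTEM SET log_rotation_age = '1d';
ALTER SYSTEM SET log_rotation_size = '10MB';      -- assumed size

-- pg_hba.conf cannot be edited from SQL. Add the line the lesson describes to
-- <data dir>/pg_hba.conf (md5 only where the lesson reports scram-sha-256
-- errors on the customized build; scram-sha-256 otherwise):
--   host    my_db    +user1    0.0.0.0/0    md5
-- A reload is enough for pg_hba.conf changes:
SELECT pg_reload_conf();

-- Check what the server actually parsed: a non-null error column means the
-- line was rejected and clients matching it will be refused, not accepted.
SELECT line_number, type, database, user_name, address, netmask, auth_method, error
FROM pg_hba_file_rules;

-- Settings that are still waiting for a restart (listen_addresses, port,
-- logging_collector will appear here until the server is restarted).
SELECT name, setting, pending_restart
FROM pg_settings
WHERE pending_restart;
```

A pg_hba.conf rule with 0.0.0.0/0 accepts connection attempts from any IPv4 address, so pair it with a firewall rule on port 5432 and, as the SSL series of this class shows, with client certificates or hostssl rules before exposing the port.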
Later on, all this cluster will be encrypted and owned by this user. And whenever you want to use apart off this data in that cluster, you just get a block off it decrypted, make any changes to the debt and send it back to the colossal rent will be encrypted automatically. So this is the benefits off using the data, Tristen. Corruption method. Some other details I wish to tell you about Is that when you need to Ah, no. The status off your server if it's working or not. You can use this with this command only if it's up and running or it is offline. No, there is Coat this coat. No, for this killed. If you are not very qualified that I base and operating systems guy. Then don't do this coat because it might corrupt your entire database. And not only that, it might have corrupt your entire system. So don't approach to this coat unless you are very qualified person. Know what you are doing so you have to do it on your own risk This code What could do this coat? Start the server at the device starting usually when any. I want to Ah, make the system start to use this commence. But in this case, if we want to make the server, Poskus killed server start whenever the device start. Then we can go for this coat again. You have to be very qualified. And you have to do it on your own risk. Because there is any mistake. Your database, your operating system will be corrupted. Okay, now, having said that Ah, well, okay. And the final thing I want to show you is that as I told him for how you can set up the look files, the local is very important in terms off tracking. What events happened with your ah savour and also tracking what errors happens with your silver so you can debug them. And the way to do that is that you go back again to the your Poskus kill, file this file and you go all the way down error reporting and looking here. So you need to comment this line and also you change this value to on. 
And here this is the directory where you will save all your files off the logging files in this directory. You can find it when you go to the data directory. If you enter to the data directory, you will find a director by this name off Older by this name PG. Look, in this folder you will find these files these files set by the date off the creation. And you can track whatever events happen with your server and whatever errors. And you also said the mode and the look. This is up Totally. If you wish to do what you can do, it can make it on. And the rotation is This will delete the previous logs everyone single day and, uh, can take whatever size for this. Ah, creation for this look files. And that's it. Once you have done this, you can control X Yes, enter and then you need to restart your Oh, maybe you don't need even though to restart. I think now, if you go to your 15 user local PGS kill on the data directory here. You will see later on when you do the first transaction or first usage first errors that will happen. You'll see Ah, folder by the name PG. Look in that folder you will find the files off the logging off. Any all the events that goes in with the server. Okay. And that will be the end off district deal. I thank you very much for watching. And in the next video, as I told you, you will see how you can do this option. Thank you very much. 4. 4 Source Code Install From ROOT Postgresql Database: Hello friends. And this video will do the installation of the customers Poskus care package from source code using the root user. And I told there's no much differences in the when we use the root user. Andi, I'll show you what are the differences? The first thing is you need to enter as a route and the way to do that issue do s you you enter the password now as you can see that you are as a route and this is the name of the server. You change that and that's it. You can start following the same procedures in here except that one thing. 
Since you are a route now, since you are a route, then you don't need to use the suit. Do government? You don't have to use this CD because this year used with the suit the user and now you are a root root can do anything in the server. That's why it is a very dangerous account because any mistake when you do any task on the server, it might corrupt. If you do it wrong, it might corrupt your entire Posca skill. Sever. So there's no need afternoon from now. to use their pseudo commend. You just follow, download, create the directory, change it and follow all these steps, and the user as well is, will be a route and started server and every other step almost identical. That's the only one thing difference when you use the root user. Thank you very much for watching. 5. 1 Presentation SSL Client Server Connection with Ubuntu Server 18 & Postgresql : Hello, friends. This is a presentation video for new Serious the SSL client said connection and this serious, which consists 10 active videos starting with this video presentation video. The video between is an important one Big which will be configured the open SSL, Dorsey and a file most of the cult irrigation configurations that we will use later on in creating this as a cell client server connection, The number three in this video will create the root certificates. Now you will learn how to create the rupkey. How you create the root certificates. What are the conditions that you need to meet when you create the roof certificate and then we will move to the video number four. Well, we create our intermediate certificates, this intermediate certificate that we will create from the root certificates. This is the one that we will use later on to create all the remaining certificates. Now, once we could get the intermediate certificates, we need to how we can check it and out indicated that it was created from the certificate. 
Once we have done that, we need to create the chain of trust, which is the root certificate concatenated with the intermediate certificate. Then we will move to the server certificate, which we will create from the intermediate certificate, and again we will have to authenticate it with the chain of trust. Then the client certificate, which we will also create from the intermediate certificate, and we will also authenticate it against the chain of trust and see how we verify this. Then we will move to the client machine, the user's machine. We will move the client certificate along with the intermediate certificate to the client machine, and see how to install them there to create our connection with the server, and which type of server certificate we need in this case: for the server certificate we can make either a self-signed certificate or a certificate from a global certificate authority. Which one we need in reality, in the practical world and over the Internet, we will discuss as well. Then we will discuss a very important issue. There are two types of people: people who configure the server certificate, who configure the server security side, and who don't configure the client side. Does PostgreSQL consider this secure? Is it secure if we just configure the server side? We will see this in that video, and then we will see how we can make a truly, fully secure SSL connection between the client and the server, based on the PostgreSQL recommendations. And then we will apply this fully secure SSL in our application, or in your application. This is the entire series that we will talk about: the SSL client-server configuration.
I appreciate your registration for this series, I thank you so much in advance, and I hope you have a useful time in your career using this series. Thank you very much.

6. 2 Openssl

Hello friends. This is video number one of our series, the SSL client-server connection. In this video we will configure the openssl.cnf file. It's very important that you configure this file before you create your root certificate. Now, before we start the configuration of that file, I need to draw your attention to the fact that we will do this configuration using the sudo user; we will not go and use the root account, the root user. As I said before, it's highly not recommended that you use the root account to do any common task on your server. So in my case I'm using the sudo user. Having said that, let's go and start the configuration of the openssl.cnf file. The first thing is that we need to change the directory. Now, the name of the file is openssl.cnf. Enter your password. Okay, now there is one section of that file which is very important, which is this section, CA_default, from the beginning to the end of it. We will work on this section only. In this section we will start giving information about the root certificate, the server certificate, the client certificate and the intermediate certificate. We will not create them now; we will just give some information about these certificates. The first thing is the directory. Now, as you can see here, I'm choosing /etc/ssl. It's totally up to you to select whichever directory you wish to save all these certificates that we will create in. Here we will not change anything. Here I selected the root certificate name; I selected this name, root cert. It's totally up to you to select whichever name is suitable for you. Here we just add this crl folder. Later on, the root key:
I gave it this name, root key; it's totally up to you to select a suitable name for the root key. Now here is an important issue: the x509_extensions. Each certificate that we will create later has its own extension. So for the root certificate we will use this extension; later on in this section I will show you the extension for each certificate and what its name is. For the root certificate we will use v3_ca. The default hashing, which we set at this line, is sha256. We proceed with this file, and nothing changes in here, until we reach usr_cert. This usr_cert is the extension that we will use to create the client certificate. Here, this line was commented by default; I uncommented these two lines, which are available by default, and I have added these two lines. Okay, as you can see, this is v3_req, the certificate request, which we will not do anything with. Here we have reached v3_ca, the details for the root certificate; this is its extension. I have only changed, only altered, this line: the keyUsage. I added critical and digitalSignature. But there is a really important point I want to draw your attention to. You see this basicConstraints? It says CA:true. What does that mean? If it is true, that means this certificate can sign and trust other certificates. This is a root certificate, which means it can sign and trust other certificates; that's why the CA is true. If you remember, in the client certificate here, which is this one, the client certificate, the CA is false, because the client certificate cannot sign and trust other certificates; only the root certificate, this one, and the intermediate certificate can. Okay, now once we have changed this root certificate, only this line, where we added critical and digitalSignature, we proceed. Now, here, these three things are not available by default; we have to add them.
The first one is v3_intermediate_ca. This is the extension that we will use to create the intermediate certificate. server_cert is the extension to create the server certificate, and then the ocsp, which is not that much important. You add all these lines in here. Again, notice that for the intermediate certificate the CA is true, because it can sign and trust other certificates. This is the server certificate; all these lines you have to add. Notice that the CA here is false, because the server certificate cannot sign and trust other certificates. Okay, once you have done all these lines, this section has ended here, so you can save it. As for the OCSP: OCSP is a replacement; it's called the Online Certificate Status Protocol, and it's a replacement for the CRL, the certificate revocation list. The certificate revocation list protocol had some problems, so they created this new protocol to replace the CRL. You can add it all in here. Now, once you have done all these changes in this section, you press Ctrl+X and save the file. Now that we have completed this configuration of the openssl.cnf file, in the next video we will start creating the root certificate. Thank you very much.

7. 3 ROOT Certificate SSL Client Server Connection with Ubuntu Server 18 & Postgresql

Hello, friends. This is video number three of our series, SSL client-server connection, and in this video we will talk about the root certificate. Let's first understand what the object of the root certificate is. The only purpose of the root certificate is to create one or more intermediate certificates. These intermediate certificates are signed and trusted by the root certificate, and they will sign and trust other certificates on behalf of the root certificate. Now, why would we do this in multiple steps? This is the best way to protect your root key.
Now, protecting the root key and the root certificate: we just use them once, to create the intermediate key. After that, the root key will not show up at all. It will be offline; it will be saved in a very safe place, because if the root certificate is compromised, whatever certificate you have made with this root key, every certificate afterward, will all be compromised. So it's paramount that you keep your root key in a very safe place once you have created it. Even at the time of creating the root certificate, the environment where you create the root key is very important. The device where you create this root key should be completely isolated: you should disconnect it from the Wi-Fi and disconnect the LAN cable from the device. If there is a LAN cable, you can unplug it; you can plug the LAN socket on the device with something and close it. The system you are using, like in my case Ubuntu Server, should be encrypted with LVM encryption. There are many steps you should take to make sure that when you create the root key, it will be entirely protected and no one can access it. Once you have created it, you create the intermediate certificate; then you have to take it out and save it in a very safe place, like on a thumb drive or wherever is suitable. Now, having said that, let's start creating the root certificate. The first thing is that we need to change to our main directory. Remember, we are using a sudo user, which means the sudo command. Let's create a few directories and files that we need and that we will use later on. Let's create one file with touch. This file will keep track of each and every certificate. Now we need to make an entry in this file. Okay, now another file we need to create, by the name of serial. Each certificate we create, we will give a serial number.
We will save all these serial numbers in one file that is called serial. So let's create it. This is the number I chose for the first certificate; you can choose whatever number is suitable for you. Okay, now we have created the folders and the files that we need for our work later on. Let's jump in and start creating the root certificate. The first thing we need to create, of course, is the root key. I'm using the AES-256 algorithm, I'm saving the key in the private folder, and I'm using 4096 bits for the key. This is the command to create your root key. Give it a strong passphrase and confirm it. Now your root key has been created. Now you limit the access to this root key only to root, and the way to do that is chmod 400 on the root key in the private folder. Okay. Now some people use 600, which means root can read and write. I prefer 400, which means root can only read. It's totally up to you. Okay, now the next step is that we take a look at how our private key looks. So if you do less on the root key in the private folder, this is your root key. As you can see, this is a very long one, because we're using 4096 bits. The next step is that we create our root certificate, and the way to do that is sudo openssl req -config (I will let you know about this flag in a minute) openssl.cnf, -key with the key that we have just created, then -new -x509, the hashing -sha256, and the -extensions, which is a very important one: v3_ca. Remember, in the previous video I said that for each certificate we will use a particular extension; for the root certificate we will use this extension, v3_ca. And finally the output file, which we will put in the certs folder under the name root cert with the .crt extension, and we will give it a period of 10 years,
let's say 3650 days. This is the command with which you can create your root certificate. Now, why did we use this flag, -config? If you don't use this flag when you create the root certificate, you will get the default configuration that is available in here. But if you use -config, you can give your own configuration; you can adjust it to whatever you wish, and the default configuration in this file will not be used. I'm just showing you how you can use an altered configuration rather than the default one which is available in this file. So this is the key, your key, and these are -x509 for the certificate, -sha256 for the hashing, and the extensions and the file. Let's create our certificate. Enter the passphrase. Now you have to enter the details of your root certificate; it is your details that you should enter now. Here we come to the common name, which is an important issue: either use your server's fully qualified domain name or your name. If it's a client certificate, then you use your name. If it's a server certificate or root certificate, use a fully qualified domain name. How can you create the fully qualified domain name? You open another terminal and do sudo nano /etc/hosts, then enter your password. Okay, now here you can see your server name, your host name. Here you need to enter the fully qualified domain name of your server, your website, whatever is registered in your name for your entity. In my case, I will show you that I have one fully qualified domain name which is registered for me. Okay, once you have entered this FQDN you can save it and close it, then close this line. And now you enter your fully qualified domain name in here, then your email. That's it.
Your root certificate is done. The next thing you need to do is limit access to this root certificate with chmod; make it 444, or whichever you wish, on the root certificate file in the certs folder. Once you have limited the access to this root certificate, let's take a look at it so we can see how the root certificate looks: sudo openssl x509 -noout -text -in on the root certificate file in the certs folder. Okay, let's see what the basic things are that we need to notice when we look at a root certificate. The first thing is the issuer; this is the CA in this case, and the common name belongs to this entity. The issuer is this entity, and the subject is to whom this certificate has been issued. In our case, of course, it's the same entity. But if you use the intermediate later on, here it will be the intermediate issuer, and here it will be another person, another entity, the one whose certificate you are signing and trusting. The other thing is the algorithm; as you can see, it's 4096 bit. But here there is one important thing for the root certificate: you see CA:TRUE. If you see CA:TRUE, that means your root certificate can sign and trust other certificates. You have to make sure that you get CA:TRUE. Once this is done, that means you already have a root certificate that can sign and trust the intermediate certificate. One thing before we finish this video is to remind you again that once you have done this, you need to remove your root key. Move it to a thumb drive, move it to an external hard drive, whatever, to a place where no one can access it. Absolutely no one except you, and no one should even know where you have put that root key. Remember, if the root key is compromised, every certificate that you have made with this root key is compromised as well. So be careful.
In the next video we will create the intermediate certificate. Thank you very much for watching.

8. 4 Intermediate Certificate SSL Client Server with Ubuntu Server 18 & Postgresql

In this video we will talk about the creation of the intermediate certificate. Do you remember, from the previous video, we said that the intermediate certificate is a certificate that signs and trusts other certificates on behalf of the root certificate. This is the main objective of the intermediate certificate. Having said that, let's start doing the intermediate certificate. The first thing we need to know is that we need to create an openssl.cnf file that fits the intermediate certificate. The easiest way is that we copy the root certificate's openssl.cnf file; we copy it here, then we open it and make some changes to it. These changes will fit the use of the intermediate certificate. So let's start doing this. The first thing is that we need to change the directory. The next thing is that we need to copy the openssl.cnf to the intermediate directory. Okay, it has been copied. Now let's open this file and start making some changes to fit the intermediate. Open it with sudo; the changes are very few, and they will be here at this section, CA_default. The first thing is the directory. As you see here, for the root certificate this is the directory; now for the intermediate certificate we will create an intermediate directory. The rest remains the same here. Now, here, where it was the root certificate, we will make it the intermediate certificate: intermediate cert. One thing to notice, and I advise people to do it: don't use the .pem extension; use the .crt extension. The reason is, when you move this intermediate certificate to your client machine, to your user machine, if the client machine uses the Windows operating system, Windows in general doesn't like the .pem extension and doesn't even use it.
Windows prefers the .crt extension. So it's better from this stage that you create the certificate with the .crt extension. Now here we will make it intermediate crl. The root key we will make intermediate key. And the other thing is here: we will make it the intermediate extension, because that will fit the intermediate certificate. That's it; these are the changes. Now we save them. The next step is that we need to create a few directories. So let's change to the intermediate directory. Okay, so mkdir certs, the certificates directory, csr, the request directory, newcerts and private. Okay, these are the directories that we need to create. We need to create the other files: the index.txt file, the serial file, and the crl file. So for index.txt: chmod 700 index.txt, and finally echo 1000 into the index file. Okay, I believe it should be 777. Okay, now we need to create the serial file, so echo 1000 into the serial file. We need to create another file by the name crlnumber. These are the certificate revocation list numbers. Whenever you revoke a certificate, which typically means that it expires, this is a revoked certificate, so you also need to keep track of these revoked certificates and you give them a number. Okay, now done. These are the directories and the files that we need. Let's go back to our main directory. Now, the first thing we need to create when we want to create the intermediate certificate, obviously, is the intermediate key, and the way to do that is genrsa -aes256; again, I'm using this algorithm, and you are free to use whatever algorithm. The output file will be in the intermediate directory, private, intermediate key, and we use 4096 bits for the key. This is the way to create the intermediate key. Okay, you make a strong passphrase and confirm it. Now you have the intermediate key ready for use.
Now, the next step is that you limit access to this intermediate key only to root. Obviously, as you might know, you do sudo chmod 400 on intermediate/private, the intermediate key .pem. Okay, done; we have limited access to the key. From here we will start to create a certificate signing request. Now, this certificate signing request will have a new thing: it will have the name of the entity that you want to sign and trust using your intermediate certificate. The common name here will be different, since the intermediate certificate signs other certificates. Let me show you the way to do it. Let's create the CSR file: openssl req with the -config flag; now we use the intermediate openssl.cnf. Notice that when you make the intermediate certificate you need to use the configuration that is available in that file, not in the root certificate's openssl.cnf. Then -sha256, the key that we have generated, and the output file will again be in the intermediate csr folder (certificate signing request): intermediate .csr.pem. So this is the middle step: you need to create a certificate signing request, which will be like this command, openssl req -config. Here you have to pay attention that you need to use the configuration of the intermediate file, not the root file, so you have to give the right location. Then the key you use, which we have just created, and the output will be in this csr directory. Okay, enter the passphrase of the key, and enter your details. In this case I'm entering, by the way, the same details, since this is just for tutorial purposes, but in your case you need to enter here the details of the entity whose certificate you are signing. Remember that you need to enter the entity's details here: the IT division, the fully qualified domain name, or the name. Now you are signing for another entity, so you need to enter that entity.
But in my case I will enter the same common name, for tutorial purposes, but you have to be careful here. So www dot my domain, and the same email. Skip these three things. Now you have the certificate signing request. The next step is that we create the intermediate certificate, and the way to do that is like this (sorry, I had to drink some water): openssl x509 -req, the -extfile extension file, which will be the intermediate openssl.cnf, and the -extensions; remember, here the extension will be v3_intermediate_ca, since we are making an intermediate certificate, so we need this extension. Then the next step is we use the certificate that we have created previously, the root certificate, which I believe is in the certs folder, the root cert .crt, with -CA. Then we use the root key as well, -CAkey, which I believe was in the private folder, the root key .pem. Then -CAcreateserial, and we give it a period. Now, usually the intermediate certificate's period should be less than the period of the root certificate, and for the root certificate we selected 10 years. Let's say that for the intermediate certificate we select five years, which is supposed to be 1825 days. Now the input file here will be the intermediate csr, the certificate signing request, intermediate .csr.pem, and the output file will be the intermediate certificate. Let's go through this command step by step. The first thing you need to do is sudo openssl x509 -req, because this is a request for a certificate, then the extension file, which will be the openssl.cnf file of the intermediate certificate, and the extensions; here you need to be careful: it is v3_intermediate_ca. Here, as you remember, the CA will be true, because this can be used as a certificate authority.
And we have to sign this intermediate certificate with the root certificate that we have created already, using our key, that is the root key. And we use -CAcreateserial, and we give it days, which is less than the root certificate; it's up to you to decide. In my case, I chose half of the root certificate's period. Then you take the certificate signing request that we have just created here, and you output it to this intermediate certificate .crt. This is the entire process. Now let's do it. Enter the passphrase of the key. Now you have the certificate signing request, and you have the intermediate certificate. The next thing to do is that we need to limit the access to this certificate, as you know from before: chmod on intermediate/certs, the intermediate .crt. Okay, let's take a look at this intermediate certificate, how it looks. So you do openssl x509 -noout -text, and the input file is the intermediate certificate. Okay, this is our intermediate certificate. Let's take a look and see what the distinguishing things are. The first thing is the issuer. The issuer is ours: this is the owner of this intermediate, and it will be issued to another party. Remember, I used the same one because it's for tutorial purposes, but in your case you have to add the entity which you want to sign and trust. The rest is the same; the key is the same, 4096. Here is again another important thing: the CA of the intermediate certificate should be true, because we will use this intermediate certificate to sign and trust other certificates. So the CA should be true in this case. Okay, now we have reached this stage. When any application, like a web browser or other, tries to verify a certificate signed by the intermediate CA, it must also verify that this intermediate certificate has been signed against the root certificate.
So when the browser gets to this intermediate certificate, it also needs to check that this intermediate certificate has been signed and trusted by the root certificate. The way to do that is that we make a chain of trust. What does it mean? We concatenate the root certificate with the intermediate certificate together in a file, and we present it to the web browser. In this case, the web browser will check that this root certificate is already registered with the browser, so it will trust this intermediate certificate. This is the operation. Web browsers, or Java in general, have the root certificates of all nations, of thousands of certificate providers; they're all registered in there. So when you concatenate your root certificate with the intermediate certificate and present it, the browser realizes that this root certificate is authenticated, and therefore the intermediate certificate is also authenticated. This is the process. How can we verify that this intermediate certificate has been signed and trusted by the root certificate? To do that, you do openssl verify -CAfile, the CA file, which is the root certificate .crt, and we verify the intermediate certificate against it. So we will verify this intermediate against the root certificate; if the verification is done, if we get an OK result, that means the verification is correct and this intermediate certificate has indeed been certified, signed and trusted by this root certificate. So let's check in our case. Okay, you see, we have got OK. That means everything is correct: this intermediate certificate has been signed and trusted by this root certificate. Okay, now we need to concatenate the root certificate with the intermediate certificate to create the chain of trust certificate. In the course of doing this, I got an error, and I will show you that error.
So maybe it will be useful to you. Now let's do it: cat intermediate/certs/intermediate .crt, concatenate it with the root cert .crt, and output it to a file. The file name is up to you; you can choose whatever name. I chose root chain .crt. Now, if you do it this way, you might get permission denied; most likely you will get permission denied. So how can you do that? It's better, before you do this, to run sudo -s before you write any of this. You just write sudo -s, then enter your user password, then you write this line. You get my point: if you directly write this line of code, you'll get permission denied. So better, before you write this line, you write sudo -s, enter your user password, and then you write this line of code. As you can see, now we have created our root chain of trust certificate. Now, the next step is that we change the ownership of this certificate, and the way to do that is very easy, as you know: 444 on intermediate, the root chain .crt. Very well. Now, if you want to take a look at this, I don't think you'll refuse to look. But this is the end of the creation of the intermediate certificate. We created the intermediate key, the intermediate certificate signing request, then the intermediate certificate. Then we verified this intermediate certificate against the root certificate; once the verification succeeded, we concatenated them with each other. This new root chain certificate will be presented to the server, or to any web browser, to make sure that this intermediate certificate is authenticated. Now, this is the end of this video. In the next video we will talk about the server certificate. Thank you for watching.

9. 5 Server Certificate SSL Client Server with Ubuntu Server 18

The steps are almost identical to when we created the intermediate certificate, except for one thing. After creating the CSR, the certificate signing request, of the server, we have two options. Number one: if you are using a local server, or a server for testing purposes, then we can self-sign this certificate if we want. Option number two: if we want to use our server over the Internet, then we have to submit this server CSR, the server certificate signing request, to a global certificate authority. They will sign it and trust it and send it back to us. This is the only difference between the two cases; otherwise the steps are almost identical in both cases. So let's dive in and start creating the server certificate. The first thing we need to do is create the server key. But first of all, let's change directory, and as usual, to create the key: openssl genrsa -aes256, and this is our algorithm; you are free to use whichever algorithm is suitable for your case. The output file we will save in the private folder with the name server key .pem; you are free to use whichever name is suitable for your needs. Then we use 2048 bits for the key. Now you can use 4096 bits for the key strength, but it's not recommended to use 4096 in the case of the server, because that would cause an overload on the server performance, especially if your server hardware is low-end, because encrypting and decrypting will cause an overload on your server performance. So 2048 is a good choice that will handle both the security from one side and the performance of the server from the other side. Okay, we give it a passphrase and confirm it. Okay, now we have the key. Let's limit access to this key only to root; I'll give it 600.
Okay, now only root can read and write this private server key. Now we will start creating the certificate signing request from our server key. There is another point we need to know: the fully qualified domain name of your server, when you want it signed and trusted by an intermediate certificate, should be different, because, as we stated, the purpose of the intermediate certificate is to sign and trust other certificates, other server certificates or client certificates. So in this case the server is a unique entity; it's a different, let's say, company or organization. So the fully qualified domain name has to be different from the intermediate's fully qualified domain name. In case you want to create a client certificate, you don't need to use a fully qualified domain name; you can use only an email or a name. So there is no server in this case for the client certificate; you just need the common name, and for the common name you use an email or a name. So, in brief, for the common name: if you want a server certificate, you have to use the fully qualified domain name of your server or your company, which is different from the intermediate certificate's fully qualified domain name. If you want to create a client certificate, in this case the common name has to be either an email or a person's name. Having said that, let's create the CSR request for the server, and the way to do that is sudo openssl req -config, don't forget the intermediate openssl.cnf, then -key, which is our key, the server key, -new to get a new certificate, and the hashing, and then the output file will be in the intermediate csr directory: server .csr.pem. Okay, let's see what you can see: the openssl req.
We are using -config here, as I may have mentioned to you before: if you want to use a specialized configuration that is not available in the basic configuration we have made here, then you can use this -config option, and you can add whichever different attributes you like in here, different from whatever you have made originally in this file. And then we can create this CSR. Enter the server password. Now we need to enter our server details. Remember, the server is a private entity; it's a different entity from the intermediate, so the details should be different. Again, for simplicity, I'm using almost the same details, changing only a few things: country name, I'm changing a few things only, just for simplicity. But you have to be careful that your server's identification details could be completely different; it's whatever your entity's details are. So the company name, let's say your company name, and the unit, IT division. Here, the common name: it should be the common name of your entity, of your company. In this case, this is the server, and we need to use a company name or organization fully qualified domain name. Let's say, supposedly, yourcompanyname.net, for instance. Then the email, for the company. Now skip these three extra things. Now we have a server certificate signing request for our server. Here come our two options. If we have a server that is for testing purposes, or a local server, then you could carry on and self-sign it. Otherwise we take this CSR, this CSR file, and we submit it to a global certificate authority, of which many are available over the Internet. You pay them some amount, get their signature and trust for your certificate for some certain period, one year or two years, and then you can follow up with what we will do later in this video. In our case, we will go for self-signing. So let's see this CSR, how it looks.
This is the CSR of your server, our server, whichever server you are applying for. You just copy it from top to bottom, from here to here, and submit it to a global certificate authority. They will sign it and trust it and they will send back to you a server certificate. In that case, you will get a server certificate signed and trusted by a global certificate authority. In our case, we will use self-signing. To self-sign, we have to go this way: sudo openssl x509; this is the format in which the certificate will be written. Then -req, the new request, and -extfile, the extensions file, which works with all the basic configurations we have made, which is intermediate/openssl.cnf; this is our basic configuration. And then -extensions. This is an important thing; remember, we will use in this case server_cert, because this is a server certificate, so we need to use this extension, server_cert. Let's set -days, for how long this certificate is valid; usually we take 375, a few days extra. Then we will use the intermediate certificate to sign and trust this server certificate; remember that the only job of the intermediate certificate is to sign and trust other certificates, in this case, in our case, the server certificate. And then we use -CAkey with the intermediate key, and -CAcreateserial: this will create a serial number for this certificate and save it in the file that we have created earlier, if you remember the serial file. And then the input, -in, which is the CSR that we have created, and the output file, -out; we will save it as server.cert.pem. Okay, let's go one by one. First of all we use sudo because it's a sudo user, then openssl. This is the way the certificate will be written; this is one of the formats in which the data will be handled and saved in a certain form.
Then -req for the certificate, -extfile, the basic configuration we have made in this file, and then -extensions; in this case we use the server extension, and we give it a period of a little over one year. And then we will use the intermediate certificate to certify, to sign and certify this server key, the server certificate; we use the intermediate key as well. And then we create a serial number for this certificate and save it in the serial file, and then the input file, which is the CSR, the server CSR, and we output it to this place. Okay, enter the passphrase of the intermediate key for the server key. That's it; we have created a self-signed server certificate. Okay, now we need to check this server certificate and see what the details are, so sudo openssl x509 -noout -text, and the input file is intermediate/certs/server.cert.pem. Okay, let's take a look over here. You see the serial number. Of course, this is the issuer; remember the issuer, in our case it was this one, the intermediate certificate, the common name of the intermediate certificate. And here we have this intermediate certificate; we signed it to a subject, and the subject is the entity that wanted your intermediate certificate to sign and certify it. This entity, in this case, is the common name; as you remember, we entered your company name, for instance, because this is a server: you need a company name or organization fully qualified domain name. We used 2048 bits. We need to take a look at the CA flag: here it is FALSE. It should be FALSE because this is a certificate of a server; a server doesn't sign or trust any other certificates. So everything looks fine here. Okay, now we start verifying that the server certificate has been authenticated by the chain-of-trust certificate that we have previously created.
The way to do that is: sudo openssl verify -CAfile, pointing at the chain-of-trust certificate file in intermediate/certs, and then intermediate/certs/server.cert.pem. Remember, if we get an OK as a result, then that means the server certificate has been authenticated by the chain of trust certificates. We got the OK, so everything is OK. Now the next step is that we disallow the group or anyone else from accessing this certificate except for root. And obviously, you know this. Okay, we have now got our server certificate, a self-signed server certificate, and we have verified it against the chain of trust certificates. Now remember, this is a self-signed certificate, so we cannot use it over the Internet; it has to be trusted and signed by a certificate authority, a global certificate authority. But this self-signed certificate is okay for a local server, or for a server that is used for testing purposes. Okay, this is the way we can create a server certificate. In the next video, we'll see how we can create a client certificate. Thank you very much.

10. 6 Client Certificate SSL client Server Ubuntu Server 18: Hello, friends. This is video number six of our series, SSL client server connection, and this video will talk about the client certificate. Each client machine requires three files: the client certificate, the client key, and the intermediate certificate. These three files have to be copied to each and every client machine, so that a connection can be made between the client machine and the server. Let's start creating these two files, the client certificate and the client key. The first thing you need to do, as you know, is the client key. We save it in the file intermediate/private, and give it a name, postgresql.key.pem, and we use 2048 bits as before for the encryption. Okay, give it a passphrase, a strong one. The client key has been created. Now we need to create the client
CSR file, the certificate signing request, as we go: sudo openssl req -config intermediate/openssl.cnf, and we use the key we have just created; then the output file will be intermediate/csr/postgresql.csr.pem. This is the certificate signing request of the client certificate. Enter the passphrase. Now we need to add the details of the user; of course, it's your own user, so you need to add the user's details. And when you reach the common name, in this case you will not enter a fully qualified domain name; no, you'll enter either an individual's name, or an email address, or, let's say, an organization name. So there will be no fully qualified domain name: a regular name, an email, or an organization name. In my case, again, and sorry for that, I'm using the same details: the organization name, the unit is IT, and for the email, suppose we use the company's gmail address. Okay, skip these three things. Now the certificate signing request for the client certificate is ready. Now this CSR, normally we can sign it with our intermediate certificate, meaning it is self-signed, which is normal for the client certificate, and there's no need to get a global certificate authority. The way to get the client certificate is: sudo openssl x509 -req -extfile intermediate/openssl.cnf -extensions; here we need to use the extension usr_cert. If you remember, in our openssl file, the openssl.cnf file, we have created multiple extensions, for the user, for the server, for the client, for the root. In this case, for the client certificate, we will use the usr_cert extension. Now we need to use our intermediate certificate, -CA, and we use -CAkey, then -CAcreateserial.
Then we use the input file, which is the CSR we have just created, and the output file, and we give it a period of a little bit over a year. Enter the passphrase. Now the client certificate has been created. Now we can take a look over this client certificate. As you can see, this is the issuer, which is the intermediate company. Now this is the client, which is what we just entered: an email, and the name, and the algorithm, and the encryption. And again, this is FALSE: the client certificate cannot sign and trust other certificates. Now let's change the mode of it, which will make it 600 again, in intermediate/certs, the postgresql certificate. Now the final step is that we verify this certificate against the chain of trust certificates: this is the root chain certificate file, and we write our client certificate. If we get OK, that means the client certificate has been authenticated by the root chain certificates. Sorry, typing mistake. Okay, again. Now we have got the OK, which means our client certificate has been authenticated by the root chain certificate. By doing so, up to this point we have created our client certificate and we have created our client key. These two files we will copy to the client machine along with the intermediate certificate. And these three things we will use in our next video; I will show you how to copy them to the client machine and how to start the connection. Thank you very much for watching.

11. 7 Client Machine SSL Client Server with Ubuntu Server 18: Hello, friends. This is video number seven of our series, SSL client server connection. In this video, we will talk about copying the files from the server machine to the client machine. These are the three files that we have created in the previous video: the client certificate, the client key, and the intermediate certificate.
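The server- and client-certificate procedure of the two lessons above, as an added example that is not part of the course: it builds a disposable root, intermediate, server and client chain in a temporary directory with the same openssl steps (genrsa, req, x509 -req with -extfile/-extensions, verify -CAfile) and runs the same OK and CA:FALSE checks. The openssl.cnf it writes and the names (Example Root CA, db.example.net, appuser@example.net) are assumptions standing in for the course's intermediate/openssl.cnf; keys are generated without a passphrase so it runs unattended.

```shell
#!/bin/sh
# Added example; not the course's own files. Builds root -> intermediate -> server/client
# in a scratch directory and checks each leaf against the chain, as the lessons do.
set -e

write_cnf() {   # $1 = path; an assumed minimal stand-in for the course's intermediate/openssl.cnf
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate_ca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# make_chain DIR: writes root.crt, intermediate.crt, server.pem, client.pem, ca-chain.pem into DIR
make_chain() {
  d=$1; cnf=$d/openssl.cnf
  write_cnf "$cnf"
  # Root CA: self-signed; the only certificate that signs the intermediate.
  openssl genrsa -out "$d/root.key" 2048 2>/dev/null
  openssl req -new -x509 -config "$cnf" -extensions v3_ca -days 3650 \
    -key "$d/root.key" -subj "/CN=Example Root CA" -out "$d/root.crt" 2>/dev/null
  # Intermediate CA: its only job is to sign server and client certificates.
  openssl genrsa -out "$d/intermediate.key" 2048 2>/dev/null
  openssl req -new -config "$cnf" -key "$d/intermediate.key" \
    -subj "/CN=Example Intermediate CA" -out "$d/intermediate.csr" 2>/dev/null
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$cnf" -extensions v3_intermediate_ca -days 1825 \
    -out "$d/intermediate.crt" 2>/dev/null
  # Server certificate: CN is an FQDN, signed with server_cert for 375 days as in the lesson.
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null
  chmod 600 "$d/server.key"                 # only the owner may read the private key
  openssl req -new -config "$cnf" -key "$d/server.key" \
    -subj "/CN=db.example.net" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
    -CAcreateserial -extfile "$cnf" -extensions server_cert -days 375 -out "$d/server.pem" 2>/dev/null
  # Client certificate: CN is a person's name or e-mail, signed with usr_cert.
  openssl genrsa -out "$d/client.key" 2048 2>/dev/null
  chmod 600 "$d/client.key"
  openssl req -new -config "$cnf" -key "$d/client.key" \
    -subj "/CN=appuser@example.net" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
    -CAcreateserial -extfile "$cnf" -extensions usr_cert -days 375 -out "$d/client.pem" 2>/dev/null
  # Chain of trust: intermediate first, root last. This is what the client gets as root.crt.
  cat "$d/intermediate.crt" "$d/root.crt" > "$d/ca-chain.pem"
}

# verify_leaf CAFILE CERT: the lesson's "openssl verify -CAfile ..." check; 0 means OK
verify_leaf() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# is_ca_cert CERT: 0 if the certificate carries CA:TRUE, i.e. it may sign other certificates
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# key_is_private KEYFILE: 0 if the file mode is exactly 600, as the lessons require
key_is_private() { [ -n "$(find "$1" -perm 600)" ]; }

WORK=$(mktemp -d)
make_chain "$WORK"
verify_leaf "$WORK/ca-chain.pem" "$WORK/server.pem" && echo "server.pem: OK against the chain"
verify_leaf "$WORK/ca-chain.pem" "$WORK/client.pem" && echo "client.pem: OK against the chain"
# The root alone is not enough: without the intermediate the leaf cannot be verified,
# which is why the course copies the intermediate certificate to every client machine.
if verify_leaf "$WORK/root.crt" "$WORK/client.pem"; then
  echo "unexpected: client.pem verified without the intermediate"
else
  echo "client.pem: not verifiable with root.crt alone (intermediate missing)"
fi
is_ca_cert "$WORK/server.pem" || echo "server.pem: CA:FALSE, it cannot sign other certificates"
rm -rf "$WORK"
```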
Now, let's start with an idea of the steps that we will do in this video. The first is that you need to make sure that you have an OpenSSH server on your client machine and on your server machine. On the client machine, you can do these steps to install the SSH server: sudo apt-get install tasksel. Then it will show a list; from this list, you will choose the OpenSSH server and you start the installation. Once you have done the installation, then you're good to go. Now, sometimes in some countries the ISP, the Internet service provider, or maybe a proxy, may block port number 22. So you need first to check the service status. If it's not working, that means you have something blocking your default port. So you need to go inside the configuration file of OpenSSH; in this line you will find port number 22. You need to change it: uncomment the line and change 22 to a different port number, whatever you choose. Then you restart the OpenSSH server; we'll see how that's done. Now let's talk about copying the three files from the server machine to the client machine. The first thing we need to do is to create a directory by this name, exactly by this name. This is what the PostgreSQL manuals stipulate: based on the manuals, you have to create this directory in the home directory of your client machine. This directory, by this name, should be created in the home directory of the client machine. Once you have done that, you need to start the procedure of copying the files. Now, this side represents the server side, and this side represents the client side machine. On the server side, we start with the user name, which is the current user on the server that you are using now, the user which is active right now. This is the static IP address of the server. This is the location where the intermediate certificate resides. And here you add this line and you give it a name,
root.crt, so this certificate will be given the name root.crt here. Now you do the same for the PostgreSQL certificate and give it the name postgresql.crt, and then for the key as well; you do the same with the PostgreSQL key and you give it the name postgresql.key. Once you have done these steps, you just change the mode of this key to 600 to prevent anyone except for the user from accessing this file. These are the steps that we will do now. These steps I have already done, so I will just show you from here. Let's copy this and show you what the status is. Sorry, a typo. As you can see now, the OpenSSH server in my client machine is up and running. Now I am working in the client machine; I'm not working on the server machine. This is the client machine. Okay, now the SSH server is up and running. Good. This is step one. Now let's create a directory by this name. Directory created. Let's scp the first file, the intermediate certificate. Enter the password of the server, the password of the server. As you can see now, the first file has been transferred successfully. Let's do the second file, which is the client certificate. Again, enter the server password. The second file has been transferred successfully. Let's transfer the third file, which is the PostgreSQL key, the client key. Now I will show you something that you might face: when you try to transfer the key, you will get a permission denied for transferring the key. The reason is very obvious, I believe: this folder in the server machine is protected; only root can access it. And even this file, the key, is also protected with 600. So what you need to do is that you go to the server, just for a short while, just for a short while, and change the chmod of this folder and this file; make them 777. The chmod will be 777 for this file; change it.
And for this folder, just for, let's say, a couple of minutes, and then come here, make the copy, and once the copy is done, go back to the server and change the mode of the folder and file back to their default mode. Okay, I'll show you the steps. Permission denied. Now we go to the server, we change the mode of the private folder. Okay. Okay, now we have changed both of them, this file and this file; we made them 777 mode. Now we go back again to this. Enter the password of the server. As you can see, now we have managed to copy the file. Now we go back again to the server and change the mode. Okay, now I have made the changes in the server as well. Now I have transferred these three files. The last step is that I need to restrict the access to this key from anyone except root: make it chmod 600 for this postgresql key. Done. Now we have managed to copy these three files from the server machine to the client machine, and then we have changed the mode of the postgresql key. Now, in this case, we can start the connection from the client machine to the server. Notice one thing: you remember I have told you before, if you have made the certificate, the PostgreSQL certificate, the client certificate, if you have made it with self-signing here, and you try to connect, you will not be able to get a connection. And the reason, as I have told you before, is that this key has to be saved in the key store of the Java of this machine, because this is a self-signed certificate, so it has to be saved as well in the Java platform of this client machine, and you have to do it in each and every client machine that you want to connect to the server.
So this is really a headache, and the easiest way, as I told you before, is that you need to buy from a global certificate authority, and these global certificate authorities are already saved, their names are already saved, in the browsers, in the Java platforms, in the key stores of Java, so you will not have any problems when you make the connection from the client machine to the server machine. Now, this is video number seven. In the next video, we will go deeper into the connection: which connection PostgreSQL considers secure and which one it doesn't consider secure. This is a very important issue. Most people think that once they do the server side configuration, they have got a secure connection, and this is not the case. According to the PostgreSQL manuals, just configuring the server side will not give you a totally secure connection between the client and server. We will discuss this in the next three or four videos. Thank you very much for watching.

12. 8 SSL Concept SSL Client Server with Ubuntu Server 18: Hello. This is video number seven of our series, SSL client server certificates. In this video, we will talk about the concept of the secure connection: what is this secure connection concept, and how do we consider that our connection is secure? Now, based on the PostgreSQL manuals, this server client SSL connection is considered secure when both the client and the server have been configured before the connection is made. Now what does that mean? That means the server should have a certificate and the client should have a certificate, and the server checks the client certificate before it connects, and the client checks the server connection, the server certificate, before it connects to it. Now, in some cases, some people consider that if they configure the server certificate, that's it, that means the server client connection is secure. That is not the case, according to the manuals. Why?
Because, as we see here, if the client doesn't have a certificate and doesn't check the server certificate, that means the data which is leaving from the client to the server could be lost, or something could happen like eavesdropping, or the man in the middle, or impersonation, anything. The man in the middle could steal the data that the client sent to the server. Or impersonation: that means that someone impersonates the server while it is not the server, and the client thinks it's the server and sends it the information. In this case, this connection is not considered secure, which brings us to one important point, which is the client authentication. And that can be found in the HBA, the pg_hba.conf file; that is the authentication file for the client when it wants to connect to any server, and how it will check that server. As you can see here, we have multiple lines showing how we can configure the client authentication, which stipulates: this is hostssl, the database name, the user name, the address, the authentication method and the authentication option. Now I'm sure you have made these; these are very clear, but we will talk specifically about this option, which is the authentication option, and this is mentioned below. These are the authentication options, but the most important one, which we will discuss now, when we make the pg_hba.conf file, which is the client authentication file, is that when the server connects to the client and we have added this thing to the HBA, the server will request the client authentication certificate. And if we make this clientcert flag equal to 1, in this case the server must have a client certificate to authenticate, otherwise the connection will be rejected. So in this case, it's a very important thing.
If we want a secure connection, both sides, the server and the client, should check one another, and the server will check the client by adding to the client authentication file this flag, and we should make it equal to 1. Which brings us also to another thing: now this clientcert flag, when we add it to the pg_hba.conf alongside the type of the connection, which is hostssl type, if it is 0, then the server will not ask for a client certificate; in this case the connection is not totally secure. So it should be 1. Okay, now there is another thing which you can replace, as we can see here in the HBA configuration file, for the client certificate: there is cert. If we use cert instead of the clientcert flag, if we use cert, there will be another, more stringent requirement for the connection to be made. And what is that? It says here that when we use cert, the common name should match the user name on the server. So this is a higher level of authentication: when we use cert, the common name in the certificate should match the user name of the server. But this is kind of complicated for some people, so it is better when you use clientcert equal to 1; in this case the server will request the client certificate to be checked and authenticated, and then the connection can be made. And how will the client check the server in this case? How will the client check the server? As you remember, in video number six, we copied this certificate authority that we made on the server; we copied it into the postgresql directory, if you remember that. Now, we copied it to the client machine. Now, when the client wants to check this server, it will compare this certificate authority, which is in the client machine, to the certificate authority in the server machine.
If both match, then the client will authenticate that this is the intended server and that it is not a fake server. Now, this is just a brief of how the client and the server check one another, and what options we can take to make sure that the server is completely secure, that this server client connection is completely secure. In the next two videos, actually, the first video will show you a connection where only the server side is secured, and the other video will show you how the connection is totally secure from both sides, from the server side and from the client side. Thank you.

13. 9 SSL Concept One SSL Client Server with Ubuntu Server 18: Hello. This is video number eight of our series, SSL client server certificates. In this video, we will talk about scenario number one. As I told you in video number seven, there are two types, or two scenarios. The first scenario is when we configure only the server side and we get a secure connection only from the server side, but not the client side. In the next video, we'll talk about securing the connection from both sides, the server side and the client side, as PostgreSQL stipulates. So let's start here. When you install Ubuntu Server 18 and PostgreSQL 10, you'll get these default configurations of the server. You can find these default configurations in the postgresql.conf file. Now, apart from this line; this line I have changed. By default it is commented, and it's written here, localhost. I have uncommented the line, and I added the star. The star means that the server now can listen to all IP addresses, whether IPv4 or IPv6. Now on this side, you can see the client authentication configurations, which are in the file named pg_hba.conf. Now, in this file, there are two connection types: either it is host or hostssl. These two types, what is the meaning of them?
If you choose host, you still can get an SSL connection, but from a UNIX local connection or from a remote TCP/IP connection; in both cases it is secured, it's an SSL connection. But if you choose hostssl, the request will be accepted by the server only from a remote TCP/IP address. Now here, this is the database. This is the user name; if you add a plus, that means this is a group. And here this is the IP number; you can see these all zeros, which means it can accept all IPv4 addresses. And here this is the CIDR mask. And here this is the hashing; you can see I have selected scram-sha-256, which is better than md5, because md5 is the PostgreSQL default, and I prefer the client should use this type of hashing, as it's more professional, more secure. Now, as you can see here in the client authentication file, we didn't add, as we mentioned in the previous video, the request to get from the server, the request to get the client certificate, which we said is clientcert equal 1 or cert. Usually, when we add this clientcert equal 1 or cert, the server will request the client certificate, but here we don't see that, which means only the server side will be secured, but not the client side, which means any data from the server to the client will be secured, but any data sent from the client to the server will not be secured. It could be stolen, like in the case of the man in the middle, or it could be, as we said in the previous video, impersonated, which means that someone pretends that it is the server when it is not the intended server, which means it's like a fake server; in this case, the client will send its data to that fake server. So let's recap again. This is the default configuration of the server, which we can find in postgresql.conf. Here, the server can listen to all ports, whether IPv4 or IPv6. Here is the client authentication file, the pg_hba.conf file.
Two types of connection: either it's host or hostssl. The host can accept from UNIX local requests or remote TCP/IP; the hostssl can accept only from remote TCP/IP. Here, we didn't add clientcert equal 1, which means the server will not request any client certificate, and all this means that only the server side is secured when it sends its information, but not the client side when it sends its information. So let's try now on the client machine. This is the client machine. Now, in this scenario, we will not copy the client certificate, the client key, and the root certificate or the intermediate certificate, the certificate authority, into the client machine. We will not do that, because there is no need, because the server will not request the client certificate, as we didn't add here any clientcert equal 1. So in the client machine, we haven't copied the client certificate, the client key, and the intermediate certificate, which is the certificate authority. We will try to connect to the server securely; what is the result? So: psql, the host IP address, the user name here, the database here, and we try to connect to the server. We will get a secure connection, an SSL connection. But this connection, as you can see here with the ECDHE-RSA cipher shown, is secure only from the server side, not from the client side. Based on the PostgreSQL manual, this connection is not fully secured. Now, in the next video, we will talk about the configuration, how to configure to get a fully secured SSL connection between the client and the server, so we have to configure both sides, the server side and the client side. Thank you for watching.

14. 10 Custom Config SSL Client Server with Ubuntu Server 18: Hello, friends. This is video number 10 of our series, SSL client server connection. In this video, we will talk about the configuration of both sides,
the server side and the client side, and how the server can authenticate the client and how the client can authenticate the server. We will see how we can configure the server file, which is the postgresql.conf file, and how we can configure the client authentication file, which is the pg_hba.conf file. Now, on the left side, you'll see the server file; this is a customized PostgreSQL package, so you can access it through this command. The first thing is listen_addresses: which IP addresses the server should listen on. If you add this star, that means this server will listen to all IP addresses, and that includes IPv4 and IPv6. The next thing is the port, which is port 5432. The second thing is the maximum connections, which is 100. Now this line, by default, is commented. I noticed in a few applications, when I run the application, I get an error; the error says that there should be three connections reserved for the superuser. Now, if you get this error in your application, then you come to this file, the postgresql.conf file, and uncomment this line. The next thing is the authentication timeout; it is commented by default. You can uncomment it and select whatever time you need for the timeout. SSL: by default it's off; you should make it on. This one is commented; you should uncomment it, and the SSL ciphers are graded from the high ciphers to the medium to the null. The next line is ssl_prefer_server_ciphers; by default it's commented. According to the PostgreSQL manuals, it is preferable to uncomment this line and choose on. By default, this is commented here as well; by default it's commented, and it's preferred that you uncomment it. These two lines are totally up to you.
Now, if we come to the rest of this file, where we can find these certificates: the first one, of course, is the server certificate, the second one is the server key, and the third one is the certificate authority, in our case the intermediate certificate. And the last thing is the password encryption, which we will set to use scram-sha-256. Now, again, I have to remind you of this fact: this should be a server certificate signed by a global certificate authority, so you'll have no worries when you use your server over the Internet. Otherwise, if you self-sign it, then you have to go and register this certificate in each and every client machine, in the key store, and the way to do that is to follow this lengthy procedure. Now, if you want to do this, be my guest; it's totally up to you. Once you have done this, this is the server side, and then you also need to configure the client authentication file by creating hostssl. You remember the hostssl means this connection has to accept TCP/IP SSL connections only; hostssl means only remote TCP/IP connections will be accepted. Now here is the database name, whatever the name of your database is; here the user name, whatever the name is, and if there is a plus, it means this is a group of users; here the IP; if you put 0.0.0.0, that means all IPv4 addresses; here the CIDR mask, 0. This is the scram-sha-256 hashing of the password. And here is the main issue of the client authentication: when we select clientcert equal 1, in this case the server will request from the client, when the client wants to connect to the server, the server will request that the client present a certificate, the client certificate. Then, at the same time, the client machine, which has the intermediate certificate, will test this intermediate certificate against the one that is available in the server machine.
If both intermediate certificates match, that means this server is authenticated; this server is not fake; this is the intended server. So this is a double authentication. The server requires authentication from the client, by the client supplying the client certificate, and the client will check: the intermediate certificate which is available in the client machine will be matched with the intermediate certificate that is in the server machine. If it matches, that means this is the server. This is a full SSL configuration. This is, per the PostgreSQL manual, a fully secure connection: two-way authentication, server to client and client to server. Both ways are checking each other. And this is the full secure configuration. Now, in the next video, we will apply this full line of SSL connection; we will apply it in our application and we'll see how we can do that. Thank you very much.

15. 11 SSL Concept Two SSL Client Server with Ubuntu Server 18:

Hello, friends. This is video number 11 of the series SSL Client Server Connection. In this video, we will show you how you can apply a fully secured SSL connection between the client and the server. Now, let's go through this presentation of the steps that we will implement on our connection. First of all, let's see two points which are important. The first thing is that these steps, this implementation, will be done on the Java side, which means in your application; it's not on the server side, it's in your application. The second thing you need to notice is that the server certificate has to be signed and trusted by a global certificate authority. If you have a self-signed certificate and you apply it here, your connection will not be made; the client machine will not connect to the server. Having said these two things, let's go with the application of the SSL connection from the client to the server.
Now, the connection we need to make has some properties, so the connection from the client to the server has multiple properties. You can find these properties in this article of the PostgreSQL documentation. There are many properties that affect this connection in terms of security, and in terms of performance as well. So all these properties you can apply in your connection. Now, I have selected the basic properties: just the sslmode, the sslcert, the sslkey and sslrootcert, and the hostname verifier, sslhostnameverifier. Now, verify-full and verify-ca: either one can be applied, but there are some distinctions between them. If you have a self-signed certificate, you can use verify-ca. If you are getting a global certificate authority which signs and trusts your server certificate, then you have to use verify-full; otherwise you can use verify-ca. So if your server certificate is signed and trusted by a global certificate authority, and it is, then you can use verify-full, and you can get the details about this in this article: what the differences are, how verify-full can protect you, and what other issues you can get into, from this article. The next thing is the sslcert, which is the client certificate; remember, you are doing this on the client machine. And the sslkey, which we have copied from the server, and the sslrootcert, which is the root cert; remember the intermediate certificate that we have copied to the client machine. But here there is one thing to notice: you need to give the full path of this, the full path, not just like this one. No, you have to mention the full path of this. And the last property that I have chosen is the sslhostnameverifier; you can just add this line. Once you have set these properties of the connection, now let's come to the next step.
The next thing is that you create a socket, a connection socket, between the client and the server machine. Now, every machine, when it connects to the server, the connection goes through a socket; servers require a socket to connect to. So we have to make the socket, the connection socket. And the way to do that is, first of all, we'll be making a try-catch block, and then we apply this class, LibPQFactory. This LibPQFactory will get us an object, and in this object we will use this method, createSocket, and we will add the static IP address of our server and the port number; of course, our port is 5432. This line of code will give us a socket, the client SSL socket. Now the socket with the server has been created with this class. Note that this is from the client side. So these two lines are focused on the client side, to get the socket end from the client side. Now let's talk about the other end of the socket; the other end is the server side. On the server side we need to apply this class, the socket address, which is new InetSocketAddress, which takes two parameters: the first one is the host name of that server (what is your host name?) and the port. Now, once you have set this line of code, then you have assigned the server side, the address which this socket can connect to, so the client can connect to the server. On the client we need to create the socket, and for the server, the other side of the connection, we need to assign where it is, where this server is; we have to give the host name of the server and the port. And then we can create the connection between the client and the server. Now, this parameter is the timeout; the timeout parameter is 30,000 milliseconds.
After that you decide whichever timeout you want. Once you have done these steps, now you have created the socket which the connection between the client and the server will go through. Now, this is the first step that you need to do in your application. The first thing is that you create the connection socket. The next step will come also: you need to create a JDBC connection. But the JDBC connection will focus on connecting to the database. So the socket connects the client machine to the server machine; the JDBC will connect your machine to the database in that server. And it is a very simple way, as I'm sure most of you know: the JDBC URL, here the host IP address, the port and the database name, the user name and the password. That's it. Once you have done this, then your client can connect to that database, which is available in this server, through this socket connection. And I have applied it in my application, and it looks like this. This is the way you can apply it. The first thing is that you need to create the properties of the connection. Then you create the socket between the client machine and the server machine; this is the client socket, the details of what you create the socket to: the server IP with the port. And then this server, where it is, what the properties of the socket are, where we can find this server: it is the host name of the server and the port. And then the client will connect to that server once we have done these steps. Obviously, this should be done at the beginning of your application when you want to connect; this is the first step in your application when you want to connect to the server. Once you have done this, then you can go for the JDBC connection and you can connect to your database in that server. This is the general idea. And let me remind you of one important thing.
Whatever we have done in these 11 videos, we have chosen, or I have chosen, to go only for the basic configurations. There are a lot of considerations that affect your connection, that affect your SSL connection, that affect your security, in terms of security and in terms of performance. And I have shown you here only this: creating the connection has a lot of properties; you see how many properties. So this is only one factor, the properties of the connection, which has a lot of properties. So you can imagine the other things, what other parameters affect the security of the connection. So, again, whatever you have done in these 11 videos, we just set up the basic configuration to create an SSL secure connection between the client machine and the server machine. I thank you so much for attending and for taking up this course. I thank you so much again, and I wish you all the best.
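The following is an added example for this page, not code from the course or from Mohammed Al Saadi. It turns the server-side settings walked through in lessons 14 and 15 (ssl = on, ssl_prefer_server_ciphers, the certificate files, password_encryption = scram-sha-256, and a pg_hba.conf hostssl rule with scram-sha-256 and clientcert) into a small audit that parses postgresql.conf and pg_hba.conf text and reports every setting that departs from that hardened configuration. The file names (server.crt, intermediate.crt, appdb, +appusers) and both sample configuration pairs are constructed for the example; the parser accepts both the CIDR and the separate-netmask address forms of pg_hba.conf, which the lecture only shows in CIDR form.

```python
"""Audit of the PostgreSQL server-side TLS/authentication settings covered in the lecture.

Added example, not the course's code. Parses postgresql.conf and pg_hba.conf text
(constructed samples below) and reports deviations from the hardened configuration.
"""
import re

# Methods that send no credential, a cleartext one, or the deprecated md5 hash.
WEAK_METHODS = {"trust", "password", "md5"}
# Accepted spellings of "require a client certificate". clientcert=1 is the older
# syntax used in the lecture; PostgreSQL 12+ spells it verify-ca / verify-full.
CLIENTCERT_OK = {"1", "verify-ca", "verify-full"}
# An IPv4/IPv6 netmask given as its own field ("ADDR MASK" form instead of CIDR).
_MASK_RE = re.compile(r"[0-9a-fA-F.:]+")


def parse_postgresql_conf(text):
    """Return {name: value} for the active (uncommented) settings in postgresql.conf text."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (a '#' inside quotes is not handled)
        m = re.match(r"([A-Za-z_][A-Za-z0-9_.]*)\s*=?\s*(.+)", line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]
        settings[name] = value
    return settings


def parse_pg_hba(text):
    """Return one dict per pg_hba.conf rule: type, db, user, address, method, options."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        rtype, db, user, rest = fields[0], fields[1], fields[2], fields[3:]
        address = None
        if rtype != "local":
            address, rest = rest[0], rest[1:]
            # address may be written as ADDR MASK (two fields) instead of CIDR notation
            if rest and _MASK_RE.fullmatch(rest[0]) and ("." in rest[0] or ":" in rest[0]):
                address, rest = address + "/" + rest[0], rest[1:]
        method, opts = rest[0], rest[1:]
        options = dict(o.split("=", 1) for o in opts if "=" in o)
        rules.append({"type": rtype, "db": db, "user": user, "address": address,
                      "method": method, "options": options})
    return rules


def audit_postgresql_conf(settings):
    """Findings for the server file; unset values are treated as PostgreSQL's defaults."""
    findings = []
    ssl_on = settings.get("ssl", "off").lower() == "on"
    if not ssl_on:
        findings.append("ssl is not on: clients can connect without TLS")
    if settings.get("ssl_prefer_server_ciphers", "on").lower() != "on":
        findings.append("ssl_prefer_server_ciphers is off: the client picks the cipher")
    # md5 was the default before PostgreSQL 14; scram-sha-256 is the lecture's choice.
    if settings.get("password_encryption", "md5").lower() != "scram-sha-256":
        findings.append("password_encryption is not scram-sha-256")
    if ssl_on and "ssl_ca_file" not in settings:
        findings.append("ssl_ca_file not set: client certificates cannot be verified")
    return findings


def audit_pg_hba(rules):
    """Findings for remote rules that are not hostssl + strong method + client certificate."""
    findings = []
    for r in rules:
        if r["type"] == "local":
            continue  # Unix-socket rules are not the remote path the lecture covers
        where = f"{r['type']} {r['db']} {r['user']} {r['address']}"
        if r["type"] != "hostssl":
            findings.append(f"{where}: type is not hostssl, so non-TLS connections can match")
        if r["method"] in WEAK_METHODS:
            findings.append(f"{where}: method '{r['method']}' is weak")
        if r["method"] != "cert" and r["options"].get("clientcert") not in CLIENTCERT_OK:
            findings.append(f"{where}: no client certificate required")
    return findings


def audit(conf_text, hba_text):
    """Combined findings for a postgresql.conf / pg_hba.conf pair."""
    return audit_postgresql_conf(parse_postgresql_conf(conf_text)) + audit_pg_hba(parse_pg_hba(hba_text))


# Constructed samples: a default-like weak pair and the hardened pair from the lecture.
WEAK_CONF = """
listen_addresses = '*'
port = 5432
max_connections = 100
#ssl = off
password_encryption = md5          # constructed: pre-14 default
"""
WEAK_HBA = """
# TYPE  DATABASE  USER  ADDRESS     METHOD
host    all       all   0.0.0.0/0   md5
host    all       all   ::/0        trust
"""
HARDENED_CONF = """
listen_addresses = '*'
port = 5432
max_connections = 100
superuser_reserved_connections = 3
ssl = on
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
ssl_prefer_server_ciphers = on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ca_file = 'intermediate.crt'       # constructed name for the intermediate CA
password_encryption = scram-sha-256
"""
HARDENED_HBA = """
# TYPE   DATABASE  USER       ADDRESS                    METHOD         OPTIONS
hostssl  appdb     +appusers  0.0.0.0/0                  scram-sha-256  clientcert=1
hostssl  appdb     +appusers  ::/0                       scram-sha-256  clientcert=verify-full
hostssl  appdb     +appusers  192.168.1.0 255.255.255.0  scram-sha-256  clientcert=1
local    all       postgres                              peer
"""

if __name__ == "__main__":
    for label, conf, hba in (("weak", WEAK_CONF, WEAK_HBA), ("hardened", HARDENED_CONF, HARDENED_HBA)):
        print(label, audit(conf, hba) or ["no findings"])
```

Run it against the two files from a real server (read them with open() and pass the text to audit()) after every change to postgresql.conf or pg_hba.conf, and remember that the server only reloads pg_hba.conf and ssl settings after pg_ctl reload or SELECT pg_reload_conf(). The comment stripping is deliberately simple: a '#' inside a quoted value is treated as a comment, which is fine for the settings audited here.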