SSL - Does a server certificate bind to a specific machine?


The certificate isn't necessarily bound to a particular machine. To be able to "use a certificate" on a machine, you need two things: the certificate itself, and its private key. You should have generated the private key along with the CSR (depending on which tools you've used).

Some systems don't allow you to re-extract the private key (e.g. Windows has an option to import a private key in a way you can no longer export it, but as far as I understand, this can be bypassed if you have sufficient access rights on that machine). In cases where you're using a smart card or hardware token, the private key may be generated there in such a way that you can't extract it (in this case, moving the token to the new machine would make sense if necessary).

The other part is the certificate and its name. The host name(s) in the certificate (which are often also found in the CSR, although that's ultimately not necessary) should be the host name(s) of this machine, as seen by the clients trying to connect to it (see RFC 2818 Section 3.1 for details on host name verification for HTTPS). As such, although the certificate itself isn't tied to a particular machine in terms of hardware, it will be tied to this host name (which allows you to change the hardware for this machine or its IP address, for example).

Author: zgcharley (Software Principle Engineer/Architect, Cloud Integration, IPaaS)

Updated on June 06, 2022

Comments

  • zgcharley
    zgcharley almost 2 years

    Recently we created a server with Tomcat and we also added SSL support for this little server. For SSL support, we need a certificate issued by a third-party issuer like Entrust, Thawte etc.

    A colleague said to me that the certificate is bound to a specific machine, i.e. once we have the issued certificate, it can't be used on another machine.

    I doubt this completely because the CSR doesn't contain any info of the machine. Is that true?

    Thanks

  • zgcharley
    zgcharley about 11 years
    So that means the certificate is tied to a host name. Then how can I see the host name in the cert? Is it the CN? Another question is: does an SSL client always require host name checking? (I don't think so.)
  • Bruno
    Bruno about 11 years
    If there are DNS subject alternative names, the host name can be any of them. Otherwise, it's the CN in the Subject DN. SSL clients should always check the host name (some don't, but that makes them vulnerable to MITM attacks -- not verifying the name should be treated as a security bug).
  • zgcharley
    zgcharley about 11 years
    Thanks for your explanation!
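The host name check described in the answer (RFC 2818 Section 3.1) and the SAN-before-CN rule from Bruno's comment, as an added example that is not part of the original thread. The certificate identities below are constructed sample values; the `from_getpeercert` adapter assumes the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import re

# Constructed sample identities (not from any real certificate).
# This one carries DNS subject alternative names, so its CN is irrelevant.
CERT_WITH_SAN = {
    "subject_cn": "old-host.example.com",
    "san_dns": ["www.example.com", "*.api.example.com"],
}
# Legacy-style certificate with no SAN: only the CN can be matched.
CERT_CN_ONLY = {"subject_cn": "legacy.example.com", "san_dns": []}


def reference_identifiers(cert):
    """Names a client may match the connected host name against.

    RFC 2818 section 3.1: if dNSName subject alternative names are present
    they MUST be used; the Subject CN is consulted only when there are none.
    """
    if cert["san_dns"]:
        return list(cert["san_dns"])
    return [cert["subject_cn"]] if cert["subject_cn"] else []


def dns_name_matches(pattern, hostname):
    """Case-insensitive match of one certificate name against a host name.

    Wildcards follow RFC 2818 section 3.1: '*' matches a single label or
    label fragment, so "*.a.com" matches "foo.a.com" but not "bar.foo.a.com",
    and "f*.com" matches "foo.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans a dot
    for p, h in zip(p_labels, h_labels):
        # Turn each label into an anchored regex; '*' becomes ".*" within the label.
        label_re = "^" + ".*".join(re.escape(part) for part in p.split("*")) + "$"
        if not re.match(label_re, h):
            return False
    return True


def hostname_matches_cert(cert, hostname):
    """True if the host name the client connected to is one the certificate names."""
    return any(dns_name_matches(n, hostname) for n in reference_identifiers(cert))


def from_getpeercert(peer):
    """Adapt the dict returned by ssl.SSLSocket.getpeercert() to the format above."""
    cn = next((v for rdn in peer.get("subject", ()) for k, v in rdn if k == "commonName"), "")
    san = [v for k, v in peer.get("subjectAltName", ()) if k == "DNS"]
    return {"subject_cn": cn, "san_dns": san}
```

Because the check depends only on the names in the certificate, the same certificate and private key work on any host that clients reach under one of those names, which is the point made in the answer.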