Transport Layer Security (TLS)

What is Transport Layer Security (TLS)?

Transport Layer Security is a cryptographic protocol designed to provide communications security over a computer network.

TLS encrypts data sent over the Internet so that eavesdroppers and hackers cannot see what you transmit. This is particularly useful for private and sensitive information such as passwords, credit card numbers, and personal correspondence.

Types of certificates:

TLS/SSL server certificate

The Transport Layer Security (TLS) protocol, like its outdated predecessor, the Secure Sockets Layer (SSL) protocol, ensures that the communication between a client computer and a server is secure. The protocol requires the server to present a digital certificate, proving that it is the intended destination. The connecting client conducts certification path validation, ensuring that:

  1. The subject of the certificate matches the hostname (not to be confused with the domain name) to which the client is trying to connect.
  2. A trusted certificate authority has signed the certificate.

The Subject field of the certificate must identify the primary hostname of the server as the Common Name. A certificate may be valid for multiple hostnames (e.g., a domain and its subdomains). Such certificates are commonly called Subject Alternative Name (SAN) certificates or Unified Communications Certificates (UCC). These certificates list the hostnames in the Subject Alternative Name field, though many CAs also put a hostname into the Subject Common Name field for backward compatibility. If some of the hostnames contain an asterisk (*), a certificate may also be called a wildcard certificate.

Once the certification path validation is successful, the client can establish an encrypted connection with the server.

Internet-facing servers, such as public web servers, must obtain their certificates from a trusted, public certificate authority (CA).
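The hostname check from step 1, including the SAN and wildcard cases described above, as an added example (not code from this page or from Libraesva). It works on constructed dictionaries in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the `example.test` names, the function names, and the rule that a wildcard needs two fixed labels after it are assumptions made for the illustration.

```python
# Added example: the hostname check (step 1 of path validation) applied to a
# certificate dict shaped like the one ssl.SSLSocket.getpeercert() returns.

def name_matches(pattern, host):
    """Compare one certificate name with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # '*' stands for exactly one label
    if any("*" in label for label in p[1:]):
        return False              # wildcard only in the leftmost label
    if p[0] == "*":
        # Assumption: require two fixed labels after '*', so '*.com' fails.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False              # partial wildcards such as 'w*w' rejected
    return p == h


def cert_names(cert):
    """Names the certificate covers: SAN DNS entries, else the Common Name."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san                # SAN present: Common Name is not consulted
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def hostname_matches(cert, host):
    return any(name_matches(n, host) for n in cert_names(cert))


# Constructed sample certificates (not taken from any real server).
SAN_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "mail.example.test"),),)}

if __name__ == "__main__":
    for host in ("example.test", "www.example.test", "a.b.example.test",
                 "example.test.evil.test", "mail.example.test"):
        print(f"{host:24} SAN cert: {hostname_matches(SAN_CERT, host)}")
```

In a real client, `ssl.create_default_context()` enables this hostname check together with the trusted-CA check, so application code should rely on it rather than reimplement the rules.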

TLS/SSL client certificate

Client certificates authenticate the client connecting to a TLS service, for instance, to provide access control. Because most services provide access to individuals, rather than devices, most client certificates contain an email address or personal name rather than a hostname. In addition, the certificate authority that issues the client certificate is usually the service provider to which the client connects because it is the provider that needs to perform authentication.

While most web browsers support client certificates, the most common form of authentication on the Internet is a username and password pair. Client certificates are more common in virtual private networks (VPN) and Remote Desktop Services, where they authenticate devices.

Email certificate

Under the S/MIME protocol, email certificates can both establish message integrity and encrypt messages. To establish encrypted email communication, the communicating parties must have each other's digital certificates in advance. Each party must send the other one digitally signed email, and the recipient must opt to import the sender’s certificate.

Some publicly trusted certificate authorities provide email certificates, but more commonly S/MIME is used when communicating within a given organization, and that organization runs its own CA, which is trusted by participants in that email system.

Self-signed and root certificates

A self-signed certificate is a certificate with a subject that matches its issuer, and a signature that can be verified by its own public key.

For most purposes, such a self-signed certificate is worthless. However, the digital certificate chain of trust starts with a self-signed certificate, called a “root certificate,” “trust anchor,” or “trust root.” A certificate authority self-signs a root certificate to be able to sign other certificates.

An intermediate certificate has a similar purpose to the root certificate; its only use is to sign another certificate. However, an intermediate certificate is not self-signed. A root certificate or another intermediate certificate needs to sign it. An end-entity or leaf certificate is any certificate that cannot sign other certificates. For instance, TLS/SSL server and client certificates, email certificates, code signing certificates, and qualified certificates are all end-entity certificates.

How can Libraesva help?

TLS (Transport Layer Security) seamlessly provides transport encryption for email delivered over SMTP between servers that support it.

Libraesva ESG both receives and sends email, so TLS can be configured on both sides: you can define different policies for receiving (server) and for sending (client).