Digital certificate vs. SSL service

What is the difference between a Digital Certificate and an SSL service?

They don’t manage the same thing? The supported cipher algorithms are not in the Digital Certificate?

Because there’re 2 findings FIN.S.0049. Insecure digital certificates and FIN.S.0052. Insecure cipher algorithms, when we talk about an SSL cipher like TLS it is not better to report a condensed FIN.S.0049? Or they’re different in this scenario?

They are different things. A digital certificate is a kind of identifier of a SSL service. It works like this:

  1. A SSL client (a browser for example) wants to talk with a SSL service to exchange sensitive information (credentials, credit card numbers).

  2. The client will start a negotiation with the SSL service in which the client will send the versions (SSLv3, TLSv1.0, TLSv1.3 etc), cipher suites (stream-based like CHACHA20 or block-based like AES or 3DES), keyexchanges (RSA) and extensions (Heartbeat, SNI, Encrypt-Then-Mac, etc) it supports in a ClientHello request.

  3. The SSL service receives the ClientHello and will negotiate if any of the offered configurations is supported. If any matching configuration is supported, the SSL service will send a ServerHello response with the accepted configuration along with the digital certificate.

  4. This certificate tells things like what is the name of the service, the company it belongs to and other information (certificate subject).

  5. The certificate also has a lifespan (2 years is the maximum secure lifespan).

  6. The client will need to be sure that the service is trustworthy.

  7. But how does the client know if the information in the certificate is real? The certificate must be signed by a recognized certificate authority (CA). A recognized CA will sign the certificate only after passing several identity checks. Once signed, this certificate will tell the clients of this SSL service to trust it because the CA made those identity checks.

  8. So, to this point, the client received the certificate of the SSL service and will decide whether to trust it or not or even skip it altogether.

  9. The client will then send a sample message (pre-master) to the SSL service using the public key of the certificate. If the the SSL service is really the owner of that certificate, it must have the private key to decrypt that message and will sent the response to the client.

  10. After a successful negotiation and verification of the certificate, the client will start sending the sensitive data to the SSL service.

So, after this explanaition, it is clear that there are vulnerabilities that applies to the digital certificate and other that applies to a SSL service. For example, supporting obsolete SSL versions (SSLv3, TLSv1.0, etc) is a fault of the SSL service, not the digital certificate. An expired certificate is fault of the certificate, not the SSL service.

I hope this clarifies the difference between both things.