A list of acceptable compression methodsA randomly-generated number2.The server responds to the client:

The chosen TLS/SSL version (this is the highest version in common with both the server and client)

The selected cipher suite (the most secure version the server and client have in common)

The selected compression method (the most secure version the server and client have in common)

A randomly-generated number of its own

3.The server then sends its certificate. The server and client will use the public key in the certificate to decrypt messages once the handshake ends and the secure session is established.

4.The client verifies the identity of the server using the information in the server certificate:

The validity period (the expiration date of the server certificate)

Whether the client possesses a copy of the CA certificate for the authority which issued the server's certificate (whether the certificate was issued by a trusted CA)

Verifying the digital signature of the issuing CA for the server certificate

Whether the domain name for the server in the certificate subject name matches the actual domain name of the server

5.Depending on the cipher suite being used, the client sends the server key material to use to generate session keys to encrypt data. This key material can be public key or a master key secret, which is used to derive the encryption keys.

6.Using the key material sent by the client, the randomly-generated numbers from the client and server, and the selected cipher, the server and client independently derive the same encryption keys.

7.The client sends a notification to the server that all subsequent messages from it will be encrypted. It also sends a hash and a message authentication key, which are wrapped in the client's encryption key.

8.The server successfully decrypts the client's message using its derived encryption keys.

9.The server then sends a hash and a MAC key to the client, wrapped in the server's encryption key.

10.The client successfully decrypts the server's message using its derived encryption keys.

11.The TLS handshake closes, and the secure channel opens between the server and the client.

The Directory Console can be configured to be encrypted by SSL/TLS by configuring the Directory Server to enable SSL in the Console.

6.2 Installing certificates

Before the Directory Server can be set to run in TLS/SSL, server and CA certificates must be properly installed in the servers.

Obtaining and installing certificates consists of the following steps:1.Generate a certificate request.2.Send the certificate request to a certificate authority.3.Install the server certificate.4.Set the Directory Server to trust the certificate authority.

The Directory Server Console has two wizards to make it easier to request and install certificates.

62 Using SSL/TLS with the Console