OpenSSL is a full-featured tool capable not only of generating keys and certificates, but also of providing every facility a PKI must have, such as indirect CRLs and OCSP responders. These features, along with certificate best practices such as the Certification Practice Statement (CPS) and publishing the CRL Distribution Point, OCSP Responder and CA Issuers URLs, are the topics of the OpenSSL CA tutorial - A full-featured openssl PKI.
Modern applications rely on commonly used protocols and standards: knowing them thoroughly means being able, when necessary, to write the missing code that integrates applications so that everything plays nicely together.
Besides being able to write scripts or develop applications, this requires a good understanding of at least:
- the HTTP protocol – knowing the status codes is enough most of the time, but when troubleshooting a deeper understanding really helps
- REST API design principles – the vast majority of APIs are REST based. This of course requires being skilled at handling JSON-formatted documents
- SOAP API design principles – although much rarer, you may still have to deal with SOAP APIs. This of course requires being skilled at handling XML-formatted documents
- commonly used authentication and authorisation frameworks, such as SAML, OpenID, OAuth 2.0 and so on
Besides this, professionals should be familiar with tools such as curl for connecting to API endpoints and issuing commands.
Since TLS is nowadays broadly used to secure communications, professionals should also be skilled in TLS, X.509 certificates and PKI.
Take into account that professionals with these skills are quite rare (recruiters know this very well) but are among the most valuable, since they provide the glue between “pure” system administration/engineering and development.
JWT provides a convenient and standard way to securely transport claims from an issuer to its audience over HTTP. It can be used for authentication and authorization purposes, as well as for non-repudiable information exchange. Its ease of setup, along with the advantages of being transportable over a simple plain-text protocol such as HTTP and of being stateless (session data can simply be put inside the claims), has made it broadly adopted by developers whenever it is not worth implementing more cumbersome frameworks such as OpenID or OAuth. In this post we explore JWT and its related standards JWS and JWE.
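The issuer-to-audience claims transport described above, as an added example that is not part of the original post: a JWT signed with HS256 (a JWS compact serialisation) minted by the issuer and checked by its audience using only the Python standard library. The key, issuer and audience names are constructed sample values, not from the post.

```python
# Added example, not from the original post: a minimal JWS compact
# serialisation (a JWT signed with HMAC-SHA256, "HS256") issued by an issuer
# and verified by its audience, standard library only. Key, issuer and
# audience values used here are constructed samples.
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    # JWT uses base64url without padding (RFC 7515, Appendix C).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, key: bytes) -> str:
    """Build header.payload.signature over the claims (iss, aud, exp and
    any stateless session data the issuer wants to carry)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(claims, separators=(",", ":")).encode()]
    signing_input = ".".join(_b64url(p) for p in parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Check the signature first, then the claims the audience relies on.
    Raises ValueError on any failure; returns the claims on success."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: the verifier decides it, never the token's header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("missing or expired exp")
    return claims
```

The verifier fixes the algorithm itself and checks `iss`, `aud` and `exp` after the signature, so a token whose header names a different algorithm, or that was minted for another audience, is rejected rather than trusted.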