I can’t ask this on StackOverflow, because they require questions to be about specific lines of code. I thought I might be able to ask here.
I’ve got SSL enabled on a site. I can access the REST endpoints on that site via Postman, just by copying the security certificate to Postman.
How does SSL insure security when it is so easy to hit the REST endpoints via Postman? Is it very difficult for hackers to obtain the security certificate?
The security is ensured by access to the private key, this key is used to sign the CSR and the corresponding public key is attached to the CSR. You then send this CSR to a signing authority (or you self sign, though most browsers will reject self signed certificates). Your SA will then send you back a certificate and usually a certificate chain, which is a list of certificates that tie your certificate to some “root signing authority” that browsers are configured to trust. The certificate (and the entire chain infact) are public - the private key (as the name suggests) is private, and should only be present on the server(s) that will host the site that corresponds to the common name in your certificate.
I see. Checking I see that Postman does require the public and private key files. Hackers wouldn’t have access to the private key. Thanks!