The whole shebang on Cryptography, SSL Certificates, IPSec, SSH - Part 2

The whole shebang on SSL Certificates

Part 1 > Part 2 > Part 3 > Part 4

How SSL Certificates / IPSec / SSH differentiates ...

SSL certificates

What is a SSL certificate?

• Certificate is simply a way of validating that site really is what is says.
• Certificates are used when you have decided you use Asymmetric encryption for your data exchange process
• Certificates are used to hold public keys, not private keys. (You will not be able to store/find a private key inside a certificate)

A legitimate company (Pizza Hut) would,

1. submit its company information to a registered certification authority.
2. obtain a SSL certificate from a CA.
3. Install the SSL Certificate on their web site.

When a client accesses their website (Pizza Hut Web Site) via a Web-Browser,

1. Browser will perform SSL handshake between customers browser and web server.
2. In the SSL handshake, the client browser requests the web server to prove its authenticity.
3. In response, the server sends certificate chain(root, primary and intermediate certificate) to the client browser.
4. Then browser checks this certificate chain against the local stored certificates as every browser has legitimate root certificate of authorities for verifying SSL handshake.
   E.g : Mozilla Included CA Certificate List    Apple Included CA Certificate List

Trusted Certificate Authority (CA)?

• Certificate Authorities / CAs, issue Digital Certificates. 
• Operating systems (OSes) and browsers maintain lists of trusted CA root certificates to verify certificates that a CA has issued and signed.

E.g : Mozilla Included CA Certificate List    Apple Included CA Certificate List

Certificate chain?

A certificate chain is an ordered list of certificates containing,

• User Certificate /End entity Certificate /Leaf Certificate
• Intermediary Certificate/s 
• Root Certificate

The chain or path begins with the User certificate, and each certificate in the chain is signed by the entity identified by the next certificate in the chain.

Use SSL Checker to identify the certificate chain installed on a site.
SSL Checker on https://www.pizzahut.com/

Types of Certificates?

-User Certificate /End entity Certificate /Leaf Certificate

• Is a digitally-signed statement issued by a Certificate Authority to a person or system.
• It cannot be used to sign other certificates.
• Its the certificate which will be installed on a site. (E.g: https://pizzahut.com)

-Intermediate Certificate/s

• Any certificate that sits between the User Certificate and the Root Certificate is called a chain or Intermediate Certificate. 
• A certificate used to sign other certificates, which is not self-signed. 
• An intermediate certificate must be signed by another intermediate certificate, or a root certificate.

-Root Certificate

• The Root CA Certificate is always signed by the CA itself.
• A self-signed certificate used to sign other certificates.
• The root certificate carries critical importance; The signatures of all certificates in the chain must be verified up to the Root CA Certificate.

Self Signed Certificate ?

• A certificate which is not signed by a CA.
• A certificate with a subject that matches its issuer, and a signature that can be verified by its own public key. 

Certificate standards
Certificate Standard defines the format of public key certificates.

X509 standard (format for public key certificates)

• Certificate
  • Version Number
  • Serial Number
  • Signature Algorithm ID
  • Issuer Name
  • Validity period
    • Not Before
    • Not After
  • Subject name
  • Subject Public Key Info
    • Public Key Algorithm
    • Subject Public Key
  • Issuer Unique Identifier (optional)
  • Subject Unique Identifier (optional)
  • Extensions (optional)
    • ...
• Certificate Signature Algorithm
• Certificate Signature

CSR (Certificate Signing Request) ?

• CSR contains information such as your domain name, your organization’s name, your location, and is filled out and submitted to a Certificate Authority(CA) such as SSL.com.

• The information in a CSR is used to verify and create your SSL certificate. 
• Most importantly, it also contains the public key that will be included in your certificate.

A CSR (Certificate Signing Request) which needs to be submitted to a Certificate Authority(CA) looks like (Most CSRs are created in the Base-64 encoded PEM format),

How do I generate a CSR and private key?

If you are familiar with OpenSSL,

you can use the following command to generate a CSR and private key

openssl req -new -newkey rsa:2048 -nodes -out servername.csr -keyout servername.key

Or else,

you can use one of the guidelines provided in the links and use the GUI tool,

Comodo CSR Generation Instructions
DigiCert CSR Generation Instructions
GeoTrust CSR Generation Instructions
Thawte CSR Generation Instructions
VeriSign CSR Generation Instructions

Note : The private key must not be shared with any party (Not even with the CA) except your intended parties. CA only requires the CSR to provide you with a SSL certificate.

Certificate Containers / Key Stores

Certificate container standards

PKCS#12(.p12 extension) : a standard for a container which can hold an X509certificates and the corresponding private keys.

E.g : If you're examining a PKCS#12 file (typically .p12 extension), then you already know:

• It contains at least one X509 client certificate, which contains a public key; and
• It contains the corresponding private keys.

What are types of key stores?

Useful facts when working with Certificates

Useful commands in private key/certificate conversion

For Advanced Learners

CA/Browser Forum

If you want to learn about Cryptography > Part 1 - The whole shebang on Cryptography

If you want to learn about IPSec > Part 3 - The whole shebang on IPSec

If you want to learn about SSH > Part 4 - The whole shebang on SSH