Certificates
- Certificate is a "box" with various elements, including the public keys of the owner (a server)
- Contents
Owner infoIssuer info(CA or ICA)Public key: Owner public key (lock)Signature: a hash encrypted with the issuer's private key- Self-signed certificates: certificate signed by the owner's private key and not the issuer
Public Key Infrastructure (PKI)
- A set of different protocols, algorithms, entities, certificates, etc
- Allow
communication based on certificates -
Every entity has its own public key (in every certificate)
-
Certification authority(CA): Sign certificate and delegate to other authorities (intermediate CAs) -
Intermediate CA(ICA): Sign certificates -
File extensions
- Certificates (public keys): *.crt, *.pem
- Private keys: *.key, *-key.pem
Chain of trust
- Based on certificates we can build
chains of trust - Verify the chain of trust https://www.geocerts.com/ssl-checker
Certificate Authority
Certificate Authority: well known organizations that can verificate and sign your certificate- Symantec
- Digicert
- GlobalSign
- Comodo
-
etc ...
-
The Signature is the data that has been hashed and then encrypted
-
Root CA
- Root CA are signed by themselves! No entity comes before them. The owner info and issuer info are the same
- How web browsers trust root CA? Because the certificates of the CAs (containing their public keys) are installed in the operating system!
- Root CAs are stored in
/etc/ssl/certs/ca-certificates.crt(only root CAs, not intermediate CAs)
awk -v cmd='openssl x509 -noout -subject' '
/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
Certificate Sign Request
- The entity below sends a
Certificate Sign Request(CSR) to the entity above - The entity above take the request and signs the certificate
- The certificate is signed only where the private key is located
Domain scopes
Single domain:Wildcard domains: *.google.comMulti domain: .facebook.com + .fb.com + *.messenger.com