Understanding Digital Certificates

This article has been created to help those required to implement a more secure network using certificates but only have minimal experience working with certificates. It provides a basic understanding of certificate use so you can better implement certificates in your network. This article has been broken down into three categories—knowledge to provide a general understanding of the certificate flow, common tasks used in implementing certificates, troubleshooting, and answers. Reading through these categories will provide you with a basic understanding that will help you with your certificate implementation.

Knowledge

Common Tasks

Troubleshooting

Answers

What is a public key infrastructure?

"A public key infrastructure is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption."
Source: https://en.wikipedia.org/wiki/Public_key_infrastructure

What is a digital certificate?

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key.[1] The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer). If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web.

In a typical public-key infrastructure (PKI) scheme, the certificate issuer is a certificate authority (CA), usually a company that charges customers to issue certificates for them. By contrast, in a web of trust scheme, individuals sign each other's keys directly, in a format that performs a similar function to a public key certificate.

The most common format for public key certificates is defined by X.509.[2] Because X.509 is very general, the format is further constrained by profiles defined for certain use cases, such as Public Key Infrastructure (X.509) as defined in RFC 5280.

What does X.509 standard means?

"In cryptography, X.509 is a standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web. An X.509 certificate contains a public key and an identity (a host name, or an organization, or an individual), and is either signed by a certificate authority or self-signed. When a certificate is signed by a trusted certificate authority, or validated by other means, someone holding that certificate can rely on the public key it contains to establish secure communications with another party, or validate documents digitally signed by the corresponding private key.

Certificate encoding and file extension

DER is digital certificate encoded in binary and it is used by Windows Systems. Base64 is a DER version of the digital certificate converted to text (ASCII) and it is used by Linux systems. When it comes to reading certificate files, what matter is the content of the file, if it is encoded using DER or Base64 standard. However, you will find that, generally, the file extensions for DER files are .der, .crt, and .cer. For Base64, it is usually .pem.

rtalimage

Certificate Authority (CA)

It is the first member service responsible for signing certificates for intermediate CAs to form a chain of trust

Intermediate Certificate Authority

It is the second member service responsible for signing certificates for other intermediate CAs or end entity to form a chain of trust

What is a chain of trust?

"Digital certificates are verified using a chain of trust."

rtalimage

rtalimage

rtal

rtal

rtalimage

What is certificate revocation list (CRL) and certificate distribution point (CDP)?

X.509 also defines certificate revocation lists, which are a means to distribute information about certificates that have been deemed invalid by a signing authority, as well as a certification path validation algorithm, which allows for certificates to be signed by intermediate CA certificates, which are, in turn, signed by other certificates, eventually reaching a trust anchor. "

With CRLs, the list of revoked certificates is downloaded from a certificate distribution point (DP) that is often specified in the certificate. The server periodically goes to the CRL DP URL specified in the certificate, downloads the list, and checks it to determine whether the server certificate has been revoked.

What is the certificate lifecycle?

It is planning for certificates renewal according to rules.

rtalimage

-- Practice --

The instructions outlined in this session are focused on Linux systems since CAS Manager, Connector and License server are Linux based server applications.

How to request a certificate using openssl?

1 - Create a file with the following content and save is as server.example.com.cnf

[ req ] default_bits = 2048 default_md = sha256 prompt = no encrypt_key = no distinguished_name = dn req_extensions = req_ext [ dn ] C = ST = L = OU = O = CN = #FQDN, DNS Name, . [ req_ext ] subjectAltName = extendedKeyUsage = serverAuth basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment basicConstraints = critical,CA:FALSE

2 - Execute the following command to generate a certificate request file and the private key

openssl req -new -config server.example.com.cnf -keyout server.example.com.key -out server.example.com.csr

3 - Use the certificate request file (.csr) to request a certificate through internal request (your own company) or a third-party certificate provider

4 -Verify the certificate package

You should receive back a certificate package containing the following files: