Certificates

= Public-key cryptography =


 * Asymmetric cryptography is a cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner.
 * The generation of such keys depends on cryptographic algorithms based on mathematical problems to produce one-way functions.
 * Effective security only requires keeping the private key private; the public key can be openly distributed without compromising security.


 * In such a system, any person can encrypt a message using the receiver's public key, but that encrypted message can only be decrypted with the receiver's private key.


 * Digital Signature
 * A sender can combine a message with a private key to create a short digital signature on the message.
 * Anyone with the sender's corresponding public key can combine the same message and the supposed digital signature associated with it to verify whether the signature was valid, i.e. made by the owner of the corresponding private key.


 * Prime Numbers & Encryption

11 x 17 = 187
 * Product of 2 large random Prime Numbers is the backbone of Encryption.


 * Cracking the encryption means figuring out the 2 factors.
 * Using Brute Force it takes decades with today's computers.
 * If 2 numbers are known (a private key), it takes a split second.
 * The numbers in largest known prime number: 17,425,170.
 * The Public key is made up in part by calculating the number of integers that share no common factors that are less than the product of 2 Prime Numbers.

= X.509 Certificate =


 * In cryptography, X.509 is a standard defining the format of public key certificates.
 * X.509 certificates are used in many protocols like TLS/SSL, which is the basis for HTTPS.
 * They are also used in offline applications like Electronic Signatures.
 * It contains a public key and an identity - hostname, organization or individual.
 * It is either signed by a Certificate Authority or Self-Signed.
 * When a certificate is signed by a trusted certificate authority or validated by other means, someone holding that certificate can rely on the public key it contains.
 * X.509 also defines certificate revocation lists, which are a means to distribute information about certificates that have been deemed invalid by a signing authority, as well as a certification path validation algorithm, which allows for certificates to be signed by intermediate CA certificates, which are, in turn, signed by other certificates, eventually reaching a trust anchor.


 * Working of Certificates
 * In the X.509 system, an organization that wants a signed certificate requests one via a Certificate Signing Request (CSR).
 * To do this, it first generates a key pair, keeping the private key secret and using it to sign the CSR.
 * This contains information identifying the applicant and the applicant's public key that is used to verify the signature of the CSR - and the Distinguished Name (DN) that the certificate is for.
 * The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority.
 * The Certification Authority issues a certificate binding a public key to a particular distinguished name.
 * An organization's trusted root certificates can be distributed to all employees so that they can use the company PKI system.
 * Browsers such as Internet Explorer, Firefox, Opera, Safari and Chrome come with a predetermined set of root certificates pre-installed.
 * SSL certificates from major certificate authorities will work instantly.


 * Structure of an X.509 v3 Digital certificate:
 * Certificate
 * Version Number
 * Serial Number
 * Signature Algorithm ID
 * Issuer Name
 * Validity period
 * Not Before
 * Not After
 * Subject name
 * Subject Public Key Info
 * Public Key Algorithm
 * Subject Public Key
 * Issuer Unique Identifier (optional)
 * Subject Unique Identifier (optional)
 * Extensions (optional)
 * Certificate Signature Algorithm
 * Certificate Signature


 * The serial number must be unique for each certificate issued by a specific CA.

= OpenSSL = Source: sslshopper.com

Generate Certificates
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
 * Generate a new private key and Certificate Signing Request

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
 * Generate a self-signed certificate

openssl req -out CSR.csr -key privateKey.key -new
 * Generate a certificate signing request (CSR) for an existing private key

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
 * Generate a certificate signing request based on an existing certificate

openssl rsa -in privateKey.pem -out newPrivateKey.pem
 * Remove a passphrase from a private key

Verifying Certificates
openssl req -text -noout -verify -in CSR.csr
 * Check a Certificate Signing Request (CSR)

openssl rsa -in privateKey.key -check
 * Check a private key

openssl x509 -in certificate.crt -text -noout
 * Check a certificate

openssl pkcs12 -info -in keyStore.p12
 * Check a PKCS#12 file (.pfx or .p12)

Debugging
openssl x509 -noout -modulus -in certificate.crt | openssl md5 openssl rsa -noout -modulus -in privateKey.key | openssl md5 openssl req -noout -modulus -in CSR.csr | openssl md5
 * Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key

openssl s_client -connect www.paypal.com:443
 * Check an SSL connection. All the certificates (including Intermediates) should be displayed

Converting Format
openssl x509 -inform der -in certificate.cer -out certificate.pem
 * Convert a DER file (.crt .cer .der) to PEM

openssl x509 -outform der -in certificate.pem -out certificate.der
 * Convert a PEM file to DER

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
 * Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
 * Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

= Troubleshooting =


 * Cert tools: https://www.sslshopper.com/ssl-certificate-tools.html


 * References