Certificates

= X.509 Certificate =


 * In cryptography, X.509 is a standard defining the format of public key certificates.
 * X.509 certificates are used in many protocols like TLS/SSL, which is the basis for HTTPS.
 * They are also used in offline applications like Electronic Signatures.
 * A certificate contains a public key and an identity (a hostname, an organization or an individual).
 * It is either signed by a Certificate Authority (CA) or self-signed.
 * When a certificate is signed by a trusted certificate authority or validated by other means, someone holding that certificate can rely on the public key it contains.
 * X.509 also defines certificate revocation lists, which are a means to distribute information about certificates that have been deemed invalid by a signing authority, as well as a certification path validation algorithm, which allows for certificates to be signed by intermediate CA certificates, which are, in turn, signed by other certificates, eventually reaching a trust anchor.


Working of Certificates
 * In the X.509 system, an organization that wants a signed certificate requests one via a Certificate Signing Request (CSR).
 * To do this, it first generates a key pair, keeping the private key secret and using it to sign the CSR.
 * The CSR contains information identifying the applicant, the applicant's public key (used to verify the signature on the CSR) and the Distinguished Name (DN) that the certificate is for.
 * The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority.
 * The certification authority issues a certificate binding a public key to a particular distinguished name.
 * An organization's trusted root certificates can be distributed to all employees so that they can use the company PKI system.
 * Browsers such as Internet Explorer, Firefox, Opera, Safari and Chrome come with a predetermined set of root certificates pre-installed.
 * Certificates issued by the major certificate authorities are therefore trusted by these browsers without any further configuration.


Structure of an X.509 v3 digital certificate:
 * Certificate
  * Version Number
  * Serial Number
  * Signature Algorithm ID
  * Issuer Name
  * Validity period
   * Not Before
   * Not After
  * Subject name
  * Subject Public Key Info
   * Public Key Algorithm
   * Subject Public Key
  * Issuer Unique Identifier (optional)
  * Subject Unique Identifier (optional)
  * Extensions (optional)
 * Certificate Signature Algorithm
 * Certificate Signature

= OpenSSL =

Source: sslshopper.com

Generate Certificates
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
 * Generate a new private key and Certificate Signing Request

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
 * Generate a self-signed certificate

openssl req -out CSR.csr -key privateKey.key -new
 * Generate a certificate signing request (CSR) for an existing private key

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
 * Generate a certificate signing request based on an existing certificate

openssl rsa -in privateKey.pem -out newPrivateKey.pem
 * Remove a passphrase from a private key

Verifying Certificates
openssl req -text -noout -verify -in CSR.csr
 * Check a Certificate Signing Request (CSR)

openssl rsa -in privateKey.key -check
 * Check a private key

openssl x509 -in certificate.crt -text -noout
 * Check a certificate

openssl pkcs12 -info -in keyStore.p12
 * Check a PKCS#12 file (.pfx or .p12)

Debugging
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
 * Compare the MD5 hash of the modulus in the certificate, the private key and the CSR to check that all three belong to the same key pair
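Putting the issuance steps from "Working of Certificates" and the modulus check above together, here is an added example (not from the sslshopper source or the original page) that runs the whole flow against a throwaway lab CA in a temporary directory and then validates the issued certificate against that CA. It assumes a POSIX shell with the openssl CLI on the PATH; every file name and DN in it is constructed for the example.

```shell
# Added example (not from the original page): the CSR/issuance flow from
# "Working of Certificates" against a throwaway lab CA, then the modulus
# check from the Debugging section. File names and DNs are constructed.
set -eu
WORK="$(mktemp -d)"
# Minimal config so the run does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
# 1. Trust anchor: a self-signed CA certificate (lab use only).
openssl req -x509 -sha256 -nodes -days 30 -newkey rsa:2048 \
  -config "$WORK/req.cnf" -subj "/CN=Example Lab Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. Applicant: new key pair; the private key signs the CSR carrying the DN.
openssl req -new -nodes -newkey rsa:2048 -config "$WORK/req.cnf" \
  -subj "/CN=www.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# 3. CA checks the CSR self-signature before issuing anything.
openssl req -noout -verify -in "$WORK/server.csr" >/dev/null 2>&1

# 4. CA issues a certificate binding the CSR's public key to its DN.
openssl x509 -req -sha256 -days 30 -in "$WORK/server.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/server.crt" 2>/dev/null

# MD5 of the RSA modulus in a key, CSR or certificate (Debugging section).
modulus_md5() {
  case "$1" in
    *.key) openssl rsa  -noout -modulus -in "$1" ;;
    *.csr) openssl req  -noout -modulus -in "$1" ;;
    *.crt) openssl x509 -noout -modulus -in "$1" ;;
  esac | openssl md5 | awk '{print $NF}'
}

# Succeeds only when key, CSR and issued certificate share one modulus.
modulus_match() {
  k=$(modulus_md5 "$WORK/server.key"); c=$(modulus_md5 "$WORK/server.csr")
  [ "$k" = "$c" ] && [ "$c" = "$(modulus_md5 "$WORK/server.crt")" ]
}

# Succeeds only when certificate "$2" chains to trust anchor "$1".
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
```

Run it with `sh`; `modulus_match` and `chain_ok "$WORK/ca.crt" "$WORK/server.crt"` both succeed, while verifying the CA certificate against the leaf fails because a leaf is not a trust anchor.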

openssl s_client -connect www.paypal.com:443
 * Check an SSL/TLS connection. All the certificates served (including intermediates) should be displayed

Converting Format
openssl x509 -inform der -in certificate.cer -out certificate.pem
 * Convert a DER file (.crt .cer .der) to PEM

openssl x509 -outform der -in certificate.pem -out certificate.der
 * Convert a PEM file to DER

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
 * Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
 * Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

= Troubleshooting =


 * Cert tools: https://www.sslshopper.com/ssl-certificate-tools.html


 * References