Certificates: Difference between revisions
Content added Content deleted
Line 18: | Line 18: | ||
*This contains information identifying the applicant and the applicant's public key that is used to verify the signature of the CSR - and the Distinguished Name (DN) that the certificate is for. |
*This contains information identifying the applicant and the applicant's public key that is used to verify the signature of the CSR - and the Distinguished Name (DN) that the certificate is for. |
||
*The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority. |
*The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority. |
||
*The |
*The Certification Authority issues a certificate binding a public key to a particular distinguished name. |
||
*An organization's trusted root certificates can be distributed to all employees so that they can use the company PKI system. |
*An organization's trusted root certificates can be distributed to all employees so that they can use the company PKI system. |
||
*Browsers such as Internet Explorer, Firefox, Opera, Safari and Chrome come with a predetermined set of root certificates pre-installed. |
*Browsers such as Internet Explorer, Firefox, Opera, Safari and Chrome come with a predetermined set of root certificates pre-installed. |
||
Line 41: | Line 41: | ||
*Certificate Signature Algorithm |
*Certificate Signature Algorithm |
||
*Certificate Signature |
*Certificate Signature |
||
*The serial number must be unique for each certificate issued by a specific CA. |
|||
= OpenSSL = |
= OpenSSL = |
Revision as of 21:56, 2 December 2019
X.509 Certificate
- In cryptography, X.509 is a standard defining the format of public key certificates.
- X.509 certificates are used in many protocols like TLS/SSL, which is the basis for HTTPS.
- They are also used in offline applications like Electronic Signatures.
- It contains a public key and an identity - hostname, organization or individual.
- It is either signed by a Certificate Authority or Self-Signed.
- When a certificate is signed by a trusted certificate authority or validated by other means, someone holding that certificate can rely on the public key it contains.
- X.509 also defines certificate revocation lists, which are a means to distribute information about certificates that have been deemed invalid by a signing authority, as well as a certification path validation algorithm, which allows for certificates to be signed by intermediate CA certificates, which are, in turn, signed by other certificates, eventually reaching a trust anchor.
- Working of Certificates
- In the X.509 system, an organization that wants a signed certificate requests one via a Certificate Signing Request (CSR).
- To do this, it first generates a key pair, keeping the private key secret and using it to sign the CSR.
- This contains information identifying the applicant and the applicant's public key that is used to verify the signature of the CSR - and the Distinguished Name (DN) that the certificate is for.
- The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority.
- The Certification Authority issues a certificate binding a public key to a particular distinguished name.
- An organization's trusted root certificates can be distributed to all employees so that they can use the company PKI system.
- Browsers such as Internet Explorer, Firefox, Opera, Safari and Chrome come with a predetermined set of root certificates pre-installed.
- SSL certificates from major certificate authorities will work instantly.
- Structure of an X.509 v3 Digital certificate
- Certificate
- Version Number
- Serial Number
- Signature Algorithm ID
- Issuer Name
- Validity period
- Not Before
- Not After
- Subject name
- Subject Public Key Info
- Public Key Algorithm
- Subject Public Key
- Issuer Unique Identifier (optional)
- Subject Unique Identifier (optional)
- Extensions (optional)
- Certificate Signature Algorithm
- Certificate Signature
- The serial number must be unique for each certificate issued by a specific CA.
OpenSSL
Source: sslshopper.com
Generate Certificates
- Generate a new private key and Certificate Signing Request
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
- Generate a self-signed certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
- Generate a certificate signing request (CSR) for an existing private key
openssl req -out CSR.csr -key privateKey.key -new
- Generate a certificate signing request based on an existing certificate
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
- Remove a passphrase from a private key
openssl rsa -in privateKey.pem -out newPrivateKey.pem
Verifying Certificates
- Check a Certificate Signing Request (CSR)
openssl req -text -noout -verify -in CSR.csr
- Check a private key
openssl rsa -in privateKey.key -check
- Check a certificate
openssl x509 -in certificate.crt -text -noout
- Check a PKCS#12 file (.pfx or .p12)
openssl pkcs12 -info -in keyStore.p12
Debugging
- Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key
openssl x509 -noout -modulus -in certificate.crt | openssl md5 openssl rsa -noout -modulus -in privateKey.key | openssl md5 openssl req -noout -modulus -in CSR.csr | openssl md5
- Check an SSL connection. All the certificates (including Intermediates) should be displayed
openssl s_client -connect www.paypal.com:443
Converting Format
- Convert a DER file (.crt .cer .der) to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
- Convert a PEM file to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
- Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
You can add -nocerts to only output the private key or add -nokeys to only output the certificates.
- Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Troubleshooting
- References
{{#widget:DISQUS
|id=networkm
|uniqid=Certificates
|url=https://aman.awiki.org/wiki/Certificates
}}