331.1 X.509 Certificates and Public Key Infrastructures
Topic 331: Cryptography
Weight: 5
Description: Candidates should understand X.509 certificates and public key infrastructures. They should know how to configure and use OpenSSL to implement certification authorities and issue SSL certificates for various purposes.
Key Knowledge Areas:
Understand X.509 certificates, X.509 certificate lifecycle, X.509 certificate fields and X.509v3 certificate extensions
Understand trust chains and public key infrastructures, including certificate transparency
Generate and manage public and private keys
Create, operate and secure a certification authority
Request, sign and manage server and client certificates
Revoke certificates and certification authorities
Basic feature knowledge of Let's Encrypt, ACME and certbot
Basic feature knowledge of CFSSL
Partial list of the used files, terms and utilities:
openssl (including relevant subcommands)
OpenSSL configuration
PEM, DER, PKCS
CSR
CRL
OCSP
Cryptography concepts
What is Cryptography?
Cryptography is a method of protecting information and communications through the use of codes, so that only those for whom the information is intended can read and process it.
In computer science, cryptography refers to secure information and communication techniques derived from mathematical concepts and a set of rule-based calculations called algorithms, to transform messages in ways that are hard to decipher. These deterministic algorithms are used for cryptographic key generation, digital signing, verification to protect data privacy, web browsing on the internet and confidential communications such as credit card transactions and email.
Uses of Cryptography:
Encryption: Encryption is the method by which information is converted into secret code that hides the information's true meaning. The science of encrypting and decrypting information is called cryptography.
Integrity: The information cannot be altered in storage or transit between sender and intended receiver without the alteration being detected.
Authentication: The sender and receiver can confirm each other's identity and the origin/destination of the information.
There are two primary elements in cryptography:
Key: Key is used to encrypt data and must be kept secret
Algorithm: The Method used to encode and decode messages are called encryption algorithms, or ciphers. It may or may not be public. Examples: AES, blowfish, 3DES(old)
Symmetric encryption vs Asymmetric encryption
There are two types of encryption in modern Cryptography.
Symmetric: Secret key encryption, also known as symmetric encryption, uses a single key to encrypt and decrypt data. This type of encryption is symmetric because the same key is used to encrypt plaintext into ciphertext and decrypt that ciphertext back into plaintext, so both parties must know the key. It is generally faster than Asymmetric encryption. examples: AES,blowfish.
Asymmetric: Public key cryptography, also referred to as asymmetric cryptography, uses public key pairs. One of the paired keys is public, and the other is private. Each of these keys can transform plaintext into encrypted ciphertext -- but ciphertext encrypted with one of the keys can only be decrypted with the other key.
When the public key is used to encrypt ciphertext, that text can only be decrypted using the private key. This enables anyone with access to the public key to encrypt a plaintext message, which only the private key holder will be able to decrypt. This is how private messages can be sent without exchanging a shared secret key.
Text encrypted with the private key can only be decrypted using the public key. This is how a digital signature is created. A ciphertext encrypted with a private key is decrypted using the public key to authenticate the signature.
Public keys are published in publicly accessible repositories, where anyone who needs to communicate with public key pair holders can access them. The key pair owner is the only one who can hold the private key. It must remain secret, or else the key pair can't be trusted to authenticate the owner.
Data integrity through hashes
Hash functions provide another type of encryption. Hashing is the transformation of a string of characters into a fixed-length value or key that represents the original string.
PKI and trust chains
Before jumping into details of how public key infrastructure works, let’s first cover what PKI is to ensure we’re all on the same page.
What is PKI?
In a nutshell, public key infrastructure (PKI) is a system (based on encryption key pairs and digital certificates) that’s used for securing communications between different computer systems. Public Key Infrastructure is made up of hierarchy of Certificate Authorities and a Certificate Signing Request process.
What is Certificate Authotiry?
A certificate authority (CA), also sometimes referred to as a certification authority, is a company or organization that acts to validate the identities of entities (such as websites, email addresses, companies, or individual persons) and bind them to cryptographic keys through the issuance of electronic documents known as digital certificates.
Certificate Authorities Are Like Passport Authorities for the Internet
If you’ve ever gotten a passport to travel internationally, you probably remember the verification process that you went through to prove that you are who you claimed to be. (It probably included some legal papers, photo ID, and maybe fingerprints.)
Once you got your passport, you could use it to prove to anyone that you’re really you. (Even if they’d never met you before.)
Certificate authorities are like that — but for websites and online activities. Just like the passport office, a certificate authority charges a small fee to complete the verification process and issue the certificate. In this case, after they verify a website (or organization), they issue what’s known as a digital certificate. This digital file enables organizations, websites, or other entities to prove who they are — that they’re the real deal.
What is Certificate Signing Request?
Certificate Signing Request(CSR) are essentially public keys that are generated and may be submitted to a CA to be signed.
When CA signs a CSR, it produces a certificate that is trusted by the signing CA.
How Certificate Authority works?
a CA is a trusted third party that validate the authenticity of a public key.
chain of trust
The SSL/TLS internet security standard is based on a trust relationship model, also called “certificate chain of trust.”
there is a root CA that has signs verified CA certificate
by trusting CA certificate, you trust all certificates signed by that CA.
lets take a closer look:
A CA public key has typically been signed by another CA that is trusted.
OCSP , CRL
the CA can invalidate the certificate if need be by using either OCSP(Online Certificate Status Protocol) or by using a CRL(Certificate Revocation List)
Creating and working with Certificates
X.509 Certificate File Format
The openssl command creates PEM formatted files by default. Furthermore, there are different X.509 certificate formats like DER, PEM, PKCS#7 and PKCS#12. CAs will provide the certificates with one of these formats. Here, PKCS#7 and PEM formats use Base64 ASCII encoding & DER and PKCS#12 use binary encoding. Likewise, all the certificates have different extensions based on their used encoding and format.
PEM Format
Usually, CAs (Certificate Authorities), provide certificates in PEM format which are encoded files in Base64 ASCII. The file type of this certificate can be .crt, .pem, .cer or .key. And this .pem file can include the server certificate, the intermediate certificate and the private key file within a single file. It’s also possible that the server and the intermediate certificate can be provided in a separate file, .crt or .cer and the private key in a .key file.
PEM files can be opened through text editors like notepad and MS word, as it uses an ASCII encoding. Also, the PEM file contains the certificate between the statements —- BEGIN CERTIFICATE—- and —-END CERTIFICATE—-. The private key is between the —- BEGIN RSA PRIVATE KEY—– and —–END RSA PRIVATE KEY—– statements and the CSR is between the statements —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—–.
PKCS#7 Format
The PKCS#7 format is a Cryptographic Message Syntax Standard which uses a Base64 ASCII encoding file with .p7b or .p7c extension. Also, only this certificate can be stored and not its private keys. This certificate is contained within the statement —–BEGIN PKCS7—– and —–END PKCS7—–.
DER Format
DER Certificates are mainly used for Java-based web servers and they are in binary form with an extension of .der or .cer files.
PKCS#12 Format
The PKCS#12 certificates are mostly used in the Windows platform and they offer two different extensions of files, .pfx and .p12. It uses a binary form and helps to store the server certificate, the intermediate certificate and the private key within a single .pfx file with password protection.
Various openssl sub-commands can do conversion as noted below:
Operating a Certificate Authority
The CA has three primary responsibilities:
• Sign valid CSRs
• Maintain security of their private key
• Revoke compromised or misused certificates
Operating CA
first let take a look at openssl configurations, if we run openssl ca command with no options, it will shows what configurations files using:
it shows that is unable to find a private key. so use following commands to create a private-key:
now we can continue using following commands:
note: -set_serial allows a serial number to be set for a self-signed certificate.
it is good to know that there is an alternative tool for openssl on redhat which is called genkey It is Simpler than openssl and uses TUI .See genkey --help for a list of subcommands
that's all.
.
.
.
resources:
.
.
Last updated
