331.1 X.509 Certificates and Public Key Infrastructures
Weight: 5
Description: Candidates should understand X.509 certificates and public key infrastructures. They should know how to configure and use OpenSSL to implement certification authorities and issue SSL certificates for various purposes.
Key Knowledge Areas:
- Understand X.509 certificates, X.509 certificate lifecycle, X.509 certificate fields and X.509v3 certificate extensions
- Understand trust chains and public key infrastructures, including certificate transparency
- Generate and manage public and private keys
- Create, operate and secure a certification authority
- Request, sign and manage server and client certificates
- Revoke certificates and certification authorities
- Basic feature knowledge of Let's Encrypt, ACME and certbot
- Basic feature knowledge of CFSSL
Partial list of the used files, terms and utilities:
- openssl (including relevant subcommands)
- OpenSSL configuration
- PEM, DER, PKCS
- CSR
- CRL
- OCSP
Cryptography is a method of protecting information and communications through the use of codes, so that only those for whom the information is intended can read and process it.
In computer science, cryptography refers to secure information and communication techniques derived from mathematical concepts and a set of rule-based calculations called algorithms, to transform messages in ways that are hard to decipher. These deterministic algorithms are used for cryptographic key generation, digital signing, verification to protect data privacy, web browsing on the internet and confidential communications such as credit card transactions and email.
- Encryption: Encryption is the method by which information is converted into secret code that hides the information's true meaning. The science of encrypting and decrypting information is called cryptography.
- Integrity: The information cannot be altered in storage or transit between sender and intended receiver without the alteration being detected.
- Authentication: The sender and receiver can confirm each other's identity and the origin/destination of the information.
There are two primary elements in cryptography:
- Key: The key is used to encrypt data and must be kept secret.
- Algorithm: The methods used to encode and decode messages are called encryption algorithms, or ciphers. An algorithm may or may not be public. Examples: AES, Blowfish, 3DES (old).

Ciphers
In computing, unencrypted data is also known as plaintext, and encrypted data is called ciphertext. The formulas used to encode and decode messages are called encryption algorithms, or ciphers.
The ciphertext may be deciphered (or unencrypted) with a key.
There are two types of encryption in modern cryptography.
Symmetric: Secret key encryption, also known as symmetric encryption, uses a single key to encrypt and decrypt data. This type of encryption is symmetric because the same key is used to encrypt plaintext into ciphertext and decrypt that ciphertext back into plaintext, so both parties must know the key. It is generally faster than asymmetric encryption. Examples: AES, Blowfish.

Asymmetric: Public key cryptography, also referred to as asymmetric cryptography, uses public key pairs. One of the paired keys is public, and the other is private. Each of these keys can transform plaintext into encrypted ciphertext -- but ciphertext encrypted with one of the keys can only be decrypted with the other key.
When the public key is used to encrypt plaintext, the resulting ciphertext can only be decrypted using the private key. This enables anyone with access to the public key to encrypt a plaintext message, which only the private key holder will be able to decrypt. This is how private messages can be sent without exchanging a shared secret key.
Text encrypted with the private key can only be decrypted using the public key. This is how a digital signature is created. A ciphertext encrypted with a private key is decrypted using the public key to authenticate the signature.
Public keys are published in publicly accessible repositories, where anyone who needs to communicate with public key pair holders can access them. The key pair owner is the only one who can hold the private key. It must remain secret, or else the key pair can't be trusted to authenticate the owner.

Hash functions provide another type of encryption. Hashing is the transformation of a string of characters into a fixed-length value or key that represents the original string.
- Each string provides a unique hash
- Hashing is generally one-way
- A salt may be used to improve security (a salt is an additional text value, typically a random text, added to the ciphertext to improve security)
- Common hashing algorithms include CRC2 (insecure), MD5, SHA-1 (most common)
Hashing utilities
- md5sum: Creates a hash based on input
- openssl dgst
Before jumping into details of how public key infrastructure works, let’s first cover what PKI is to ensure we’re all on the same page.
In a nutshell, public key infrastructure (PKI) is a system (based on encryption key pairs and digital certificates) that’s used for securing communications between different computer systems. Public Key Infrastructure is made up of a hierarchy of Certificate Authorities and a Certificate Signing Request process.
A certificate authority (CA), also sometimes referred to as a certification authority, is a company or organization that acts to validate the identities of entities (such as websites, email addresses, companies, or individual persons) and bind them to cryptographic keys through the issuance of electronic documents known as digital certificates.
If you’ve ever gotten a passport to travel internationally, you probably remember the verification process that you went through to prove that you are who you claimed to be. (It probably included some legal papers, photo ID, and maybe fingerprints.)
Once you got your passport, you could use it to prove to anyone that you’re really you. (Even if they’d never met you before.)
Certificate authorities are like that — but for websites and online activities. Just like the passport office, a certificate authority charges a small fee to complete the verification process and issue the certificate. In this case, after they verify a website (or organization), they issue what’s known as a digital certificate. This digital file enables organizations, websites, or other entities to prove who they are — that they’re the real deal.
A Certificate Signing Request (CSR) is essentially a public key that is generated and may be submitted to a CA to be signed.
When a CA signs a CSR, it produces a certificate that is trusted by the signing CA.
A CA is a trusted third party that validates the authenticity of a public key.

The SSL/TLS internet security standard is based on a trust relationship model, also called “certificate chain of trust.”
There is a root CA that signs verified CA certificates.

By trusting a CA certificate, you trust all certificates signed by that CA.
Let's take a closer look:
A CA public key has typically been signed by another CA that is trusted.
The CA can invalidate the certificate if need be by using either OCSP (Online Certificate Status Protocol) or a CRL (Certificate Revocation List).
#Creating a private key
openssl genrsa -<algorithm> -out <key_filename> <key_size>
openssl genrsa -aes128 -out mykey.pem 2048
# Generating a self-signed certificate (public key)
openssl req -utf8 -new -key <key_filename> -x509 -days <cert_lifespan> -out <cert_filename>
#Display Certificate
openssl x509 -in mycert.crt -text -noout
#Creating a CSR
openssl req -new -key <priv_key.pem> -out <output.csr>
The openssl command creates PEM formatted files by default. Furthermore, there are different X.509 certificate formats like DER, PEM, PKCS#7 and PKCS#12. CAs will provide the certificates with one of these formats. Here, PKCS#7 and PEM formats use Base64 ASCII encoding & DER and PKCS#12 use binary encoding. Likewise, all the certificates have different extensions based on their used encoding and format.
Usually, CAs (Certificate Authorities), provide certificates in PEM format which are encoded files in Base64 ASCII. The file type of this certificate can be .crt, .pem, .cer or .key. And this .pem file can include the server certificate, the intermediate certificate and the private key file within a single file. It’s also possible that the server and the intermediate certificate can be provided in a separate file, .crt or .cer and the private key in a .key file.
PEM files can be opened in text editors such as Notepad and MS Word, because they use ASCII encoding. In a PEM file the certificate sits between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- statements. The private key is between the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- statements, and the CSR is between the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- statements.
The PKCS#7 format is a Cryptographic Message Syntax Standard which uses a Base64 ASCII encoded file with a .p7b or .p7c extension. Only certificates can be stored in it, not private keys. The certificate is contained between the -----BEGIN PKCS7----- and -----END PKCS7----- statements.
DER Certificates are mainly used for Java-based web servers and they are in binary form with an extension of .der or .cer files.
The PKCS#12 certificates are mostly used in the Windows platform and they offer two different extensions of files, .pfx and .p12. It uses a binary form and helps to store the server certificate, the intermediate certificate and the private key within a single .pfx file with password protection.
Various openssl sub-commands can do conversion as noted below:
#DER to PEM:
openssl x509 -inform der -in certificate.cer -out certificate.pem
#PEM to DER:
openssl x509 -outform der -in certificate.pem -out certificate.der
#p7b/pkcs#7 to PEM:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
#PEM to p7b/pkcs#7:
openssl crl2pkcs7 -nocrl -certfile certificate.pem -out certificate.p7b
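The following added example (not part of the original notes) takes one certificate through the PEM, DER, PKCS#7 and PKCS#12 formats described above and confirms by SHA-256 fingerprint that every conversion still carries the same certificate. The file names, the subject and the password "demo" are assumptions made for the demonstration.

```sh
# Added example: one certificate moved through PEM, DER, PKCS#7 and PKCS#12.
# File names, subject and the "demo" password are constructed for illustration.
fp() {      # SHA-256 fingerprint of a certificate; $1 = file, $2 = pem|der
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256
}
roundtrip() (                      # $1 = scratch directory; body runs in a subshell
    cd "$1" || exit 1
    # Minimal config so that req does not depend on the system openssl.cnf
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
    openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=format.example.test" -keyout key.pem -out cert.pem 2>/dev/null
    want=$(fp cert.pem pem)
    # PEM -> DER -> PEM
    openssl x509 -in cert.pem -outform der -out cert.der
    openssl x509 -in cert.der -inform der -out from_der.pem
    # PEM -> PKCS#7 (certificates only, never the key) -> PEM
    openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b
    openssl pkcs7 -print_certs -in cert.p7b -out from_p7b.pem
    # PEM certificate + key -> password-protected PKCS#12 -> PEM certificate
    openssl pkcs12 -export -in cert.pem -inkey key.pem -passout pass:demo -out bundle.p12
    openssl pkcs12 -in bundle.p12 -passin pass:demo -nokeys -out from_p12.pem
    # Every converted copy must have the fingerprint of the original
    for f in from_der.pem from_p7b.pem from_p12.pem; do
        [ "$(fp "$f" pem)" = "$want" ] || exit 1
    done
    [ "$(fp cert.der der)" = "$want" ]
)
```

Run it as `roundtrip "$(mktemp -d)"`; a zero exit status means all four encodings hold the same certificate.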
The CA has three primary responsibilities:
• Sign valid CSRs
• Maintain security of their private key
• Revoke compromised or misused certificates
First, let's take a look at the openssl configuration. If we run the
openssl ca
command with no options, it shows which configuration file it is using:
[root@rocky8 ~]# openssl ca
Using configuration from /etc/pki/tls/openssl.cnf
Can't open /etc/pki/CA/private/cakey.pem for reading, No such file or directory
140316000794432:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/private/cakey.pem','r')
140316000794432:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
unable to load CA private key
It shows that it is unable to find a private key, so use the following commands to create one:
[root@rocky8 ~]# openssl genrsa -des3 2048 > /etc/pki/CA/private/cakey.pem
-bash: /etc/pki/CA/private/cakey.pem: No such file or directory
[root@rocky8 ~]# mkdir -p /etc/pki/CA/private/
[root@rocky8 ~]# openssl genrsa -des3 2048 > /etc/pki/CA/private/cakey.pem
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................................................................................................................................................................................+++++
..............................................................................................................+++++
e is 65537 (0x010001)
Enter pass phrase:
Verifying - Enter pass phrase:
[root@rocky8 ~]#
Now we can continue using the following commands:
#Creating a private key
openssl genrsa -<algorithm> -out <key_filename> <key_size>
openssl genrsa -aes128 -out mykey.key 2048
#Generating a self-signed certificate (public key)
openssl req -utf8 -new -key <key_filename> -x509 -days <cert-lifespan> -out <cert_filename> -set_serial 0
#note: you would add -set_serial <serial-num> for a CA certificate, it is stored in /etc/pki/CA/serial
#Signing a CSR as a CA (requires CA keys)
openssl ca -in <CSR> -out <crt>
#view the content of certificate
openssl x509 -in <cert_filename.crt> -text -noout | less
note:
-set_serial
allows a serial number to be set for a self-signed certificate. There are a couple of required files that openssl ca must have to work (creation commands noted below):
echo 00 > /etc/pki/CA/serial
touch /etc/pki/CA/index.txt
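The CA responsibilities listed above (sign CSRs, protect the key, revoke certificates) can be exercised end to end with the following added example, which is not part of the original notes. It builds a throwaway CA in a directory of your choice instead of /etc/pki/CA; the configuration file, section names, subjects and file names are all assumptions made for the demonstration.

```sh
# Added example: a throwaway CA. All names, paths and subjects are constructed.
ca_init() {                     # $1 = empty directory that will hold the CA
    mkdir -p "$1/private" "$1/newcerts"
    echo 01 > "$1/serial"       # next serial number, in hex
    : > "$1/index.txt"          # database of issued and revoked certificates
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $1/index.txt
serial = $1/serial
new_certs_dir = $1/newcerts
certificate = $1/cacert.pem
private_key = $1/private/cakey.pem
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_cn
x509_extensions = leaf_ext
[ policy_cn ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Demo key is unencrypted; protect a real CA key with a passphrase (-aes128).
    ( umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null )
    openssl req -config "$1/ca.cnf" -new -x509 -days 30 -subj "/CN=Demo Root CA" \
        -key "$1/private/cakey.pem" -out "$1/cacert.pem"
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}
ca_issue() {                    # $1 = CA dir, $2 = common name of the server
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -config "$1/ca.cnf" -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
    openssl ca -config "$1/ca.cnf" -batch -notext -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}
ca_revoke() {                   # mark as revoked, then publish a fresh CRL
    openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" 2>/dev/null &&
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}
ca_check() {                    # exit 0 only if the chain verifies and is not revoked
    openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl.pem" "$1/$2.crt" >/dev/null 2>&1
}
```

A typical sequence is `d=$(mktemp -d); ca_init "$d"; ca_issue "$d" www.example.test`, after which `ca_check "$d" www.example.test` succeeds until `ca_revoke "$d" www.example.test` is run. Relying parties only see the revocation if they fetch the new CRL and verify with `-crl_check`.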
It is good to know that there is an alternative tool to openssl on Red Hat called genkey. It is simpler than openssl and uses a TUI. See genkey --help for a list of subcommands.