Posts tagged PKI
This posting is solely about handling certificates, no cryptographic background or deeper technical digging.
background and grey theory
Basically creating a certificate can be done via two ways:
- create a private key and a certificate from it
- create a private key, a certificate signing-request out of it, and with another certificate-authority private-key and certificate-authority certificate create an own certificate
The first approach is to be done for CA's (certificate authorities), and their (CA) certificates are shipped with the common browsers.
Website (or whatever type of service uses SSL/TLS) let their domain be secured with an own certificate, which the certificate authority created from a certificate signing request the owner sent them using their private key and certificate.
The user using the browser to access the secured domain gets the ca cert and the site owner's cert, and can check if the site owner's cert can be validated against the root CA cert.
So these are the artifacts in play: (CA = certificate authority, SRV = server owner)
- CA privkey (CA_PK)
- CA cert (CA_C)
- SRV privkey (SRV_PK)
- SRV CSR (SRV_CSR)
- SRV cert (SRV_C)
installing them server-side
In this order they are created and installed:
SRV CA ----- ---- | | | 1. create CA_PK | 2. create CA_C | | 3. create SRV_PK | 4. create SRV_CSR | | | 5. |--------------- email SRV_CSR ----------->| | | | 6. create SRV_C | (from CA_PK,CA_C,SRV_CSR) | | 7. |<-------------- email SRV_C ------------| | | 8. configure server (web,ftp,...) | (to provide CA_C,SRV_PK,SRV_C) | | |
This is all which is needed to set TLS encryption up.
Note: CA_C and SRV_C differ in having the
CA flag set to
TRUE or not.
Besides that, they are the same.
using them client-wise
To keep it simple, clients negotiate the connection with the server, and use the th SRV_C of aforementioned artefacts from the server. The CA_C is already part of the web browser.
practice and its complexities
To prevent some misunderstandings, even more basics:
- CA's are just companies printing money, as these certificates tend to be very expensive but are not saver than ones you create on your own and validate these against a self-created self-signed one (With you being basically your own CA.). The only difference is, the CA's get their certificates shipped with every browser, whereas you do not get that luxury.
- CA_PK and SRV_PK do not differ in how they were created.
- self-signed certificate = no higher-level cert is needed for validation (for CA's)
- messing up which one is which is the third biggest source of problems revolving around certificates
- the second biggest problem is the unwieldiness of the tools to handle these things
- the biggest source of FAIL when dealing with certificates is the amount of different ones being in different formats (single file or container 'containing' several 'files') and encodings (ascii/base64 vs. binary) and simple copy-paste errors when creating some of them
This sounds complexer than it really is. Haha, I know.
You can import the self-created self-signed CA cert into your browser by hand, so you don't get the warning about visiting unsecure sites anymore, but the rest of the world will still get the error. Plus your google ranking for your website should be lower, as far as I can remember.
a script for automating things
When having to have to create certificates from time to time, this may come handy:
openssl genrsa 2048 > ca-key.pem && \ openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem && \ openssl req -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem -out server-req.pem && \ openssl rsa -in server-key.pem -out server-key.pem && \ openssl x509 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
For automated generation, the
openssl tool is way more nicer than
certtool from GnuTLS.
For checking contents or creating a
.p12 / pkcs #12 container, the latter is better:
# check contents certtool --certificate-info --infile C.pem # create .p12 certtool --to-p12 --load-ca-certificate CA_C.pem --load-privkey PK.key --load-certificate C.pem --outfile CONTAINER.p12 --outder
show certificate information
certtool --certificate-info --infile C.pem
View posts from 2017-02, 2017-01, 2016-12, 2016-11, 2016-10, 2016-09, 2016-08, 2016-07, 2016-06, 2016-05, 2016-04, 2016-03, 2016-02, 2016-01, 2015-12, 2015-11, 2015-10, 2015-09, 2015-08, 2015-07, 2015-06, 2015-05, 2015-04, 2015-03, 2015-02, 2015-01, 2014-12, 2014-11, 2014-10, 2014-09, 2014-08, 2014-07, 2014-06, 2014-05, 2014-04, 2014-03, 2014-01, 2013-12, 2013-11, 2013-10