Certificates

From Network Security Wiki
Jump to navigation Jump to search


Public-key cryptography

  • Asymmetric cryptography is a cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner.
  • The generation of such keys depends on cryptographic algorithms based on mathematical problems to produce one-way functions.
  • Effective security only requires keeping the private key private; the public key can be openly distributed without compromising security.
  • In such a system, any person can encrypt a message using the receiver's public key, but that encrypted message can only be decrypted with the receiver's private key.
Digital Signature
  • A sender can combine a message with a private key to create a short digital signature on the message.
  • Anyone with the sender's corresponding public key can combine the same message and the supposed digital signature associated with it to verify whether the signature was valid, i.e. made by the owner of the corresponding private key.
Prime Numbers & Encryption
  • Product of 2 large random Prime Numbers is the backbone of Encryption.
11 x 17 = 187
  • Cracking the encryption means figuring out the 2 factors.
  • Using Brute Force it takes decades with today's computers.
  • If 2 numbers are known (a private key), it takes a split second.
  • The numbers in largest known prime number: 17,425,170.
  • The Public key is made up in part by calculating the number of integers that share no common factors that are less than the product of 2 Prime Numbers.

X.509 Certificate

  • In cryptography, X.509 is a standard defining the format of public key certificates.
  • X.509 certificates are used in many protocols like TLS/SSL, which is the basis for HTTPS.
  • They are also used in offline applications like Electronic Signatures.
  • It contains a public key and an identity - hostname, organization or individual.
  • It is either signed by a Certificate Authority or Self-Signed.
  • When a certificate is signed by a trusted certificate authority or validated by other means, someone holding that certificate can rely on the public key it contains.
  • X.509 also defines certificate revocation lists, which are a means to distribute information about certificates that have been deemed invalid by a signing authority, as well as a certification path validation algorithm, which allows for certificates to be signed by intermediate CA certificates, which are, in turn, signed by other certificates, eventually reaching a trust anchor.
Working of Certificates
  • In the X.509 system, an organization that wants a signed certificate requests one via a Certificate Signing Request (CSR).
  • To do this, it first generates a key pair, keeping the private key secret and using it to sign the CSR.
  • This contains information identifying the applicant and the applicant's public key that is used to verify the signature of the CSR - and the Distinguished Name (DN) that the certificate is for.
  • The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority.
  • The Certification Authority issues a certificate binding a public key to a particular distinguished name.
  • An organization's trusted root certificates can be distributed to all employees so that they can use the company PKI system.
  • Browsers such as Internet Explorer, Firefox, Opera, Safari and Chrome come with a predetermined set of root certificates pre-installed.
  • SSL certificates from major certificate authorities will work instantly.
Structure of an X.509 v3 Digital certificate
  • Certificate
    • Version Number
    • Serial Number
    • Signature Algorithm ID
    • Issuer Name
    • Validity period
      • Not Before
      • Not After
    • Subject name
    • Subject Public Key Info
      • Public Key Algorithm
      • Subject Public Key
    • Issuer Unique Identifier (optional)
    • Subject Unique Identifier (optional)
    • Extensions (optional)
  • Certificate Signature Algorithm
  • Certificate Signature


  • The serial number must be unique for each certificate issued by a specific CA.

OpenSSL

Source: sslshopper.com

Generate Certificates

  • Generate a new private key and Certificate Signing Request
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
  • Generate a self-signed certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
  • Generate a certificate signing request (CSR) for an existing private key
openssl req -out CSR.csr -key privateKey.key -new
  • Generate a certificate signing request based on an existing certificate
 openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
  • Remove a passphrase from a private key
openssl rsa -in privateKey.pem -out newPrivateKey.pem

Verifying Certificates

  • Check a Certificate Signing Request (CSR)
openssl req -text -noout -verify -in CSR.csr
  • Check a private key
openssl rsa -in privateKey.key -check
  • Check a certificate
openssl x509 -in certificate.crt -text -noout
  • Check a PKCS#12 file (.pfx or .p12)
openssl pkcs12 -info -in keyStore.p12

Debugging

  • Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
  • Check an SSL connection. All the certificates (including Intermediates) should be displayed
openssl s_client -connect www.paypal.com:443

Converting Format

  • Convert a DER file (.crt .cer .der) to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
  • Convert a PEM file to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
  • Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

  • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt


Troubleshooting



References





blog comments powered by Disqus