web analytics

Understanding SSL Certificates

Options
@2021-01-05 18:42:19

X.509

X.509 is a standard defining the format of public key certificates. An X.509 certificate is a digital certificate that uses the widely accepted international X.509 public key infrastructure (PKI) standard to verify that a public key belongs to the hostname/domain, organization, or individual contained within the certificate. The X.509 certificate is either signed by a publicly trusted Certificate Authority (Like DigiCert, Sectigo, GlobalSign, etc.) or self-signed. When a certificate is signed by a trusted certificate authority, or validated by other means, someone holding that certificate can rely on the public key it contains to establish secure communications with another party or validate documents digitally signed by the corresponding private key. When a certificate is self-signed, it will not be trusted for public-facing applications and is mainly used to encrypt and authenticate data within an organization’s network.

Every certificate has two keys, a private key and a public key, and the two are known as an exchange key pair. In brief, the private key is known only to the owner of the certificate while the public key is readable from the certificate. Either key can be used to encrypt or decrypt a digest, hash, or other keys, but only as contrary operations. For example, if the client encrypts with the public key, only the site can decrypt the message using the private key. Similarly, if the site encrypts with the private key, the client can decrypt with the public key. This provides assurance to the client that the messages are being exchanged only with the possessor of the private key because only messages encrypted with the private key can be decrypted with the public key. The site is assured that it is exchanging messages with a client that has encrypted using the public key.

@2021-01-05 22:05:33

SSL/TLS Certificate 

X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS. SSL and TLS are both network protocols that allow data to be transferred privately and securely between a web server and a web browser. 

With SSL/TLS being the majority use case of X.509 certificate use cases, we’ll clarify the difference between SSL and TLS.

Secure Sockets Layer (SSL) is the predecessor to TLS

SSL is a cryptographic protocol designed to secure network communications. Netscape introduced SSLv2.0 in 1995, and after vulnerabilities were discovered, SSLv3.0 was created. In 1999 TLS v1.0 was introduced after SSLv3 was considered insecure due to the POODLE attack. The POODLE attack exploiting SSLv3 in 1999 created the introduction of TLS v1.0. Some applications, such as browsers, are compatible with some of the SSL protocol versions, although SSL has been phased out in favor of the better TLS security.

Transport Layer Security (TLS) is the CURRENT encryption standard

Like SSL, TLS is a cryptographic protocol used by websites to secure communications between their servers and web browsers. TLS replaced the older SSL protocol as the encryption standard protocol. This change was made mostly to avoid legal issues with the Netscape company, creator of SSL, so that the protocol could be developed as an open standard, free for all. TLS v1.3 is the current default standard protocol.

SSL/TLS Certificates are X.509 certificates

SSL/TLS Certificates are X.509 certificates with Extended Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1). Other common usage types of X.509 certificates are Client Authentication (1.3.6.1.5.5.7.3.2), Code Signing (1.3.6.1.5.5.7.3.3), and a handful of others are used for various encryption and authentication schemes.

 

@2021-01-05 22:25:09

X.509 Certificate Encoding Formats

X.509 is a standard that defines the structure of the certificate. It defines the data fields that should be included in the SSL certificate. X.509 uses a formal language called Abstract Syntax Notation One (ASN.1) to express the certificate's data structure.

There are different formats of X.509 certificates such as PEM, DER, PKCS#7 and PKCS#12. PEM and PKCS#7 formats use Base64 ASCII encoding while DER and PKCS#12 use binary encoding. The certificate files have different extensions based on the format and encoding they use.

The following figure illustrates the X.509 Certificate's encoding formats and file extensions.

PEM Format

Most CAs (Certificate Authority) provide certificates in PEM format in Base64 ASCII encoded files. The certificate file types can be .pem, .crt, .cer, or .key. The .pem file can include the server certificate, the intermediate certificate and the private key in a single file. The server certificate and intermediate certificate can also be in a separate .crt or .cer file. The private key can be in a .key file.

PEM files use ASCII encoding, so you can open them in any text editor such as notepad, MS word etc. Each certificate in the PEM file is contained between the ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE---- statements. The private key is contained between the ---- BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- statements. The CSR is contained between the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- statements.

PKCS#7 Format

The PKCS#7 format is a Cryptographic Message Syntax Standard. The PKCS#7 certificate uses Base64 ASCII encoding with file extension .p7b or .p7c. Only certificates can be stored in this format, not private keys. The P7B certificates are contained between the "-----BEGIN PKCS7-----" and "-----END PKCS7-----" statements.

DER Format

The DER certificates are in binary form, contained in .der or .cer files. These certificates are mainly used in Java-based web servers.

PKCS#12 Format

The PKCS#12 certificates are in binary form, contained in .pfx or .p12 files.

The PKCS#12 can store the server certificate, the intermediate certificate and the private key in a single .pfx file with password protection. These certificates are mainly used on the Windows platform.

@2021-01-05 22:40:50

SSL Handshake

As SSL/TLS certificates enable encryption, they are integral to Hyper Text Transfer Protocol Secure(HTTPS), a protocol that encrypts all communication exchanged between a website and your browser.

  • HTTPS starts when a browser requests a secure page.
  • The web server responds with its public key and its certificate.
  • The browser then verifies a trusted authority or CA issued this digital file.
  • Assuming that's the case, the browser uses the web server's public key to encrypt a random symmetric encryption key and sends it to the server with an encrypted URL and other encrypted HTTP data.
  • If the public key is valid, the web server uses its private key to decrypt the symmetric encryption key, URL, and HTTP data before sending over the HTML document and HTTP data now encrypted with the symmetric key.
  • This symmetric key, in turn, allows the browser to decrypt the HTTP data and display it to the user.

Comments

You must Sign In to comment on this topic.


© 2024 Digcode.com