Certificates

Concepts

SSH

TLS

HTTPS

Certificate Authority (CA)

Issuer

Key types

These are some of the most commonly used certificate and key file extensions:

  • .key is the private key. This is accessible to the key owner and no one else.
  • .csr is the certificate request. This is a request for a certificate authority to sign the key. (The private key itself is not included.)
  • .crt is the certificate produced by the certificate authority that verifies the authenticity of the key. (The private key itself is not included.) This is given to other parties, e.g. an HTTPS client.
  • .pem is a text-based container using Base64 encoding. It could be any of the above files.
  • .p12 is a PKCS12 file, which is a container format usually used to combine the private key and certificate.

Certificate Signing Request (CSR)

A certificate signing request (CSR or certification request) is a message sent from an applicant to a certificate authority (CA) of the public key infrastructure (PKI) in order to apply for a digital identity certificate. The CSR usually contains the public key for which the certificate should be issued, identifying information (such as a domain name) and a proof of authenticity including integrity protection (e.g., a digital signature). The most common format for CSRs is the PKCS #10 specification; others include the more capable Certificate Request Message Format (CRMF) and the SPKAC (Signed Public Key and Challenge) format generated by some web browsers.

The CSR is used to generate X.509 certificates that can be used to configure any web server (Apache, NGINX, WordPress), database (MySQL, PostgreSQL), IoT gateway/device, or even your own web app server (HTTPS) and web app client. The client SSL/TLS X.509 certificate can be used for any application that requires mutual TLS authentication for Zero Trust security.

Before creating a CSR for an X.509 certificate, the applicant first generates a key pair, keeping the private key of that pair secret. The CSR contains information identifying the applicant (such as a distinguished name), the public key chosen by the applicant, and possibly further information. When using the PKCS #10 format, the request must be self-signed using the applicant's private key, which provides proof-of-possession of the private key but limits the use of this format to keys that can be used for signing. The CSR should be accompanied by a proof of origin (i.e., proof of identity of the applicant) that is required by the certificate authority, and the certificate authority may contact the applicant for further information.

Typical information required in a CSR:

  • CN (Common Name): This is the fully qualified domain name that you wish to secure (*.wikipedia.org)
  • O (Organization Name): Usually the legal name of a company or entity and should include any suffixes such as Ltd., Inc., or Corp. (Wikimedia Foundation, Inc.)
  • OU (Organizational Unit): Internal organization department/division name (IT)
  • L (Locality): Town, city, village, etc. name (San Francisco)
  • ST (State): Province, region, county or state. This should not be abbreviated (e.g. West Sussex, Normandy, New Jersey). (California)
  • C (Country): The two-letter ISO code for the country where your organization is located (US)
  • EMAIL (Email Address): The organization contact, usually of the certificate administrator or IT department.

Create the certificate on the server

The first command we're going to use is openssl req, which stands for request.

# Create a Certificate Signing Request. Use ECDSA instead of RSA for production.
# No -days here: openssl req only uses it together with -x509; for a CSR, the validity is set when the CA signs.
openssl req -new -newkey rsa:4096 -sha256 -out MyCertificate.csr -keyout MyKey.key

# Provide all the information without prompting
openssl req -new -newkey rsa:4096 -sha256 -out MyCertificate.csr -keyout MyKey.key -subj "/C=ES/ST=Madrid/L=city/O=JSantosA/OU=IT/CN=*.javiersant.com/emailAddress=jsantosa@gmail.com"

# Create a self-signed certificate (-x509) without a passphrase (-nodes)
openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out MySelfSignedCertificate.crt -keyout MyKey.key

You will be prompted to add identifying information about your website or organization to the certificate. If this certificate will be passed on to a certificate authority (CA) for signing, the information needs to be as accurate as possible. However, for self-signed certificates this information isn't necessary since it is not public.

The following is a breakdown of the OpenSSL options used in this command. There are many other options available, but these will create a basic certificate which will be good for a year. For more information, see man openssl in your terminal.

  • -newkey rsa:4096: Create a 4096-bit RSA key for use with the certificate. RSA 2048 is the default on more recent versions of OpenSSL, but to be sure of the key size you should specify it during creation. NOTE: Use ECDSA instead of RSA for production.
  • -x509: This option is used to tell openssl to output a self-signed certificate instead of a certificate request. Used for demo or internal purposes.
  • -sha256: Generate the certificate request using 256-bit SHA (Secure Hash Algorithm).
  • -days: Determines the length of time in days that the certificate is being issued for. For a self-signed certificate, this value can be increased as necessary.
  • -nodes: Do not protect the private key with a passphrase. If this option is excluded, you will be required to enter the passphrase in the console each time the application using it is restarted.

The generated private key (MyKey.key) is encrypted, whereas the certificate signing request (MyCertificate.csr) is not; it is only Base64-encoded. Note that the information stored in MyCertificate.csr starts with BEGIN CERTIFICATE REQUEST.

-----BEGIN CERTIFICATE REQUEST-----
MIIE2DCCAsACAQAwgZIxCzAJBgNVBAYTAkZSMRYwFAYDVQQIDA1JbGUgZGUgRnJh
bmNlMQ4wDAYDVQQHDAVQ...pWofr2eOeBQ4Q=
-----END CERTIFICATE REQUEST-----

If the certificate is self-signed, we can use the openssl x509 command to display all the information encoded in this certificate. Note that the information stored in MySelfSignedCertificate.crt starts with BEGIN CERTIFICATE.

-----BEGIN CERTIFICATE-----
MIIFxjCCA64CCQCNT+eP2vjJxzANBgkqhkiG9w0BAQsFADCBpDELMAkGA1UEBhMC
RlIxEjAQBgNVBAgMC...udJwE7HnnA7lpA
-----END CERTIFICATE-----

The following command prints the information of the certificate created with -x509.

# Get the x509 certificate info
openssl x509 -in MySelfSignedCertificate.crt -noout -text

Sign Certificate Request

To emulate the CA (issuer) that issues the certificate, we are going to generate a CA certificate.

# Generate the private key to become a local CA
openssl genrsa -des3 -out MyCA.key 2048

# Generate a root certificate (you can use crt or pem format)
openssl req -x509 -new -nodes -key MyCA.key -sha256 -days 1825 -out MyCA.crt -subj "/C=ES/ST=Madrid/L=city/O=CA/OU=CA/CN=*.ca.org/emailAddress=ca@gmail.com"

To sign the certificate, we will use the same openssl x509 command that we used to display the certificate before.

# Sign the Certificate Request using `x509`; the validity (-days) is set here (the default is 30 days)
openssl x509 -req -in MyCertificate.csr -CA MyCA.crt -CAkey MyCA.key -CAcreateserial -sha256 -days 365 -out MyCertificate.crt

In this command, we use the -req option to tell openssl that we're going to pass in a certificate request. We use the -in option followed by the name of the request file: MyCertificate.csr. Next we use the -CA option to pass in the certificate file of the CA (MyCA.crt), and the -CAkey option to pass in the private key of the CA (MyCA.key).

Another important option is -CAcreateserial. The CA must ensure that each certificate it signs has a unique serial number, so with this option a file containing the next serial number will be generated if it doesn't exist.

# Get the x509 certificate info
openssl x509 -in MyCertificate.crt -noout -text

To verify a certificate (simulating the web browser interaction), you need to check the server certificate against the CA certificate; this can be done with the openssl verify command.

# Verify the server certificate against the CA certificate
openssl verify -CAfile MyCA.crt MyCertificate.crt
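
The whole flow above (key pair, CSR, CA signature, verification) with ECDSA P-256 keys, which this page recommends for production but only shows with RSA. This is an added example, not part of the original page; the file names, subject fields and the second CA named "other" (used as a negative control) are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: CSR -> local CA signature -> verification, using ECDSA P-256.
# File names and subject fields are constructed; everything lives in a temp dir.

issue_and_verify() {
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    # Applicant: EC private key plus a CSR signed with it (proof of possession).
    openssl ecparam -name prime256v1 -genkey -noout -out server.key
    openssl req -new -key server.key -sha256 -out server.csr \
      -subj "/C=ES/O=Example/CN=www.example.test"
    # Anyone can check the CSR's self-signature. Match on the message text,
    # because older OpenSSL builds exit 0 even when this check fails.
    openssl req -in server.csr -noout -verify 2>&1 | grep -q "verify OK" || exit 2

    # Local CA ("ca") and an unrelated CA ("other") used as a negative control.
    for ca in ca other; do
      openssl ecparam -name prime256v1 -genkey -noout -out "$ca.key"
      openssl req -x509 -new -key "$ca.key" -sha256 -days 1825 \
        -subj "/C=ES/O=Example/CN=$ca.example.test" -out "$ca.crt"
    done

    # CA side: the validity period is set here, when the request is signed.
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -sha256 -days 365 -out server.crt 2>/dev/null || exit 3

    # The certificate must carry exactly the public key the CSR asked for.
    [ "$(openssl req -in server.csr -noout -pubkey)" = \
      "$(openssl x509 -in server.crt -noout -pubkey)" ] || exit 4

    # Chain check: passes against the issuing CA, must fail against the other.
    openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1 || exit 5
    if openssl verify -CAfile other.crt server.crt >/dev/null 2>&1; then exit 6; fi
  )
  rc=$?
  rm -rf "$dir"
  return $rc
}
```

A non-zero return value identifies the step that failed: 2 for the CSR self-signature, 3 for signing, 4 for a public key mismatch, 5 and 6 for the two chain checks.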

ACME