TLS Certificates
Whenever you access a website over HTTPS, you will have noticed that the browser shows a lock or a toggle icon, which means the current website is secure and uses HTTPS. But what does secure mean here?
The beginning
Suppose you are accessing mail.google.com to log in to your mail. Here you provide your credentials in plain text, such as:
- username: demo
- password: demopassword
Now your credentials are not encrypted, which means that if there is a hacker, he can steal them. That is not good.
To resolve this, there are two methods to encrypt the data:
- Symmetric key encryption (same key to encrypt and decrypt): here the user encrypts the credentials using a key and sends them to the server, but the server also needs the key to decrypt them, so the user has to send the key along with the credentials. A hacker can then capture the key together with the credentials and boom! You are exposed again. So this is not an option.
- Asymmetric key encryption: this method uses two keys, called the public key and the private key. What makes it special is that data encrypted with one key can only be decrypted with the other; the same key cannot be used to both encrypt and decrypt. So whenever you request a website, it sends its public key with the response, and your data is encrypted using it. Now even if a hacker gets the public key and the encrypted credentials, he will not be able to decrypt them, because that requires the private key matching that public key.
- Let’s take a look at what the public and private keys look like:
- id_rsa → your private key
- id_rsa.pub → your public key
- Data encrypted using the public key can only be decrypted using the private key, and vice versa.
Now we understand the methods, but so does the hacker. Here comes another method to defraud you, called phishing.
I have seen many intelligent people access https://mail.google.com by using gmail.com, or by searching for gmail in a search engine.
- Now, a hacker can use this to create a clone of Gmail and generate a key pair, and if he somehow manages to fool you, you send your credentials to the hacker’s server.
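The two points above (only the matching private key decrypts, and a key pair by itself says nothing about who owns it), as an added example that is not part of the original post. The key names, the sample credential string and the choice of OAEP padding are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: RSA encryption round trip with openssl. Key files and the
# sample credential string are constructed for this demonstration.
W=$(mktemp -d)

# new_keypair NAME: writes NAME.key (private) and NAME.pub (public) under $W
new_keypair() {
    openssl genrsa -out "$W/$1.key" 2048 2>/dev/null
    openssl rsa -in "$W/$1.key" -pubout -out "$W/$1.pub" 2>/dev/null
}

# roundtrip PUB PRIV MSG: encrypt MSG to PUB's public key, then try to decrypt
# with PRIV's private key. Prints the plaintext; fails if the keys do not match.
roundtrip() {
    printf '%s' "$3" | openssl pkeyutl -encrypt -pubin -inkey "$W/$1.pub" \
        -pkeyopt rsa_padding_mode:oaep -out "$W/msg.enc" || return 1
    openssl pkeyutl -decrypt -inkey "$W/$2.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$W/msg.enc" 2>/dev/null
}

new_keypair real-site     # key pair held by the genuine server
new_keypair other-site    # key pair generated by anyone else, same procedure

# Matching pair: the plaintext comes back.
roundtrip real-site real-site 'password=demopassword'; echo
# Ciphertext for real-site cannot be opened with another private key.
roundtrip real-site other-site 'password=demopassword' \
    || echo "other private key: cannot decrypt"
# The second pair works just as well for its own holder: nothing in a bare
# public key tells the client whose key it is encrypting to.
roundtrip other-site other-site 'password=demopassword'; echo
```
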
To tackle this, certificates were introduced.
Websites need SSL certificates to keep user data secure, verify ownership of the website, prevent attackers from creating a fake version of the site, and convey trust to users.
So how is it different from our asymmetric encryption?
For certificates, openssl is used instead of ssh-keygen.
- Generate a key using the openssl command. It contains both the private and the public key. I have run some additional commands just for your knowledge.
- openssl genrsa -out demodoamin.key 2048
- Then this key is used to generate a Certificate Signing Request (CSR), which will be sent to an authority who will sign this certificate and mark it as valid.
- openssl req -new -key demodoamin.key -out demodomain.csr
# First we need a private key
# genrsa generates an RSA private key
# 2048 is the key length in bits
> openssl genrsa -out demodoamin.key 2048
root@2e8ce08eb302:/# openssl genrsa -out demodoamin.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................+++++
......+++++
e is 65537 (0x010001)
root@2e8ce08eb302:/# cat demodoamin.key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
root@2e8ce08eb302:/#
# To check the content of the key
root@2e8ce08eb302:/# openssl rsa -text -in demodoamin.key -noout
# The private key file contains both the private key and the public key.
# You can extract your public key from your private key file if needed.
root@2e8ce08eb302:/# openssl rsa -in demodoamin.key -pubout -out demodomain_public.key
writing RSA key
root@2e8ce08eb302:/# cat demodomain_public.key
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
root@2e8ce08eb302:/#
root@2e8ce08eb302:/# openssl req -new -key demodoamin.key -out demodomain.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:IN
Locality Name (eg, city) []:Noida
Organization Name (eg, company) [Internet Widgits Pty Ltd]:demodomain
Organizational Unit Name (eg, section) []:demodomain
Common Name (e.g. server FQDN or YOUR name) []:demodomain.com
Email Address []:ceo@demodomain.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@2e8ce08eb302:/#
root@2e8ce08eb302:/# cat demodomain.csr
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
root@2e8ce08eb302:/#
Now we have generated the CSR, but who will sign it?
A certificate authority is a company or organization that acts to validate the identities of entities (such as websites, email addresses, companies, or individual persons) and bind them to cryptographic keys through the issuance of electronic documents known as digital certificates.
A digital certificate provides:
- Authentication, by serving as a credential to validate the identity of the entity that it is issued to.
- Encryption, for secure communication over insecure networks such as the internet.
- Integrity of documents signed with the certificate so that they cannot be altered by a third party in transit.
A CA will validate and sign the CSR and then provide you with the certificate, i.e. demodomain.crt.
Suppose your CSR has been signed by a CA and you have received the certificate. But what if someone impersonates a CA? A CA signs certificates using its private key, and your browser already has the public keys of most CAs. The browser uses them to validate the signature, and only then is the connection treated as secure.
Note: if a certificate expires, it also becomes insecure. Here is an example of one such certificate.
- Here the CA that signed this certificate is Cloudflare, and it is valid up to Jan 1, 2025.
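The signing and validation steps described above, as an added example that is not part of the original post: a throwaway local CA signs a CSR, and `openssl verify` then plays the role of the browser. The CA name "Demo Root CA", the file names and the one-day validity are assumptions made for the demonstration; a real CA validates domain ownership before signing.

```shell
#!/bin/sh
# Added example: a throwaway CA signs a CSR; a client-style check then accepts
# or rejects the result. All names and file paths are constructed for the demo.
D=$(mktemp -d)
cat > "$D/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:demodomain.com
EOF

# make_ca FILE CN: self-signed CA certificate FILE.crt with private key FILE.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$D/demo.cnf" \
        -extensions ca_ext -subj "/CN=$2" -keyout "$D/$1.key" -out "$D/$1.crt" 2>/dev/null
}
# sign_csr CA OUT: CA signs the site's CSR, producing OUT.crt valid for one day
sign_csr() {
    openssl x509 -req -in "$D/site.csr" -CA "$D/$1.crt" -CAkey "$D/$1.key" \
        -CAcreateserial -days 1 -extfile "$D/demo.cnf" -extensions leaf_ext \
        -out "$D/$2.crt" 2>/dev/null
}
# check CERT [verify options]: succeed only if CERT chains to the trusted CA
check() {
    c="$1"; shift
    openssl verify -CAfile "$D/trusted-ca.crt" "$@" "$D/$c.crt" >/dev/null 2>&1
}

make_ca trusted-ca   "Demo Root CA"   # the CA certificate the client already holds
make_ca lookalike-ca "Demo Root CA"   # same name, different key, not trusted
openssl req -new -newkey rsa:2048 -nodes -config "$D/demo.cnf" \
    -subj "/CN=demodomain.com" -keyout "$D/site.key" -out "$D/site.csr" 2>/dev/null
sign_csr trusted-ca good
sign_csr lookalike-ca forged

check good   && echo "signed by the trusted CA: accepted"
check forged || echo "signed by a look-alike CA: rejected"
check good -attime "$(( $(date +%s) + 172800 ))" || echo "two days later: expired, rejected"
```
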
Thanks