Digital Certificates

My notes on digital certificates (X.509):

How a digital certificate is obtained:

  • The entity requests a digital certificate from a CA.
  • The request is in the form of a CSR (Certificate Signing Request)
  • The CSR contains
    • the name/description of the entity (server name / email id)
    • the public key of the entity
  • CA requests/obtains identification/validation documents of the entity
  • CA validates/rejects the entity, based on identification/validation documents obtained
  • The following steps assume the entity is validated
  • CA extracts entity’s name/description (CN) and public key from CSR and places them in a new digital certificate (X.509 format)
  • An expiration date is attached to the certificate
  • This digital certificate is then signed by CA using CA’s own private key
  • The certificate thus prepared is handed to the entity
  • Entity can now distribute this digital certificate
    • QUESTION: So the entity needs to hand in two things:
      • The certificate
      • The name (some information) of the CA that has signed this certificate
  • Parties interested in communicating with the entity can
    • verify the certificate was indeed signed by CA by decrypting its signature using CA’s public key
    • use the entity’s public key for communication

Different formats of digital certificates:

  • DER (Distinguished Encoding Rules) – Binary
    • File extensions: .DER, .CRT, .CER
  • PEM (Privacy Enhanced Mail) – Text
    • File extensions – .PEM, .CRT
    • Text equivalent of DER
    • openssl can be used to translate both ways between DER and PEM formats
    • A .CRT file can either be binary or text, open and check content to see which one it is
  • PFX (Personal Information Exchange) – Binary
    • File extensions – .PFX, .P12
    • This format is commonly used on Windows
  • P7B – Text
    • File extensions – .P7B
    • Text equivalent of PFX
    • This format is commonly used on Windows

Sample command to create a CSR (Certificate Signing Request):

openssl req -new -newkey rsa:2048 -nodes -keyout YourDomainName.key -out YourDomainName.csr

Note: The argument -nodes above is “No DES” (and not NODES)

Some sample commands on Linux to view digital certificate information:

openssl x509 -noout -text -in 'cert_file.cer'
openssl x509 -inform pem -noout -text -in 'cert_file.cer'
openssl x509 -inform der -noout -text -in 'cert_file.cer'
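
The issuance steps and the "open a .CRT and check" note above, run end to end with a throwaway CA. This is an added example, not part of the original notes; the CA names (ca-a, ca-b), the host name server.example.test, the file names and the function names are all constructed, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example. CA names, host name and file names are constructed.

# make_ca DIR NAME: self-signed CA key + certificate (PEM), valid 1 day.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_csr DIR HOST: entity's key pair plus a CSR carrying its CN and public key.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# issue DIR CA HOST: CA copies CN and public key from the CSR into an X.509
# certificate, attaches a 1-day expiry and signs it with the CA private key.
issue() {
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

# signed_by DIR CA HOST: true only if HOST's certificate verifies against CA.
signed_by() {
    openssl verify -CAfile "$1/$2.crt" "$1/$3.crt" 2>/dev/null | grep -q ': OK$'
}

# cert_format FILE: "pem" or "der", decided from the content, not the extension.
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then echo pem
    elif openssl x509 -inform der -in "$1" -noout 2>/dev/null; then echo der
    else echo unknown
    fi
}

# demo: run the whole flow in a temporary directory and report each check.
demo() {
    d=$(mktemp -d) && host=server.example.test
    make_ca "$d" ca-a && make_ca "$d" ca-b          # ca-b never signs anything
    make_csr "$d" "$host" && issue "$d" ca-a "$host"
    signed_by "$d" ca-a "$host" && echo "verifies against ca-a"
    signed_by "$d" ca-b "$host" || echo "rejected against ca-b"
    openssl x509 -in "$d/$host.crt" -outform der -out "$d/$host.der"
    echo "$host.crt is $(cert_format "$d/$host.crt"), $host.der is $(cert_format "$d/$host.der")"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument demo to see the checks; the certificate verifies only against the CA that signed it, which is why a relying party must already hold that CA's certificate.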

Some YouTube resources on digital certificates:

CertMike Explains Digital Certificates

OpenSSL to create CSR + Private key
How to generate free SSL certificate from OpenSSL