X.509

Certificate Authority (CA)

Certificate validation

Install a self-signed CA certificate

  • Windows 10

    certutil -addstore -enterprise -f "Root" <pem-file>
    • Open Run dialog, type certmgr.msc
    • The imported certificate will show up under Trusted Root Certification Authorities - Certificates
  • Ubuntu

    Add

    sudo mkdir /usr/local/share/ca-certificates/extra
    sudo cp CA.cert.pem /usr/local/share/ca-certificates/extra/CA.cert.crt
    sudo update-ca-certificates

    Remove

    sudo rm /usr/local/share/ca-certificates/extra/CA.cert.crt
    sudo update-ca-certificates  # This will remove the symlink under /etc/ssl/certs
  • Fedora

    Add

    sudo trust anchor CA.cert.pem
     
    # or manually
    sudo cp CA.cert.pem /etc/pki/ca-trust/source/anchors/
    sudo update-ca-trust

    Remove

    sudo trust anchor --remove path.to/certificate.crt
     
    # or manually
    sudo rm /etc/pki/ca-trust/source/anchors/CA.cert.pem
    sudo update-ca-trust
  • Application

DNS

  • The certificate is valid only if the requested hostname matches the certificate's Common Name (CN) or one of its Subject Alternative Names (SAN)

  • Multi-Domain (MD) or Subject Alternative Names (SAN) SSL Certificates

    Also commonly referred to as SAN certificates, multi-domain SSL certificates allow a single certificate to secure multiple domains, including subdomains of a single main domain name or entirely different domain names. One of these can secure up to 250 unique domains with a single solution. They provide a convenient option for organizations that own a lot of domains and are looking for a simplified way to secure them through a single solution rather than purchasing an individual certificate for each. Multi-domain SSL certificates are available in DV, OV, and EV validation options.

  • Wildcard SSL Certificates

    The Wildcard option is used to secure the main domain and an unlimited number of subdomains under the main domain. For example, www.yourwebsite.com, login.yourwebsite.com, mail.yourwebsite.com, etc. Wildcard certificates offer full encryption for the subdomains, making them an affordable and effective solution for most websites. They are available in DV and OV validation options.
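    The hostname rule above (CN vs. SAN, and what a wildcard actually covers) as an added example, not code from the original page. It works on dicts shaped like Python's ssl.SSLSocket.getpeercert() output, so the sample identities are constructed inline and no network or real certificate is needed; the matching rules assumed are those of RFC 6125 as browsers apply them.

```python
"""Hostname check in the style of RFC 6125, run over getpeercert()-shaped dicts.

Added example, not code from the original page. Rules applied:
  * if any dNSName SAN is present, the subject CN is ignored;
  * a wildcard must be the entire leftmost label and matches exactly one
    label, so *.yourwebsite.com covers mail.yourwebsite.com but neither
    yourwebsite.com itself nor a.b.yourwebsite.com.
"""

def _pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS-ID pattern (possibly '*.domain') against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard covers exactly one non-empty label; the rest must match verbatim.
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])

def dns_ids(cert: dict) -> list[str]:
    """Names to check: SAN dNSName entries if any exist, otherwise the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for attr, value in rdn if attr == "commonName"]

def hostname_matches(cert: dict, hostname: str) -> bool:
    return any(_pattern_matches(name, hostname) for name in dns_ids(cert))

# Constructed sample identities in ssl.SSLSocket.getpeercert() layout (not real certs).
WILDCARD_CERT = {
    "subject": ((("commonName", "yourwebsite.com"),),),
    "subjectAltName": (("DNS", "yourwebsite.com"), ("DNS", "*.yourwebsite.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.net"),),)}
SAN_OVERRIDES_CN = {
    "subject": ((("commonName", "shop.example.org"),),),
    "subjectAltName": (("DNS", "api.example.org"),),
}

if __name__ == "__main__":
    for cert, host in [(WILDCARD_CERT, "mail.yourwebsite.com"),
                       (WILDCARD_CERT, "a.b.yourwebsite.com"),
                       (SAN_OVERRIDES_CN, "shop.example.org")]:
        print(host, "->", hostname_matches(cert, host))
```

    The last case shows why a CN-only check is unsafe: once a SAN extension is present, the CN is not consulted at all.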

Private key

  • PKCS#8 - PEM base64-encoded format

CSR

  • CSR is generated and sent to a CA to request the issuance of a CA-signed SSL certificate.
  • The CSR contains information for identification purposes, which will be stored in the CA-signed certificate along with the CA's public key.
  • You can use OpenSSL to generate a new private key and a CSR, or generate a CSR from an existing private key.
  • Format: PKCS#10
  • Wikipedia - CSR

Serial number

  • A number that uniquely identifies the certificate and is issued by the CA.

Thumbprint / Fingerprint

  • A certificate's fingerprint is the unique identifier of the certificate. It is the hash value of the entire certificate in DER format. A certificate can have several fingerprints, one per hash function (for example SHA-256 or SHA-1). The certificate details shown in a web browser include its fingerprints.

  • sha256sum cert.der | tr '[:lower:]' '[:upper:]'   # or sha1sum

    should produce the same hash value (OpenSSL prints it colon-separated) as:

    openssl s_client -connect <host>:<port> </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256   # or -sha1
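    The same computation in Python, as an added example that is not part of the original notes: decode each CERTIFICATE block of a PEM file to DER, hash it, and show why the sha256sum and openssl outputs agree once label, colons and case are normalised. The PEM below is a constructed stand-in whose bodies decode to the SHA test vectors "abc" and "abcd", not a real certificate.

```python
"""Certificate fingerprint = hash of the DER bytes, formatted like OpenSSL.

Added example, not code from the original page; SAMPLE_CHAIN_PEM is constructed.
"""
import base64
import hashlib
import re

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_blocks(pem_text: str) -> list[bytes]:
    """Decode every CERTIFICATE block; a Certbot fullchain.pem contains several."""
    return [base64.b64decode("".join(body.split())) for body in _PEM_BLOCK.findall(pem_text)]

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated uppercase digest of the DER, as printed by OpenSSL."""
    return ":".join(f"{b:02X}" for b in hashlib.new(algo, der).digest())

def openssl_style(der: bytes, algo: str = "sha256") -> str:
    """Line in the shape of `openssl x509 -noout -fingerprint -<algo>` output
    (the label's case differs between OpenSSL versions; the digest does not)."""
    return f"{algo.upper()} Fingerprint={fingerprint(der, algo)}"

def shasum_style(der: bytes, algo: str = "sha256") -> str:
    """Hash field of `sha256sum cert.der | tr '[:lower:]' '[:upper:]'`: no colons."""
    return hashlib.new(algo, der).hexdigest().upper()

def same_fingerprint(openssl_line: str, shasum_hex: str) -> bool:
    """Compare the two tool outputs: drop the label and the colons, ignore case."""
    return openssl_line.split("=", 1)[1].replace(":", "").upper() == shasum_hex.upper()

# Constructed two-block "chain": the bodies decode to b"abc" and b"abcd", so the
# expected digests are the well-known SHA test vectors rather than a real cert's.
SAMPLE_CHAIN_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
YWJjZA==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for der in pem_to_der_blocks(SAMPLE_CHAIN_PEM):
        print(openssl_style(der), "|", shasum_style(der))
```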

Certificate Formats

Key usage

Java (JSSE)

ACME (Automatic Certificate Management Environment)

Certbot

$ sudo certbot --nginx
 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
 
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: crystallover.com.au
2: www.crystallover.com.au
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for crystallover.com.au and www.crystallover.com.au
 
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/crystallover.com.au/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/crystallover.com.au/privkey.pem
This certificate expires on 2024-03-13.
These files will be updated when the certificate renews.
 
Deploying certificate
Successfully deployed certificate for crystallover.com.au to /etc/nginx/conf.d/crystallover.conf
Successfully deployed certificate for www.crystallover.com.au to /etc/nginx/conf.d/crystallover.conf
Congratulations! You have successfully enabled HTTPS on https://crystallover.com.au and https://www.crystallover.com.au
 
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Resources