022.1 Lesson 2
Certificate: | Security Essentials |
---|---|
Version: | 1.0 |
Topic: | 022 Encryption |
Objective: | 022.1 Cryptography and Public Key Infrastructure |
Lesson: | 2 of 2 |
Introduction
Building on cryptographic principles, a Public Key Infrastructure (PKI) is fundamental for secure communications and identity verification in the digital world. PKI establishes a framework for the use of public and private keys in encryption, ensuring that entities involved in communication can trust one another.
At the core of PKI are digital certificates, which link a public key to an entity, such as a person or organization, and are managed by Certificate Authorities (CAs). These certificates play a crucial role in encrypting data and validating identities, making PKI indispensable for secure web browsing, email communication, and other online activities. Trusted Root Certificate Authorities (Root CAs) form the top tier of this trust model, establishing the chain of trust that extends to end-user certificates.
This structured relationship ensures that users and systems can rely on the authenticity of the digital certificates they encounter. Understanding how PKI and CAs function is essential for comprehending the secure exchange of information and the role of digital certificates in maintaining the integrity and security of online communications.
Public Key Infrastructure (PKI)
Public Key Infrastructure (PKI) is pivotal in establishing trust and securing digital communications. At its core, PKI provides a structured framework for managing digital certificates and public-private key pairs, which are essential for verifying identities and securing data exchanges over the internet. When two entities, such as a user and a website, need to communicate securely, PKI ensures that each party can be confident of the other’s identity and the integrity of the data being shared.
PKI allows secure communication through the management of public and private key pairs. Entities such as websites, servers, or individuals are issued a digital certificate that links their identity to a public key.
Digital certificates serve as an electronic “passport” for an entity — whether it’s a person, device, or service. This certificate is issued by a trusted third party known as a Certificate Authority (CA).
Before issuing a certificate, the CA performs a thorough verification process to confirm the legitimacy of the entity’s identity. This process prevents malicious actors from falsely claiming to be someone else. Once the certificate is issued, it can be used to encrypt data with the entity’s public key. Only the corresponding private key, which is securely held by the entity, can decrypt this data, ensuring that sensitive information remains confidential and accessible only to the intended recipient.
CAs and Trusted Root CAs
At the heart of PKI are Certificate Authorities and Trusted Root Certificate Authorities, which form the backbone of the chain of trust that underpins the security of digital certificates used in web browsing, secure email, and other applications.
CAs play a critical role in PKI by issuing, validating, and managing digital certificates. Once issued, the certificate can be trusted by other users or systems that rely on the CA’s authority.
Root CAs form the top of the trust hierarchy in PKI. Root CAs issue certificates to intermediate CAs, creating a chain of trust that extends to the end-user certificates. Root certificates are pre-installed in operating systems and web browsers, providing the foundation for all certificates issued in the hierarchy.
This chain of trust is essential, creating a hierarchical relationship between Root CAs, intermediate CAs, and the entities they issue certificates to. Each certificate in the chain is validated by the one above it, ultimately leading back to a trusted Root CA. This hierarchical model ensures that users and systems can trust the certificates they encounter in digital interactions.
Example of the Chain of Trust
Here is an example of a chain of trust involving a Root CA, an intermediate CA, and end-entity certificates.
Root CA Certificate
The Root CA is the topmost authority in the chain and is trusted by all systems. It is self-signed, meaning that it certifies its own identity.
- Root CA Name: "GlobalTrust Root CA"
- Subject: "CN=GlobalTrust Root CA, O=GlobalTrust Inc., C=US"
- Issuer: "CN=GlobalTrust Root CA, O=GlobalTrust Inc., C=US" (Self-signed)
- Public Key: Contains the public key of GlobalTrust Root CA
- Validity Period: 20 years (e.g., 2020-2040)
- Signature: Self-signed using the Root CA's private key
The Root CA certificate is pre-installed in most operating systems and browsers, establishing it as a trusted authority.
Intermediate CA Certificate
The intermediate CA is issued a certificate by the Root CA. This CA acts as a bridge between the Root CA and end-entities, enabling better security management and distribution of trust.
- Intermediate CA Name: "GlobalTrust Intermediate CA 1"
- Subject: "CN=GlobalTrust Intermediate CA 1, O=GlobalTrust Inc., C=US"
- Issuer: "CN=GlobalTrust Root CA, O=GlobalTrust Inc., C=US" (Signed by Root CA)
- Public Key: Contains the public key of GlobalTrust Intermediate CA 1
- Validity Period: 10 years (e.g., 2022-2032)
- Signature: Signed using the Root CA's private key
The intermediate CA issues certificates to end-entities, such as websites or applications, after validating their identity.
End-Entity Certificate (Website or Application)
The end-entity certificate is issued to a website or application by the intermediate CA. It is what the end-user sees when they connect to a secure website.
- End-Entity Name: "example.com"
- Subject: "CN=example.com, O=Example Inc., C=US"
- Issuer: "CN=GlobalTrust Intermediate CA 1, O=GlobalTrust Inc., C=US" (Signed by Intermediate CA)
- Public Key: Contains the public key of example.com
- Validity Period: 1 year (e.g., 2023-2024)
- Signature: Signed using the Intermediate CA's private key
In this example, each certificate in the chain is verified by the one above it, ultimately leading back to a trusted Root CA, which ensures the integrity and security of the digital communication (Visual representation of the chain of trust).
When a user visits the website example.com, their browser receives this certificate. The browser then checks the validity of the certificate by following the chain of trust:
- End-Entity Certificate Check
  The browser verifies that the certificate of example.com is signed by GlobalTrust Intermediate CA 1.
- Intermediate CA Certificate Check
  The browser checks that the certificate of GlobalTrust Intermediate CA 1 is signed by the GlobalTrust Root CA.
- Root CA Check
  The browser verifies that the Root CA is a trusted authority pre-installed in its trust store.
If all certificates in the chain are valid and properly signed, the browser establishes a secure connection with example.com, and the user can safely interact with the website.
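The three checks above can be reproduced with OpenSSL. This is an added example, not part of the original lesson: it builds a disposable hierarchy with the lesson's GlobalTrust names and shows that verification fails when the intermediate is missing or when the root is not the one in the trust store. File names, key sizes and the extension files are assumptions.

```shell
#!/bin/sh
# Added example: a throwaway hierarchy using the lesson's names. Every key and
# certificate here is constructed test data; file names are assumptions.
set -e

new_csr() {  # $1 = file prefix, $2 = subject DN: new key pair plus a CSR
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_chain() (  # $1 = empty working directory
    cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com\n' > leaf.ext

    # Root CA: self-signed, so Subject and Issuer are identical.
    new_csr root "/C=US/O=GlobalTrust Inc./CN=GlobalTrust Root CA"
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 7300 -sha256 -out root.pem 2>/dev/null

    # Intermediate CA: signed with the Root CA's private key.
    new_csr int "/C=US/O=GlobalTrust Inc./CN=GlobalTrust Intermediate CA 1"
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 3650 -sha256 -out int.pem 2>/dev/null

    # End entity: signed with the intermediate's private key.
    new_csr leaf "/C=US/O=Example Inc./CN=example.com"
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -extfile leaf.ext -days 365 -sha256 -out leaf.pem 2>/dev/null
)

# The browser's checks: leaf signed by the intermediate, intermediate signed by
# the root, root present in the trust store ($2). Extra arguments are passed on.
verify_leaf() {  # $1 = chain directory, $2 = trust anchor file
    dir=$1; anchor=$2; shift 2
    openssl verify -CAfile "$anchor" "$@" "$dir/leaf.pem" >/dev/null 2>&1
}

demo() {
    a=$(mktemp -d); b=$(mktemp -d)
    build_chain "$a"
    build_chain "$b"  # look-alike hierarchy: same names, different keys
    verify_leaf "$a" "$a/root.pem" -untrusted "$a/int.pem" && echo "full chain: OK"
    verify_leaf "$a" "$a/root.pem" || echo "intermediate missing: rejected"
    verify_leaf "$a" "$b/root.pem" -untrusted "$a/int.pem" || echo "root not trusted: rejected"
    rm -rf "$a" "$b"
}
demo
```

`openssl verify` checks signatures, validity dates and CA constraints along the chain; it compares the host name only when `-verify_hostname` is given.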
X.509 Certificates
X.509 certificates are the standard digital certificate format used in Public Key Infrastructure (PKI) and are essential for verifying the identity of entities in secure communications. Often referred to as “digital passports,” these certificates establish a reliable association between an entity’s identity and its public key through certification by a trusted Certificate Authority (CA).
Each X.509 certificate contains fields that detail the entity’s public key, the name of the issuing CA, and specific identity information, such as the entity’s domain name or organization name. This standardized format ensures that X.509 certificates provide a consistent and trusted method for authenticating entities across a wide range of digital applications.
Understanding the role of X.509 certificates is essential because they are used to facilitate secure connections in many applications, including HTTPS for secure web browsing, SSL/TLS for data encryption, and digital signatures for verifying the authenticity and integrity of electronic documents.
The certificate contains a digital signature generated by the CA using its private key, which binds the public key to the entity’s identity. This digital signature can be verified by anyone using the CA’s public key, ensuring that the certificate has not been tampered with and that it indeed originates from the trusted CA.
Structure of X.509 Certificates
An X.509 certificate contains several fields that provide detailed information about the entity and the certificate itself. These include the subject, which identifies the entity the certificate is issued to, and the issuer, which identifies the CA that issued the certificate. The certificate also contains the public key associated with the entity, as well as the digital signature of the CA, which verifies the authenticity of the certificate.
The certificate also includes a validity period, indicating the time frame during which the certificate is considered valid. After this period, the certificate must be renewed or replaced to maintain secure communication. In addition to these fields, X.509 certificates can include extensions that specify the intended use of the certificate, such as for server authentication or email encryption.
Requesting and Issuing X.509 Certificates
The process of obtaining an X.509 certificate begins with the generation of a Certificate Signing Request (CSR). The CSR is a file that contains the entity’s public key along with identifying information such as the entity’s domain name, organization, and location. This information helps to uniquely identify the entity requesting the certificate. The CSR is then submitted to a CA for validation.
The CA plays a critical role in verifying the legitimacy of the information provided in the CSR. This validation process may vary in rigor depending on the type of certificate being requested. For example, a Domain Validated (DV) certificate requires the CA to verify that the entity controls the specified domain, typically through a simple email or DNS verification process. For more stringent certificates, like Organization Validated (OV) or Extended Validation (EV) certificates, the CA performs additional checks, such as verifying the organization’s legal existence and physical location.
After the CA successfully verifies the entity’s details, it issues the X.509 certificate by digitally signing it with the CA’s private key. This digital signature ensures the authenticity and integrity of the certificate, so that it can be trusted by any entity that recognizes the CA as a trusted authority. The issued certificate is then sent back to the requesting entity, where it can be installed on a server or device.
Once installed, the X.509 certificate is used to establish secure communications by enabling SSL/TLS encryption. When a client (e.g., a web browser) connects to the server, the server presents the certificate. The client then verifies the certificate’s authenticity by checking the CA’s signature against its list of trusted root certificates. If the verification is successful, an encrypted communication channel is established, ensuring that all data exchanged between the client and server remains confidential and protected from interception.
X.509 Certificates in SSL/TLS
X.509 certificates play a central role in the SSL/TLS protocol, which is used to secure communications between clients and servers over the internet. Here’s a step-by-step example of generating a Certificate Signing Request (CSR) for a domain, using OpenSSL, a widely-used cryptographic library.
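An added example (not the lesson's own) of that CSR step, run non-interactively, followed by the checks worth running before the CSR goes to a CA. The file names, subject values and the subjectAltName request are assumptions.

```shell
#!/bin/sh
# Added example: non-interactive CSR for www.example.com plus pre-submission
# checks. File names and subject values are assumptions.
set -e

make_csr() {  # $1 = output directory, $2 = host name
    (
        umask 077  # the private key stays on this host; keep it owner-only
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$1/private.key" 2>/dev/null
    )
    # -subj replaces the interactive prompts; the subjectAltName request carries
    # the host name in the field that TLS clients match against.
    openssl req -new -key "$1/private.key" -sha256 \
        -subj "/C=US/O=Example Inc./CN=$2" \
        -addext "subjectAltName=DNS:$2" -out "$1/example.csr"
}

check_csr() {  # $1 = directory, $2 = host name; returns 0 only if all checks pass
    csr=$1/example.csr key=$1/private.key
    # 1. The CSR's self-signature proves possession of the matching private key.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    # 2. The public key inside the CSR is the one derived from our private key.
    [ "$(openssl req -in "$csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] || return 1
    # 3. The requested identity is present in both the subject and the SAN.
    openssl req -in "$csr" -noout -subject | grep -qF "$2" || return 1
    openssl req -in "$csr" -noout -text | grep -qF "DNS:$2" || return 1
    # 4. Only public material is in the file that goes to the CA.
    ! grep -q 'PRIVATE KEY' "$csr"
}

csr_demo() {
    d=$(mktemp -d)
    make_csr "$d" www.example.com
    check_csr "$d" www.example.com && echo "CSR ready to submit"
    openssl req -in "$d/example.csr" -noout -subject
    rm -rf "$d"
}
csr_demo
```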
When a user connects to a secure website, the server presents its X.509 certificate to the user’s browser as part of the SSL/TLS handshake. The browser then verifies the certificate’s authenticity by checking the chain of trust back to a trusted root CA. If the certificate is valid and trusted, the browser proceeds with the SSL/TLS handshake, establishing an encrypted connection between the user and the server.
X.509 certificates are also used in other applications, such as email encryption and digital signatures, to verify the identity of the sender and ensure the integrity of the message.
Let’s Encrypt
There are dozens of CAs around the world, most of which offer paid certificate issuance services. Well-known CAs include Let’s Encrypt, which provides free, automated SSL/TLS certificates and promotes the widespread adoption of HTTPS.
Let’s Encrypt has transformed the process of obtaining and managing X.509 certificates by offering free, automated SSL/TLS certificates. This initiative promotes the widespread adoption of HTTPS, making the internet more secure by lowering the barriers to encryption.
Before Let’s Encrypt, obtaining SSL/TLS certificates was often a costly and technically complex process. Let’s Encrypt simplifies this by automating the certificate issuance and renewal process, allowing websites to secure their communications easily and at no cost.
Let’s Encrypt has played a significant role in increasing the adoption of HTTPS, improving security and privacy across the web. However, it is important to note that Let’s Encrypt issues Domain Validated (DV) certificates, which verify domain ownership but do not provide the same level of assurance as Organization Validated (OV) or Extended Validation (EV) certificates.
Let’s Encrypt certificates are valid for only 90 days. This short validity period ensures that certificates are regularly updated, reducing the risk of misuse in the event of compromise. Because of the short lifetime of Let’s Encrypt certificates, automatic renewal is crucial to maintaining security.
Guided Exercises
- Describe how Public Key Infrastructure (PKI) establishes trust in digital communications.
- What is the role of X.509 certificates in the SSL/TLS protocols?
- Explain the concept of the chain of trust in PKI. Why is the chain of trust important for establishing secure communications, and how does it ensure that digital certificates can be trusted?
Explorational Exercises
- Research the role of Extended Validation (EV) certificates in web security and explain how they differ from Domain Validated (DV) and Organization Validated (OV) certificates.
- Generate a CSR for the domain www.example.com using OpenSSL. Provide the command you would use and explain each part of the command.
Summary
This lesson explores Public Key Infrastructure (PKI), delving into the roles of Certificate Authorities (CAs), X.509 certificates, and the chain of trust that underpins secure digital communications. In addition, it discusses the advent of Let’s Encrypt and its impact on the widespread adoption of HTTPS.
Answers to Guided Exercises
- Describe how Public Key Infrastructure (PKI) establishes trust in digital communications.
  PKI establishes trust through a chain of trust involving Certificate Authorities (CAs). CAs issue digital certificates that link an entity’s public key to its verified identity. Root CAs, trusted by browsers and operating systems, anchor the chain of trust, validating certificates issued by intermediate CAs. This hierarchical structure ensures secure communications by verifying the authenticity of digital certificates.
- What is the role of X.509 certificates in the SSL/TLS protocols?
  X.509 certificates are used in the SSL/TLS protocols to authenticate the identity of servers and establish secure communication. During the SSL/TLS handshake, the server presents its X.509 certificate to the client, which verifies the certificate’s authenticity through the chain of trust. If the certificate is valid, the handshake proceeds, and an encrypted connection is established.
- Explain the concept of the chain of trust in PKI. Why is the chain of trust important for establishing secure communications, and how does it ensure that digital certificates can be trusted?
  The chain of trust in PKI refers to the hierarchical relationship between the Root Certificate Authority (Root CA), intermediate Certificate Authorities (CAs), and the end-entity certificates. The Root CA, at the top of the hierarchy, is inherently trusted by operating systems and browsers. It issues certificates to intermediate CAs, which in turn issue certificates to end entities such as websites and servers. This structure ensures that each certificate can be validated by the one above it, ultimately linking back to the trusted Root CA.
  The chain of trust is crucial for secure communications because it allows users and systems to verify the authenticity of digital certificates. If the chain is broken or a certificate is compromised, the system flags the communication as insecure, protecting users from potential threats.
Answers to Explorational Exercises
- Research the role of Extended Validation (EV) certificates in web security and explain how they differ from Domain Validated (DV) and Organization Validated (OV) certificates.
  Extended Validation (EV) certificates provide the highest level of assurance among digital certificates. Unlike Domain Validated (DV) and Organization Validated (OV) certificates, which mainly verify domain control and basic organization details, EV certificates involve rigorous vetting processes. Certificate Authorities (CAs) must verify the legal existence, physical location, and operational status of the requesting entity before issuing an EV certificate. While DV certificates are easier to obtain and sufficient for basic encryption needs, EV certificates focus on providing additional layers of identity verification, enhancing user trust during sensitive transactions like online banking or shopping.
- Generate a CSR for the domain www.example.com using OpenSSL. Provide the command you would use and explain each part of the command.
  To generate a CSR for www.example.com using OpenSSL, you would use the following command:

      openssl req -new -key private.key -out example.csr

  req -new
      initiates the creation of a new CSR.
  -key private.key
      specifies the private key file to be used for generating the CSR. You must have previously created this private key.
  -out example.csr
      indicates the name of the CSR file that will be created.

  After running the command, you will be prompted to enter information such as the domain name, organization, and location, which will be included in the CSR. This file can then be submitted to a Certificate Authority to request an X.509 certificate.