SSL - ashishranjandev/developer-wiki GitHub Wiki

Digital Certificate

A digital certificate contains various pieces of information that serve to identify the certificate's owner, provide information about the certificate's authenticity, and specify how the certificate can be used. Here are the main pieces of information typically found in a digital certificate:

1. Subject: This field identifies the entity (individual, organization, or server) to which the certificate is issued. It often includes information like the Common Name (CN), organization, organizational unit, and country.

2. Issuer: This field identifies the Certificate Authority (CA) that issued the certificate. The issuer's distinguished name, including the CN and other details, is typically included.

3. Public Key: The certificate contains the public key of the certificate's owner. This key is used for encryption, authentication, and digital signatures.

4. Digital Signature: A digital certificate includes a digital signature that is created by the Certificate Authority. The digital signature helps verify the certificate's authenticity. It is based on the contents of the certificate and is used to ensure that the certificate has not been tampered with.

5. Serial Number: Every certificate has a unique serial number that distinguishes it from other certificates issued by the same CA.

6. Validity Period: The certificate specifies the date and time when it becomes valid (the "not before" date) and when it expires (the "not after" date). Certificates are only valid within this period.

7. Key Usage: This field defines how the public key in the certificate can be used. It may specify purposes such as digital signature, key encipherment, data encipherment, and more.

8. Extended Key Usage: This extension further refines the key usage information, specifying specific purposes for which the public key can be used. Examples include server authentication, client authentication, and code signing.

9. Subject Alternative Name (SAN): This extension allows the inclusion of additional names, such as email addresses, IP addresses, or domain names, associated with the subject of the certificate.

10. Issuer Alternative Name (IAN): Similar to the SAN, this extension allows the inclusion of additional names associated with the issuer of the certificate.

11. Basic Constraints: This extension specifies whether the certificate can be used to sign other certificates. It defines if the certificate is a Certificate Authority (CA) or not.

12. Authority Key Identifier: This extension helps link certificates in a hierarchical PKI (Public Key Infrastructure) by specifying the identifier of the issuing CA's public key.

13. Subject Key Identifier: This extension provides a unique identifier for the certificate's public key.

14. Revocation Information: The certificate may contain information about how to check its revocation status, typically in the form of URLs or other pointers to Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) responders.

15. Digital Signature Algorithm: The algorithm used for creating the digital signature is specified in the certificate. Common algorithms include RSA, ECC, and DSA.

16. Version: The X.509 specification version to which the certificate conforms, such as v1, v2, or v3.

These are the core components of a digital certificate. The specific details may vary depending on the certificate's intended use and the X.509 standard version followed. Digital certificates play a critical role in securing online communications, authentication, and identity verification.

CSR

How to create

To create a Certificate Signing Request (CSR) on your local machine, you can use the OpenSSL tool, which is widely available on various operating systems, including Linux, macOS, and Windows. Here are the general steps to create a CSR using OpenSSL:

1. Install OpenSSL (if not already installed):

   • If OpenSSL is not already installed on your local machine, you can download it from the official website or use a package manager specific to your operating system (e.g., apt-get for Debian-based Linux, brew for macOS, or a precompiled binary for Windows).

2. Generate a Private Key:

   • First, generate a private key that will be used to create the CSR. Use the following command to create a private key file (e.g., private-key.pem):

   openssl genpkey -algorithm RSA -out private-key.pem
   

   You can replace RSA with other algorithms like EC (Elliptic Curve) if you prefer.

3. Generate a CSR:

   • Use the private key generated in the previous step to create the CSR. The following command will create a CSR and prompt you to enter information about your organization and the domain for which you want the certificate:

   openssl req -new -key private-key.pem -out my-certificate.csr
   

   Follow the prompts to enter the requested information. The Common Name (CN) should be the fully qualified domain name (FQDN) for the website or service you are securing (e.g., www.example.com).

4. Verify the CSR:

   • You can view the contents of the CSR using the following command:

   openssl req -text -noout -in my-certificate.csr
   

   Review the CSR information to ensure it's accurate.

5. Submit the CSR to a Certificate Authority:

   • Once you've generated the CSR, you can submit it to a trusted Certificate Authority (CA) to obtain a digital certificate. The CA will use the information in the CSR to verify your identity and create the certificate.

6. Secure the Private Key:

   • Keep your private key (private-key.pem) secure and do not share it with others. The private key is used for decrypting encrypted communication.

Remember that the exact OpenSSL commands may vary slightly depending on your operating system and the version of OpenSSL you have installed. Be sure to replace private-key.pem and my-certificate.csr with the desired file names and paths.

Once you receive the digital certificate from the CA, you can install it on your server or web application to enable secure, encrypted communication.