
Digital Certificate Management.

Security Service, Kolkata
Content

1. What is an SSL certificate
2. Why do we need to get it signed
3. How to generate a certificate
4. What is CSR
5. Current process of
   i. Requesting certificate
   ii. Generating CSR
   iii. **Signing cert
   iv. Sending cert
6. In general - Signing the CSR – process, steps, types
7. What is the process of installing the signed certificate

5/8/19 Fußzeile 2
PKI - Introduction

The PKI includes:

• CA (Certificate Authority)
• RA (Registration Authority)
• Certificates
• Keys
• Users

SSL

Secure Sockets Layer, SSL, is the standard security technology for creating an encrypted link between a web
server and a browser. This link ensures that all data passed between the web server and browser remain private
and integral. SSL is an industry standard and is used by millions of websites in the protection of their online
transactions with their customers. In order to be able to generate an SSL link, a web server requires an SSL Certificate.
When you choose to activate SSL on your web server you will be prompted to complete a number of questions
about the identity of your website (e.g. your website's URL) and your company (e.g. your company's name and
location). Your web server then creates two cryptographic keys – a Private Key and a Public Key. Your Private Key
is so called for a reason - it must remain private and secure. The Public Key does not need to be secret and is
placed into a Certificate Signing Request (CSR) - a data file also containing your details. You should then submit
the CSR during the SSL Certificate application process to Comodo, the Enterprise SSL Certification Authority, who
will validate your details and issue an SSL Certificate containing your details and allowing you to use SSL.
Your web server will match your issued SSL Certificate to your Private Key. Your webserver will then establish an
encrypted link between the website and your customer's web browser. For detailed application and installation
instructions, please refer to section "Step by step instructions to set up SSL on your webserver" of this guide.

Displaying the SSL Secure Padlock


The complexities of the SSL protocol remain invisible to your customers. Instead their browsers provide them
with a key indicator to let them know they are currently protected by an SSL encrypted session - the Padlock.

As seen by users of Internet Explorer

HTTP vs HTTPS & SSL Handshake

An SSL certificate setup requires three keys: a public key, a private key and a session key. Data encrypted with the public key can only be decrypted with the private key, and data encrypted with the private key can only be decrypted with the public key. Because encryption and decryption with the public and private keys take a lot of processing power, they are used only during the SSL handshake to create the session key.
1. The browser connects to a server secured with SSL and requests that the server identify itself.
2. The server sends a copy of its SSL certificate to the browser.
3. The browser checks whether it trusts the SSL certificate. If so, it sends a message to the server.
4. The server sends a digitally signed acknowledgement, and the SSL-encrypted session starts.
5. Communication between the browser and the server is then encrypted.

CSR, Digital Certificate, CA

A Certificate Signing Request or CSR is a specially formatted encrypted message sent from a Secure Sockets
Layer (SSL) digital certificate applicant to a certificate authority (CA). The CSR validates the information the CA
requires to issue a certificate.
Core Component 1: Digital Certificates
Digital certificates (public key certificates, specifically X.509 certificates) are signed data structures that bind
attributes of an entity with its corresponding public key. The basic requirement for a Digital Certificate is that it
needs to be signed by a certification authority (CA). By being signed by a recognized and trustworthy authority a
digital certificate provides the guarantee that a specific public key belongs to an entity under consideration. In
addition the certificate also assures that the entity possesses the corresponding private key too. In cryptography,
X.509 is an important standard for a public key infrastructure (PKI) to manage digital certificates and public-key encryption and a key part of the
Transport Layer Security protocol used to secure web and email communication.
Core Component 2: Certification Authority (CA)
The Certification Authorities are the people, processes, and tools that are directly responsible for the creation,
issue, and management of the public-key certificates that are in use for a PKI.
CAs generate, revoke, publish and also archive these certificates. The certification authorities (CA) rely on
Certificate Repositories (CRLs) to make and deliver certificates and these CRLs are readily available to all the
certificate users too. To help CAs join existing managed infrastructures, they should be able to request
certificates from their parent CAs. CAs are also capable of generating cross-certificates to support
cross-certification with other CAs as allowed by the policies governing them. CAs themselves include both a
certificate holder function and a client function.
Functions of a CA are:
1. Issue and deliver certificates (both subordinate and cross-function certificates)
2. Access revocation requests from the certification holders and the ORAs for those certificates issued.
3. Posting certificates and CRLs to the repositories
4. Finally, request the CA certificates

RA, Certificate Repository

Core Component 3: Registration Authority (RA)


Registration Authorities are a combination of people, processes, and tools that are directly responsible for
authenticating the identity of new entities (users or systems) that require certificates from the
Certification Authorities. In addition, Registration Authorities maintain local registration data and
initiate the renewal and revocation procedures for old or backup certificates. In short, Registration Authorities
act as agents for CAs and can carry out a few of the functions of the CAs if required.
Functions of a RA are:
1. Responsible for authentication of new users or systems that require certificates from CAs.
2. Maintain a local registration data for renewal and revocation of redundant certificates
3. Also capable of some functions performed by the CAs.
4. Act as agents for CAs
5. Intermediary agent between CAs and prospective certificate

Core Component 4: Certificate Repository


The Certificate Repository is a database which is easily accessible to all the users of the PKI system. This
repository holds the Public Key certificates, the certificate revocation related information and the governing
policy information. The certificates, CRLs in the repository are used in information retrieval without
authentication.
Functions of a Certificate Repository are:
1. Act as a database to hold items like Public key certificates, revocation list, policy etc.
2. Allow information retrieval in an unauthenticated manner.
3. Be available to the users of the PKI.

PKI client

Core Component 5: PKI Client Software


PKI client software is required so that the entities of the PKI are capable of making use of the key and digital
certificate management services available in the PKI. Some examples of such services are: key creation,
automatic updating of keys and refreshment.
Functions of the PKI Client-side Software:
1. Helps PKI entities to use the key and digital certificate management services
2. Some examples include key creation, updating and refreshing.
Core Component 6: PKI-Enabled Applications
For any software applications to be used within the Public Key Infrastructure (PKI), they should be PKI-enabled. In
other words, it simply means that the applications or software should be capable of understanding and making
use of digital certificates. Such PKI-enabled application software should be able to authenticate remote users and
also authenticate the software itself for remote users while in a PKI.
Properties of a PKI-Enabled Software or Application:
1. PKI-enabled Applications.
2. Must be capable of understanding and using digital certificates
3. Capable of authenticating remote users and itself within a PKI system.

PKI Components

Core Component 7: Policy (Certificate Policy & the Certification Practice Statement)
The Certificate Policy and the Certification Practice Statement are policy documents: structured operating
documents that define the practices and procedures for the use, administration and management of certificates in a
PKI.
Properties of Policy documents in PKI:
1. Define the documented procedures and practices used to manage and administer certificates in a PKI
2. Include policy and practice statements
Other Components of the PKI:
In some circumstances a PKI also has other components, including the following:
• Trusted time stamping service: This service takes care of time stamping in a legitimate and
authorized manner, to ensure all important events are stamped with the time of occurrence within the PKI.
• Notary Services: These ensure the accuracy of the records of all the transactions logged and maintained in a Public
Key Infrastructure (PKI).
• IT Infrastructure: All PKI systems involve networks with both client machines and servers, which
together make up the IT infrastructure components of the PKI.

PEM or Privacy Enhanced Mail is a Base64 encoded DER certificate. PEM certificates are frequently used for web
servers as they can easily be translated into readable data using a simple text editor. Generally when a PEM encoded file
is opened in a text editor, it contains very distinct headers and footers.

CER is a file extension for an SSL certificate file format used by Web servers to help verify the identity and security of the
site in question. SSL certificates are provided by a third-party security certificate authority such as VeriSign, GlobalSign or
Thawte.

The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the
private key into a single encryptable file. PFX files are usually found with the extensions .pfx and .p12.

The Public-Key Cryptography Standards (PKCS) is a set of standards for public-key cryptography, developed by RSA
Laboratories in cooperation with an informal consortium, originally including Apple, Microsoft, DEC, Lotus, Sun and MIT.
https://technet.microsoft.com/en-us/library/dd261744.aspx

CSR - Generation

Before you can order an SSL Certificate, you must first generate a CSR (Certificate Signing Request) for your
server.
A CSR is an encoded file that provides you with a standardized way to send us your public key along with some
information that identifies your company and domain name. When you generate a CSR, most server software
asks for the following information: common name (i.e. www.example.com), organization name and location
(country, state/province, city/town), key type (typically RSA), and key size (2048 bit minimum).
When you generate the CSR, if you aren't sure of the exact company name or location, don't worry; we can
correct that information during our review process before we issue your certificate.

Ref => https://www.digicert.com/csr-creation.htm

cluster1::> security certificate generate-csr -common-name lab.companyname.com -size 2048 -country US -state CA -locality Sunnyvale -organization IT -unit Software -email-addr web@companyname.com
Certificate Signing Request:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
Private Key:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Note: Please keep a copy of your private key and certificate request for future reference.
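
The command output above shows the private key directly under the CSR, while only the CSR is meant to go to the CA. As an added example (not part of the original slides or of the cluster CLI), the following Python check splits such text into PEM blocks, confirms each body is Base64-encoded DER, and rejects anything that carries a private key. The function names and the placeholder DER sample are assumptions made for illustration.

```python
import base64
import re

# RFC 7468 textual encoding: BEGIN/END lines with matching labels around Base64 DER.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)


def der_is_single_sequence(der: bytes) -> bool:
    """True if `der` is exactly one ASN.1 SEQUENCE whose length field fits the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: the length is this byte
        header, length = 2, first
    else:                                 # long form: next (first & 0x7f) bytes hold the length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def pem_blocks(text: str):
    """Return a list of (label, well_formed) for every PEM block found in `text`."""
    found = []
    for begin, body, end in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                # binascii.Error is a ValueError subclass
            der = b""
        found.append((begin, begin == end and der_is_single_sequence(der)))
    return found


def safe_to_submit(text: str) -> bool:
    """Only a single well-formed CSR, and no private key material, may go to the CA."""
    blocks = pem_blocks(text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        return False
    return blocks == [("CERTIFICATE REQUEST", True)]


def pem(label: str, der: bytes) -> str:
    """Helper for the constructed samples below: wrap DER bytes in PEM armor."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed sample data: placeholder DER, not a real CSR or key.
FAKE_DER = b"\x30\x03\x02\x01\x00"        # SEQUENCE { INTEGER 0 }
CSR_ONLY = pem("CERTIFICATE REQUEST", FAKE_DER)
CLI_OUTPUT = "Certificate Signing Request:\n" + CSR_ONLY + \
             "Private Key:\n" + pem("RSA PRIVATE KEY", FAKE_DER)

if __name__ == "__main__":
    print(safe_to_submit(CSR_ONLY), safe_to_submit(CLI_OUTPUT))
```

The check is structural only: it does not verify the CSR's signature or read its subject fields.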

Certificate - Install

cluster1::> security certificate install -vserver vs1 -type server
Please enter Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----
MIIB8TCCAZugAwIBAwIBADANBgkqhkiG9w0BAQQFADBfMRMwEQYDVQQDEwpuZXRh cHAuY29tMQswCQYDVQQGEwJVUzEJMAcGA1UEC
BMAMQkwBwYDVQQHEwAxCTAHBgNV BAoTADEJMAcGA1UECxMAMQ8wDQYJKoZIhvcNAQkBFgAwHhcNMTAwNDI2MTk0OTI4 ...
-----END CERTIFICATE-----
Please enter Private Key: Press <Enter> when done
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAMl6ytrK8nQj82UsWeHOeT8gk0BPX+Y5MLycsUdXA7hXhumHNpvF C61X2G32Sx8VEa1th94tx+vOEzq+UaqHlt0CAwEAAQJBAMZ
jDWlgmlm3qIr/n8VT PFnnZnbVcXVM7OtbUsgPKw+QCCh9dF1jmuQKeDr+wUMWknlDeGrfhILpzfJGHrLJ ...
-----END RSA PRIVATE KEY-----
Do you want to continue entering root and/or intermediate certificates {y|n}: y
Please enter Intermediate Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----
MIIE+zCCBGSgAwIBAgICAQ0wDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1Zh bGlDZXJ0IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UECh
MOVmFsaUNlcnQsIElu Yy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24g ...
-----END CERTIFICATE-----
Do you want to continue entering root and/or intermediate certificates {y|n}: n
Note: You should keep a copy of your certificate and private key for future reference.
If you revert to an earlier release, the certificate and private key are deleted.

Eg – Alice and Bob

Which Keys does Alice send?


There are two cryptographic operations that Alice may want to do: encryption/decryption, and signing/validation.
You can either use the same keypair for both, or have two separate pairs of keys.

1 keypair method:
Here Alice would sign outgoing messages, and decrypt incoming messages with the same private key. Bob
would validate the signature on her outgoing messages, and encrypt messages for her using the same public key.
2 keypair method:
Here Alice would have a (signing_private_key, validation_public_key) keypair, and a separate
(decryption_private_key, encryption_public_key) keypair.
In both cases she only sends the public keys to the Certificate Authority (CA) to be made into certificates. The
private keys are private, she never shares them, they never leave her machine, they never become certificates.
How does the Certificate Authority (CA) trust Alice?
There are several trust models that different organizations use. Many large companies / government
departments operate their own CAs for internal email, file storage, etc. In these cases when someone is hired
they are issued digital certificates along with their ID badge, parking permit, etc. We trust that Alice is who she
claims to be because she's sitting right in front of the Security Officer issuing the ID.
For web certificates like SSL, establishing trust is a little more complicated. The CA/Browser Forum has guidelines
for CAs on how to verify the identity of applicants. Here is a long list of guidelines. The common forms that
most CAs offer are Domain Validated (DV) and Extended Validation (EV) SSL certificates.

… cont’d
Domain Validated (DV) certs
This basically asks you for an email address and a person's name along with the web domain that you want a
cert for. It does a whois lookup on the domain to make sure that the name and email you provided matched the
domain's registration information. Additionally they can send a confirmation to the email address to make sure
that you control it. DV certs can be completely automated, and in fact, "On November 18, 2014, a group of
companies and nonprofit organizations, including the Electronic Frontier Foundation, Mozilla, Cisco, and Akamai,
announced "Let's Encrypt", a new nonprofit certificate authority that plans to provide free TLS certificates"

Extended Validation (EV)


The CA/Browser Forum specifies criteria for issuing EV certs, these all require a human in the loop, and relate to
how stringently the identity of the applicant organization is researched. Having a phone call between the CA and the
applicant is a basic requirement. Often documents are signed, and a face-to-face meeting can even be required before the CA
will issue an EV cert. The level of validation that was performed will be included in the certificate to increase its
public trustworthiness, consequently issuing CAs charge more for higher quality EV certs.
Many issuers also offer variations on the SSL cert which don't fall into either the DV or EV categories. For
example GlobalSign also offers Organization Validation (OV) as an intermediate category. Entrust offers many different
types of certs depending on the network structure and software systems being used by the applicant.

Summary – Alice and Bob

1. Alice sends a CSR (certificate signing request) to the CA, which contains her public key, her name and
usually her location. This CSR is then signed to prove ownership of the associated private key. The CA uses
the data in the CSR to derive a certificate which will be handed to the user afterwards. The user can then
prove his identity.
2. The CA needs to "know" Alice. Usually this is done by setting up an account, verifying personal data in the
context of this account and putting the CSR in the context of the (verified) account.
3. They'll always check if the CSR matches (roughly) with the data you gave them with your account.
Concerning other validation there are different levels.
Level 1: simple validation.
You give the CA an e-mail address and it sends you a verification code which you have to enter in your
browser. (for S/MIME) Or the CA sends a mail to a box of "your" domain (like postmaster or the whois
address) and checks your ownership this way.
Level 2: personal validation
Usually this requires some official documents which you'll send the CA (as a copy). For companies this
means some tax documents or such things.
Level 3: extended validation
This means multiple documents (mainly tax stuff)

Thanks for your attention.
