SSL Certificate Operations

Why do we need SSL/TLS?

  • Server [/Client] authentication for source [/dest] validation and trust.
  • Secure data transfer using encryption

SSL Communication Process


  1. Server authentication (Handshake)
  2. Key Exchange
  3. Encrypted data transfer (Record)


Request, sign, install and verify


CA Signed

  1. Generate the private key and certificate signing request for your site.
    openssl genrsa -out mysite.key 4096
    openssl req -new -key mysite.key -out mysite.csr
  2. Send mysite.csr to the CA of your choice.
  3. The CA signs it and returns the certificate, say mysite.crt.
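
The three steps above, run end to end against a throwaway private CA so the result can be verified offline. This is an added example, not part of the original page; the CA names, mysite.example and the function names are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: throwaway CA -> key + CSR -> signed certificate -> verification.
# "Example Test CA", "Unrelated Test CA" and mysite.example are constructed names.
set -euo pipefail

# Create a self-signed root CA (ca.key, ca.crt) in directory $1 with CN $2.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Steps 1-3: site key and CSR, then the CA in directory $1 signs the CSR.
issue_leaf() {
    local dir="$1" cn="$2"
    openssl genrsa -out "$dir/mysite.key" 2048 2>/dev/null
    openssl req -new -key "$dir/mysite.key" -subj "/CN=$cn" -out "$dir/mysite.csr"
    openssl x509 -req -in "$dir/mysite.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 7 -out "$dir/mysite.crt" 2>/dev/null
}

# Exit 0 only if certificate $2 chains to the CA certificate $1.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

ca_dir=$(mktemp -d); other_dir=$(mktemp -d)
trap 'rm -rf "$ca_dir" "$other_dir"' EXIT
make_ca "$ca_dir" "Example Test CA"
make_ca "$other_dir" "Unrelated Test CA"
issue_leaf "$ca_dir" "mysite.example"

# The certificate verifies only against the CA that actually signed it.
verify_against "$ca_dir/ca.crt" "$ca_dir/mysite.crt" && echo "trusted by issuing CA"
verify_against "$other_dir/ca.crt" "$ca_dir/mysite.crt" || echo "rejected by unrelated CA"
```

A client trusts mysite.crt only if the issuing CA's certificate is in its trust store, which is what the second check shows failing.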


Self Signed

  1. Generate the private key and a self-signed certificate valid for 365 days.
    openssl req -x509 -newkey rsa:4096 -keyout mysite.key -out mysite.crt -days 365
  2. Install the certificate


SSL Certificate types (DV, OV, EV)

DV – Domain Validated (Basic)

  • Small or medium-sized website owners who only wish to encrypt traffic to their domain can use a DV SSL certificate. (https://www.ycombinator.com/, https://www.nisheed.com)
  • Features
    • Green padlock, but no validation of the organization.
    • Lower price
    • Quick issuance within minutes
    • No paperwork or documentation required for validation. Validated against the domain only. It guarantees neither the identity of the website’s owner nor the actual existence of the organization.
    • 99.9% mobile and web browser compatibility
    • Available with Wildcard and Multi Domain features
    • Reissue as many times as needed during the validity period
  • Validation process (email, file, registrar)
  • https://aboutssl.org/domain-validated-ssl-validation-process

OV – Organization Validated (Enhanced)

EV – Extended Validated (Complete)

OpenSSL

Read cert (online)

openssl s_client -connect www.google.com:443 < /dev/null 2>/dev/null
openssl s_client -showcerts -connect www.google.com:443 < /dev/null 2>/dev/null

Read the cert – x509 decoded (online)

openssl s_client -connect qbo.intuit.com:443 < /dev/null 2>/dev/null | openssl x509 -in /dev/stdin -text

Check expiry [startdate, fingerprint, …]

openssl s_client -connect qbo.intuit.com:443 < /dev/null 2>/dev/null | openssl x509 -in /dev/stdin -noout -enddate [-startdate -fingerprint -sha1, …]

Verify the key and cert (offline)

openssl rsa -in admin.prod-lvdc.qbo.ie.intuit.com.key -noout -modulus | openssl sha256
openssl x509 -in admin.prod-lvdc.qbo.ie.intuit.com.crt -noout -modulus | openssl sha256

The key and the certificate belong together when both commands print the same digest.
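
The same offline check can be done by comparing public keys instead of the RSA modulus, which goes beyond the commands above because it also covers EC keys. This is an added example, not part of the original page; the function names and the throwaway mysite.example material are constructed.

```bash
#!/usr/bin/env bash
# Added example: pair a private key with a certificate by comparing public keys.
# Unlike the RSA modulus comparison, this also works for EC keys.
set -euo pipefail

# Exit 0: key matches cert. Exit 1: mismatch. Exit 2: a file could not be parsed.
key_matches_cert() {
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$from_key" = "$from_cert" ]
}

# Constructed sample material: a throwaway self-signed pair.
# $1 = output prefix, remaining arguments = key options passed to "openssl req".
new_selfsigned() {
    local prefix="$1"; shift
    openssl req -x509 "$@" -nodes -days 7 -subj "/CN=mysite.example" \
        -keyout "$prefix.key" -out "$prefix.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
new_selfsigned "$demo_dir/rsa" -newkey rsa:2048
new_selfsigned "$demo_dir/ec" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1

key_matches_cert "$demo_dir/rsa.key" "$demo_dir/rsa.crt" && echo "rsa: key and cert match"
key_matches_cert "$demo_dir/ec.key"  "$demo_dir/ec.crt"  && echo "ec: key and cert match"
key_matches_cert "$demo_dir/rsa.key" "$demo_dir/ec.crt"  || echo "rsa key vs ec cert: mismatch"
```

The separate exit code for unreadable input matters in deployment scripts: two files that both fail to parse must never be reported as a matching pair.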

Public key extraction from private key or CSR

openssl rsa -in mysite.key -pubout > mysite.pub.key
openssl req -noout -in mysite.csr -pubkey > mysite.pub.key

Remove passphrase from private key

openssl rsa -in mysite.key -out nopassphrase_mysite.key

Certificate Standard & Structure

x509 – PKIX (Public Key Infrastructure) certificate rfc6818


Encoding

DER  => Binary DER encoded certs. (appear as .cer/.crt files)

PEM => ASCII (Base64) armored data prefixed with a “-----BEGIN …” line. (appears as .cer/.crt/.pem files)

File extensions

.crt => *nix convention of binary DER or Base64 PEM
.cer => Microsoft convention of binary DER or Base64 PEM
.key => public/private PKCS#8 keys. DER or PEM.

View certificate content

openssl x509 -in ServerCertificate.pem -text -noout
openssl x509 -in ServerCertificate.der -inform der -text -noout

Encoding conversion

openssl x509 -in ServerCertificate.cer -outform der -out ServerCertificate.der
openssl x509 -in ServerCertificate.der -inform der -outform pem -out ServerCertificate.pem

Chain of Trust

openssl s_client -connect google.com:443 -showcerts < /dev/null 2>/dev/null


Trust Stores

  • Application trust stores
    • Browser
      • Public keys of all major CAs come with release
    • Applications (JDK/Tomcat, ColdFusion etc)
      • Mostly there but less frequently updated.
      • You need to take care if stored in custom location.

JDK

/usr/local/java/jre/bin/keytool -import -v -alias SHA2_Standard_Inter_Symantec_Class_3_Standard_SSL_CA_G4 -file /$path/SHA2_Standard_Inter_Symantec_Class_3_Standard_SSL_CA_G4.cer -keystore /application/conf/jssecacerts -storepass changeit -noprompt

/usr/local/java/jre/bin/keytool -list -v -keystore /application/conf/jssecacerts -storepass changeit

ColdFusion

/usr/cfusion8/runtime/jre/bin/keytool -import -v -alias SHA2_EV_Inter_Symantec_Class_3_EV_SSL_CA_G3 -file /root/SHA2_EV_Inter_Symantec_Class_3_EV_SSL_CA_G3.cer -keystore /usr/cfusion8/runtime/jre/lib/security/cacerts -storepass changeit

/usr/cfusion8/runtime/jre/bin/keytool -list -v -keystore /usr/cfusion8/runtime/jre/lib/security/cacerts -storepass changeit

Certificate pinning

HTTP Public Key Pinning, or HPKP (rfc7469).

This standard allows websites to send an HTTP header instructing the browser to remember (or “pin”) parts of its SSL certificate chain. The browser will then refuse subsequent connections that don’t match the pins that it has previously received. Here’s an example of an HPKP header:

Public-Key-Pins: 
       pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; 
       pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; 
       max-age=259200
Public-Key-Pins-Report-Only:
       max-age=2592000; 
       pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; 
       pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; 
       report-uri="https://example.net/pkp-report"

# Generate private key and csr.
openssl genrsa -out mysite.key 4096
openssl req -new -key mysite.key -out mysite.csr
# Get the crt from CA
openssl x509 -noout -in mysite.crt -pubkey | openssl asn1parse -noout -inform pem -out mysite.pub.key
openssl dgst -sha256 -binary mysite.pub.key | openssl enc -base64
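# Form the header and add it to the web server (e.g. Apache).
# RFC 7469 also requires a backup pin: a second pin-sha256 for a key that is not in the current certificate chain.
Header add Public-Key-Pins "max-age=500; includeSubDomains; pin-sha256=\"wBVXRiGdJMKG7vQhr9tZ9br9Md4l7cO69LF2a88Au/o=\";"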
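
The pin calculation above, extended to produce a header with both the live pin and a backup pin taken from a spare private key. This is an added example, not part of the original page; the function names, backup.key and the mysite.example material are constructed.

```bash
#!/usr/bin/env bash
# Added example: derive HPKP pin-sha256 values and assemble a header with a backup pin.
set -euo pipefail

# pin = base64(SHA-256(DER SubjectPublicKeyInfo)); reads a PEM public key on stdin.
pin_from_pubkey_pem() {
    openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
}

# The pin of a certificate and the pin of its private key are the same value.
pin_from_cert() { openssl x509 -in "$1" -noout -pubkey | pin_from_pubkey_pem; }
pin_from_key()  { openssl pkey -in "$1" -pubout | pin_from_pubkey_pem; }

# $1 = live certificate, $2 = backup private key (kept offline), $3 = max-age in seconds.
hpkp_header() {
    printf 'Public-Key-Pins: pin-sha256="%s"; pin-sha256="%s"; max-age=%s\n' \
        "$(pin_from_cert "$1")" "$(pin_from_key "$2")" "$3"
}

# Constructed sample material: a throwaway certificate and a spare key.
pin_dir=$(mktemp -d)
trap 'rm -rf "$pin_dir"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=mysite.example" \
    -keyout "$pin_dir/mysite.key" -out "$pin_dir/mysite.crt" 2>/dev/null
openssl genrsa -out "$pin_dir/backup.key" 2048 2>/dev/null

hpkp_header "$pin_dir/mysite.crt" "$pin_dir/backup.key" 259200
```

Because the pin depends only on the public key, the backup pin can be published before any certificate exists for the backup key.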

Free & Open certificates

Let’s Encrypt