Victor Penso - SSL/TLS Certificates

Certificate Authority

TLS (Transport Layer Security) protocol…

…secure communication for client-server applications
…uses public and private key pairs to encrypt communication
…uses X.509 certificates to bind identities
…certificates must be signed by a certification authority (CA)
…sign certificates with a certificate signing request (CSR)

Private certificate authorities (CA)…

…private CA uses a self-signed certificate
…useful to verifying entities within your internal network

Non-profit CA providing TLS certificates: Let’s Encrypt ¹

Encoding Formats

Practically only a “boxes” to hold certificates and keys…

Certificate encoding schemas…

PEM (originally “Privacy Enhanced Mail”)
- …base64 ASCII encoding …plain-text headers and footers
- …can contain end-entity certificate …private key
- …or multiple certificates forming a complete chain of trust
- …usual extensions .crt, .pem, .cer, and .key
- …start with a line ----BEGIN CERTIFICATE----
DER (Distinguished Encoding Rules)
- …binary …do not contain plain text
- …usual extensions .der and .cer

Container formats …contains both public and private certificates

PKCS#12 …aka PKCS12 or PFX …extensions .p12 or .pfx
PKCS#7 …aka P7B …extension .p7b

Server Certificates

Common use-case for PKI are server certificates

…used for transport encryption (for example with HTTPS protocol)
PKI configuration on servers…
- /etc/pki/tls/certs for CA certificates
- /etc/pki/tls/private for private keys

Obtain certificates from Let’s Encrypt using certbot ²

Libraries

dnf install -y gnutls-utils openssl

SSL/TLS libraries and tooling …most commonly used:

GnuTLS ³ …LGPL …Free Software Foundation
OpenSSL ⁴ …Apache 2 licence

OpenSSL

View content of a certificate

1openssl x509 -in $file -text -noout
2openssl x509 -in $file -inform der -text -noout
# conversion
3openssl x509 -outform der -in $file.pem -out $file.der
4openssl x509 -inform der -in $file.der -out $file.pem

1: PEM encoded certificates …typical suffix .pem, .crt, .cer
2: DER encoded certificate k,.typical suffix .der
3: Convert PEM certificate to DER
4: Convert DER certificates to PEM

GnuTLS

Create a private CA…

# generate a 256-bit ECDSA private key
certtool --generate-privkey --sec-param High --key-type=ecdsa --outfile ca.key

# create a configuration file template
cat > ca.conf <<EOF
organization = "Example Organization"
state = "Example"
country = EX
cn = "Example CA"
serial = 007
expiration_days = 365
ca
cert_signing_key
crl_signing_key
EOF

# generate a self-signed certificate
certtool --generate-self-signed --load-privkey ca.key --template ca.conf --outfile ca.crt

Create a server certificate…

# generate a 256-bit ECDSA private key
certtool --generate-privkey --sec-param High --outfile server.key

# create a configuration file template
cat > server.conf <<EOF
country = "EX"
organization = "Example Organization"
cn = "server.example.org"
signing_key
encryption_key
key_agreement
tls_www_server
dns_name = "example.org"
dns_name = "server.example.org"
ip_address = "192.168.0.1"
ip_address = "::1"
ip_address = "127.0.0.1"
EOF

# create a CSR using the private key
certtool --generate-request --template server.conf --load-privkey server.key \
         --outfile server.csr

Use a private CA to issue a certificatek…

cat > server-extensions.conf <<EOF
honor_crq_extensions
ocsp_uri = "http://ocsp.example.com"
EOF

certtool --generate-certificate --load-request server.csr \
         --load-ca-privkey ca.key --load-ca-certificate ca.crt \
         --template server-extensions.conf --outfile server.crt

Trust

Enterprise Linux …ca-certificates package ⁵…

…upstream project CA certificates chosen by the Mozilla Foundation
…basically includes well-known CA certificates found in Firefox

Trust model based on hierarchy… root CAs at the top …trusted by default

Trust Anchors …root CA certificates are known as trust anchors
Trust chain …verifies end-entity certificates
- …signed by a trusted CA (directly or intermediate CA)
- …checks validity (not expired or revoked)
- …ensures that the certificate matches the domain

`trust`

# …verify the trust status
trust list --filter=ca-anchors | grep 'label: '

# Store a certificate in the trust-source directory
trust anchor --store $cert
update-ca-trust

# Remove a certificate from the trust-source directory 
trust anchor --remove $cert
update-ca-trust

`update-ca-trust`

Command update-ca-trust configures CA certificates and associated trust

Add certificates (PEM format) to a trust anchors source directories…
- /etc/pki/ca-trust/source/anchors …high priority
- /usr/share/pki/ca-trust-source/ …low priority
- …define untrusted CAs in /etc/pki/ca-trust/source/blocklist/
update-ca-trust extract based on the source configuration…
- …generates /etc/pki/ca-trust/extracted/

Footnotes

Let’s Encrypt
https://letsencrypt.org ↩︎
Certbot, Electronic Frontier Foundation
https://certbot.eff.org
https://github.com/certbot/certbot ↩︎
GnuTLS
https://gnutls.org/manual/gnutls.html ↩︎
OpenSSL
https://www.openssl.org/docs ↩︎
CA Certificates, Fedora Wiki
https://fedoraproject.org/wiki/CA-Certificates ↩︎

--- title: SSL/TLS Certificates categorie: - Linux - Security date: 2024/06/21 date-modified: 2024/08/27 title-block-banner: true toc-depth: 4 toc-expand: 4 --- ## Certificate Authority TLS (Transport Layer Security) protocol… - …secure communication for client-server applications - …uses public and private key pairs to encrypt communication - …uses X.509 certificates to bind identities - …certificates must be signed by a **certification authority** (CA) - …sign certificates with a **certificate signing request** (CSR) Private certificate authorities (CA)… - …private CA uses a **self-signed certificate** - …useful to verifying entities within your internal network Non-profit CA providing TLS certificates: Let’s Encrypt [^QnlII] [^QnlII]: Let’s Encrypt <https://letsencrypt.org> ### Encoding Formats Practically only a "boxes" to hold certificates and keys… Certificate encoding schemas… - **PEM** (originally “Privacy Enhanced Mail”) - …base64 ASCII encoding …plain-text headers and footers - …can contain end-entity certificate …private key - …or multiple certificates forming a complete chain of trust - …usual extensions `.crt`, `.pem`, `.cer`, and `.key` - …start with a line `----BEGIN CERTIFICATE----` - **DER** (Distinguished Encoding Rules) - …binary …do not contain plain text - …usual extensions `.der` and `.cer` Container formats …contains both public and private certificates - **PKCS#12** …aka PKCS12 or PFX …extensions `.p12` or `.pfx` - **PKCS#7** …aka P7B …extension `.p7b` ### Server Certificates Common use-case for PKI are server certificates - …used for transport encryption (for example with HTTPS protocol) - PKI configuration on servers… - `/etc/pki/tls/certs` for CA certificates - `/etc/pki/tls/private` for private keys Obtain certificates from Let's Encrypt using `certbot` [^Jtrkm] [^Jtrkm]: Certbot, Electronic Frontier Foundation <https://certbot.eff.org> <https://github.com/certbot/certbot> ## Libraries ```bash dnf install -y gnutls-utils openssl ``` SSL/TLS libraries and tooling …most commonly used: - **GnuTLS** [^DZ0NQ] …LGPL …Free Software Foundation - **OpenSSL** [^XM84s] …Apache 2 licence [^DZ0NQ]: GnuTLS <https://gnutls.org/manual/gnutls.html> [^XM84s]: OpenSSL <https://www.openssl.org/docs> ### OpenSSL View content of a certificate ```bash openssl x509 -in $file -text -noout #<1> openssl x509 -in $file -inform der -text -noout #<2> # conversion openssl x509 -outform der -in $file.pem -out $file.der #<3> openssl x509 -inform der -in $file.der -out $file.pem #<4> ``` 1. PEM encoded certificates …typical suffix `.pem`, `.crt`, `.cer` 2. DER encoded certificate k,.typical suffix `.der` 3. Convert PEM certificate to DER 4. Convert DER certificates to PEM ### GnuTLS Create a private CA… ```bash # generate a 256-bit ECDSA private key certtool --generate-privkey --sec-param High --key-type=ecdsa --outfile ca.key # create a configuration file template cat > ca.conf <<EOF organization = "Example Organization" state = "Example" country = EX cn = "Example CA" serial = 007 expiration_days = 365 ca cert_signing_key crl_signing_key EOF # generate a self-signed certificate certtool --generate-self-signed --load-privkey ca.key --template ca.conf --outfile ca.crt ``` Create a server certificate… ```bash # generate a 256-bit ECDSA private key certtool --generate-privkey --sec-param High --outfile server.key # create a configuration file template cat > server.conf <<EOF country = "EX" organization = "Example Organization" cn = "server.example.org" signing_key encryption_key key_agreement tls_www_server dns_name = "example.org" dns_name = "server.example.org" ip_address = "192.168.0.1" ip_address = "::1" ip_address = "127.0.0.1" EOF # create a CSR using the private key certtool --generate-request --template server.conf --load-privkey server.key \ --outfile server.csr ``` Use a private CA to issue a certificatek… ```bash cat > server-extensions.conf <<EOF honor_crq_extensions ocsp_uri = "http://ocsp.example.com" EOF certtool --generate-certificate --load-request server.csr \ --load-ca-privkey ca.key --load-ca-certificate ca.crt \ --template server-extensions.conf --outfile server.crt ``` ## Trust Enterprise Linux …**`ca-certificates` package** [^aIymw]… [^aIymw]: CA Certificates, Fedora Wiki <https://fedoraproject.org/wiki/CA-Certificates> - …upstream project CA certificates chosen by the Mozilla Foundation - …basically includes well-known CA certificates found in Firefox Trust model based on hierarchy… root CAs at the top …trusted by default * **Trust Anchors** …root CA certificates are known as trust anchors * **Trust chain** …verifies end-entity certificates - …signed by a trusted CA (directly or intermediate CA) - …checks validity (not expired or revoked) - …ensures that the certificate matches the domain ### `trust` ```bash # …verify the trust status trust list --filter=ca-anchors | grep 'label: ' # Store a certificate in the trust-source directory trust anchor --store $cert update-ca-trust # Remove a certificate from the trust-source directory trust anchor --remove $cert update-ca-trust ``` ### `update-ca-trust` Command `update-ca-trust` configures CA certificates and associated trust - Add certificates (PEM format) to a **trust anchors source directories**… - `/etc/pki/ca-trust/source/anchors` …high priority - `/usr/share/pki/ca-trust-source/` …low priority - …define untrusted CAs in `/etc/pki/ca-trust/source/blocklist/` - `update-ca-trust extract` based on the source configuration… - …generates `/etc/pki/ca-trust/extracted/`