Certificate Authority

Captions
Hello friends, welcome back. I am Rajnesh, and this session is about understanding the certification authority: how it works and how websites work over HTTP. Normally websites work over HTTP; for example, if I just try to open google.com here, you can see that it's working over plain text. You cannot see any kind of SSL information for it, and whatever traffic you are sending from your laptop to Google will go in plain text. I'll have a separate video explaining that, but right now you can understand that all the text, whatever you are typing, is being sent to Google, and whatever results you are getting back are all in plain text format. But when you try to open or log in to google.com, you see that there is a certificate, and if you click on the certificate you will see that it's verified by Thawte Consulting Private Limited. So this says that this is the right site which I am trying to open and it's not any fake site. For example, if you try to open a name with a triple zero or a triple o, it could be a different site, but the certificate would say that the certificate doesn't belong to that site. So as of now you can see that google.com is verified by Thawte, and if you see more information it shows you from when till when the certificate is fine. You can see the common name corresponding to it, accounts.google.com; so this specific certificate is created for accounts.google.com, and if you try to use the certificate on wwe.com it will not work, because the certificate was created specifically for accounts.google.com. Here you have the details: Google Inc; organization unit, optional, so they didn't specify. Issued by: this is the certificate authority which signed this certificate signing request from Google; it was Thawte, and here are the details for it. The final part that you can see is when it was issued: it was issued on 1st July 2013 and it expires on 19th July 2013, so it needs to be updated before that, it needs to be re-signed before that, or it could be a new certificate that they may obtain.

So here again you can see serial number, issuer, validity, not before; the same details you can see over here. Now just a small PPT: how it actually works is that you create a key, you create a certificate signing request using this key and send it to the certification authority; the certification authority signs it and sends it back to you as a certificate which is ready to be used on a web server. And whenever you are trying to use the certificate you need to have the key that you used to generate the CSR, so this is very important: keep it safe till the time the certificate is to be used.

Coming back to the lab, here is my local machine; this is my certification authority, this is again my certification authority, so this is my RHEL 6 machine, and the folder that you can see is /etc/pki/tls. In /etc/pki you have the details corresponding to PKI, or public key infrastructure: this is the certification authority (CA), the one corresponding to Java, and tls, transport layer security. So under the tls folder, or you can say /etc/pki/tls, you have the openssl.cnf; sorry, I have to use vi because vim is not yet installed. So this is the generic openssl.cnf which is present; you can modify it. The main section we will be concerned with is about CA: the default here is CA_default, and in the CA_default section, what is the folder corresponding to it? /etc/pki/CA. Let me confirm whether it's present on the certification authority; yes, it is present. Under this there should be the folders certs, crl, newcerts. certs is the folder that you will be putting the certificates into; the issued certificates will be kept under it. crl means certificate revocation list; whatever certificates are revoked will be present in it. database, index.txt: can you see this file? No, you cannot see it, so let's touch it. This will be used to keep track of indexes, which I'll show you. New certificates directory, newcerts: is it present? Yes; new certificates will be placed under it. cacert.pem: if you want you can change the name; let's make it ca.crt. It could be any extension, doesn't matter, or just for convenience and understanding, if you want, you can name it ca.crt; it could be any name, doesn't matter. serial, the current serial number: it's not present, let's just touch it, and we are touching all these things in the /etc/pki folder, /etc/pki/CA. Certificate revocation list, crl.pem. The private key: let's, for simplicity (it could be any name, doesn't matter; if you want you can keep it the same), and it's not present, so we will have to create it. So let's create it at the same time: openssl genrsa -des3, let's use this algorithm, and the size, let's give it 2048, and send it to ca.key. So it is asking you for the passphrase, the passphrase for the certification authority; let's keep it myCA. Okay, I just typed it to give a reminder of it: myCA is the password, myCA; it could be anything. So whenever you are trying to use this private ca.key you need to know the password for it. And let me see the permissions: private, this folder can be accessible only by root; that's fine. So after you have generated this key, the next is RANDFILE, that's fine; certificate name options, they are to be fetched from ca_default; certificate options, they are to be fetched from ca_default, okay. The other thing that's important is, by default, for how many days should the generated certificates be valid? By default it's one year; let's make it ten years, you can modify it according to your convenience. For CRLs, for how many days it should be generated; default_md; preserve; let the other variables be default. policy is an important variable, which says policy_match should be used, and policy_match is the policy that starts from here, which says country name should match. For example, I am getting a certificate signed for any company, xyz.com; the certification authority will be able to sign it only in the case when the country name matches, the state name matches, the organization name matches; organization unit is optional, it may be present or may not be present; common name is supplied, doesn't need to match; and email address is optional, may or may not match. So this works well for a company. policy_anything means let it be anything: anything for email address, country name could be anything, and the CA will be able to sign it. req corresponds to the request that you are creating, or the CSR that you are creating: default_bits, the size of default bits that an algorithm has to use; default key file name will be this one; distinguished_name, and here you can see the other attributes that could be used. By default the distinguished name will be fetched from the section: country name, if you want to set it default to IN; so I'll show you, when creating the certificate signing request or certificate, the default country name that it will provide you will be IN in our case. Now for state also, if you want to set a default, uncomment it and type the name of the state; locality name default; organization name default, it could be the name of your organization; and email address, you can set it as default if you want. So these were the main things; just write and quit.

Now, till now what we have done is we have created a private key. Now we will be creating a certificate, or CSR, that will be signed by the certification authority, and we may use that for signing others; but if you are talking about your own organization you may use the self-signed certificate throughout your organization. So to create it, openssl is the command, req, -new, -x509, and what was the name of the CA certificate? The name was ca.crt, so let it be ca.crt. So let's understand this line: this says I am requesting something which is new; x509 says it should be a certificate rather than a certification request, the format it uses; so x509 means generate a certificate using the key private/ca.key, and the output should go to ca.crt. And we are left with one more thing: how much should be the validity of that key, validity of that, sorry, validity of the CA certificate. Let's keep it valid for around 20 years, which is 365, one year, into 20; let's keep it for 20 years, and recalculate. So right now your certification authority will work for the next 20 years; -days. So now you see that it's prompting you to enter the passphrase for the private key, because you are using this key to create a certification authority; so the password was myCA. Here it prompts you for the country name: it's IN, because in this openssl.cnf we modified the country name default to IN, so just press enter. State: it prompted for Rajasthan because we entered it in the _default. Locality, organization name and organization unit name, it could be anything or blank. Common name is the most important thing, so what's the name of our CA? It's ca.rcsiwal.in; paste. Email address. So now if we see, we have ca.crt; let me see the location. What's the location of ca.crt? It's in /etc/pki/CA; fine, in /etc/pki/CA I have ca.crt, so I got it signed for 20 years. If I just want to analyze the CA once again in days: openssl x509 -in ca.crt, it should be -dates, -noout, don't display anything extra, or the complete certificate. So it says that it can be used not before, okay, not after; so its validity started on 8 November 2012 and it's valid till 2032 November 3; the number of days comes out to be around 20 years, as I specified while creating the certification authority, so it sure is the same. And if you see for whom it was, here you can see the subject; the subject and issuer are the same because it's a self-signed certificate. Now we have a certification authority ready with everything, and we want a client to create a key and ask the certificate authority to get it signed. Let's go with it.

Let's create a temporary folder, and the first thing is genrsa, type of key -des3, size, let's give it 2048, it is pretty secure enough, and send the output to, let's say, client.key. Now the passphrase, let's keep it client, or it can be anything: c-l-i-e-n-t. So now you have client.key visible to you. Now the second part that I need to do is I need to create a certificate signing request which I'll be sending to the certification authority: openssl req -new, create a new request as a CSR, so -key, -out is, let's say, dev.rcsiwal.in; so this is our website, our server, for which I'm expecting the CSR. As I have to use client.key I need to provide the password for the client, which is client. Now you can see the country name as Australia rather than India because I didn't modify it on my client machine; so I'm in India, in Rajasthan, in Pilani; organization name, anything, and organization unit name; common name is the most important thing, let me copy it; challenge password, let's keep it blank. Now we have a CSR which is ready to be signed by the certification authority. Let's move to the certification authority. Oh, here I was; okay, I moved to /tmp, www.rcsiwal.in.csr. Okay, there are two ways: either you can scp, or you can just create the same file over there. Let's use scp root@10.0.10.2; okay, client libraries are not there. Okay, so the other approach could be to just copy the file and just paste it over here, because it's simple plain text, and if you see the file it says BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST. So now openssl, openssl ca for the certification authority, -in, -out; in the outfile we are just changing the .csr to .crt. So finally what it is doing is using the openssl command as a certification authority, and it says take the CSR file and provide the output in the CRT file over here only. Now it asks you for the password corresponding to ca.key, I think it was myCA; okay, unable to load serial number. Okay, let's initialize this file; this file should have the first serial number. So now we have the serial number 1, which will, say, try to sign the first, try to sign the CSR, and provide the serial number 1. myCA; okay, the signature was fine, everything was fine, but there is a policy which says the organization name should be the same. Here the policy says policy_match is to be used, and let's say the organization name should match. In case you are trying to sign the certificates from anything, either just change the policy to use this one, or the other option could be that you are going to create a CSR once again matching the organization name. So the best approach as of now is to change the policy that it uses; so now it will be using policy_anything. Here you have typed the same command, ca -in as CSR and output as CRT; it will ask you for the password corresponding to the key, checks it's okay, and here it shows you the details of the certificate that it will be creating: serial number is 1; it will be valid for 10 years, 2012 to 2022; if you want you can specify a shorter duration, I'll show you, there is a variable default_days that you have set to 10 years, you can set it to 1 year or any time which you prefer; subject, and here you can see the details of the CSR that you received. In case you agree that it's the right one and you can sign it, then go ahead and sign it. So finally this certificate is going to be used by a web server, so finally it is not going to be a certification authority; this certificate that I am using cannot be used as a certificate authority. OpenSSL generated certificate and keys; so sign the certificate, yes; commit, yes. Now you can see that you have a certificate: this .csr, copy, and here you have the certificate. I just get it back to my client machine: .crt; this is the request and .crt is the certificate, and here you can see the details about your certificate. Okay, so in /tmp/ssl I created this certificate file; now let's try to browse it: /tmp/ssl. Now you see the identity, or it can be used on www.rcsiwal.in; it is verified by the certification authority, the name of which is ca.rcsiwal.in, and it expires on 2022 November 6. And here you can see the other details about the certificate: these are the details of my certificate, these are the details of the issuer who issued it, version, serial number is 1, and here you can see all the details that you want to see regarding the use of the certificate. I will be configuring Apache in the next session and I'll show you.

So before we finish up with it, let's recall the things once again. Here is the PPT: I created a key, created a certificate signing request, sent it to the certification authority; the certification authority signed it, verified it and sent me back the certificate. Now the CSR is of no use to me; I can use my key and certificate to implement, or to use, this certificate, and regarding the use it will be a different session. Hope you understood this session. Thanks for listening, have a good day.
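The whole procedure from the session (CA directory layout, CA key, self-signed CA certificate, client key and CSR, signing with openssl ca, then checking the chain), as an added example that is not the video's own commands. It assumes openssl is on PATH, uses a temporary directory in place of /etc/pki/CA, the made-up names ca.example.test and www.example.test, and an unencrypted CA key (the video protects it with a -des3 passphrase).

```shell
# Added example, not the video's own commands: the CA workflow from the session in a scratch dir instead of /etc/pki/CA.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"   # stands in for /etc/pki/CA
setup_ca() {
  # Layout CA_default expects: newcerts/, private/, index.txt (database), serial (next serial number)
  mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
  chmod 700 "$CA_DIR/private"
  touch "$CA_DIR/index.txt"
  echo 01 > "$CA_DIR/serial"
  cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/private/ca.key
default_days = 3650
default_md = sha256
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
  # CA private key (the video adds a -des3 passphrase; omitted so this runs unattended)
  openssl genrsa -out "$CA_DIR/private/ca.key" 2048 2>/dev/null
  # Self-signed CA certificate: -x509 makes req emit a certificate instead of a CSR
  openssl req -new -x509 -days 7300 -config "$CA_DIR/ca.cnf" -key "$CA_DIR/private/ca.key" \
    -subj "/C=IN/ST=Rajasthan/O=Example Org/CN=ca.example.test" -out "$CA_DIR/ca.crt"
}
make_csr() {  # client side: $1 = hostname; creates $1.key and $1.csr
  openssl genrsa -out "$CA_DIR/$1.key" 2048 2>/dev/null
  openssl req -new -config "$CA_DIR/ca.cnf" -key "$CA_DIR/$1.key" -subj "/C=IN/O=Other Org/CN=$1" -out "$CA_DIR/$1.csr"
}
sign_csr() {  # CA side; -batch skips the interactive "Sign? / commit?" prompts
  openssl ca -batch -notext -config "$CA_DIR/ca.cnf" -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt"
}
verify_cert() {  # returns 0 when $1.crt chains to ca.crt
  openssl verify -CAfile "$CA_DIR/ca.crt" "$CA_DIR/$1.crt" >/dev/null
}
setup_ca && make_csr www.example.test && sign_csr www.example.test && verify_cert www.example.test
```

After the run, serial holds the next number (02) and index.txt carries a "V" (valid) line for the issued certificate, which is the bookkeeping openssl ca relies on to issue and revoke.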
Info
Channel: Rajnesh Kumar Siwal
Views: 31,341
Keywords: linux, CA, Certificate Authority, SSL Certificates
Id: Gw-Iq9StoXg
Length: 30min 41sec (1841 seconds)
Published: Thu Nov 08 2012