What's in a Digital Certificate?

Captions
Hey everybody, John Wagnon here with DevCentral. We're coming to you with another Lightboard Lesson video, and today we're going to talk about digital certificates: what they are, why you care about them, and specifically what's inside one of these things. So I guess the first question is, what is a digital certificate? The basic answer is that it's a digital file that's used to store information about your website. Imagine you're a user on your internet browser, so you're a client out here on the internet, and you've got your browser, whether it's Firefox or Chrome or whatever you use, and you use that to access some website out here. There's going to be a web server that holds that website. If that is a secure website (I'll put https:// here), then there's going to be a digital certificate that holds information that's going to need to be shared back with the browser, so you can do this whole internet transaction in a secure way.

Whenever a client accesses a secure website, one of the first things that happens is you go through what's called a handshake. One of the first parts of that is the client sends what's called a Client Hello message, and then the web server sends a certificate right here back to the browser. I'll draw this certificate as a little file. It's got several pieces of information in it, and the information that's in the certificate is critical to accomplishing the secure transaction that happens between the browser and the web server. So we wanted to dig into what is actually in that certificate and why you need to care about it.

The first thing, whenever you look at a certificate, which you can do for any secure website that you visit: this experience that you're viewing right now is actually on a secure website. YouTube uses HTTPS encryption, and so does DevCentral, so regardless of where you're watching this, it's a secure transaction. When you open up that certificate, the first thing you'll notice is a version number, and for most modern certificates it'll say v3. Some people may wonder, hey, what's that v3? Is that like SSL v3? Is it TLS 1.3? What is that? Actually, what that is is the X.509 standard, which defines what's in the certificate, and this is version 3 of X.509. The version of the X.509 certificate defines what else is going to be in that certificate. So the version is v3 most of the time, and I'll put X.509 out here.

The next thing you'll notice is a serial number, and I'll put CA right here. A serial number is a unique number assigned to that specific certificate, and it's issued by the certification authority. There are a whole bunch of certification authorities out there; you can decide which one you want to use based on cost, or based on security, or based on how much you love them or not, or whatever. But whichever one you use, when it creates the certificate, it's going to issue a serial number for that certificate and put it in the actual certificate itself, so that'll be listed there.

There's also a signature algorithm, and that signature algorithm is what the certificate authority, or certification authority, uses to sign the certificate. Actually they sign a hash; we'll talk about that in a second. But the signature algorithm is the type of algorithm that's used by the certification authority to do the signing, and the actual type of algorithm is listed here. A common one is SHA-256, maybe with some RSA thrown in. SHA stands for Secure Hash Algorithm, 256-bit. RSA is Rivest-Shamir-Adleman; that gets into some other encryption-type capabilities, but anyway, that's the type of algorithm that the certification authority uses to sign the certificate.

Another thing you'll notice is the signature hash algorithm. Imagine a big chunk of data to start the certificate that needs to be pared down to a smaller chunk of data, so that when you run the signature algorithm against it you're not running an algorithm against this humongous amount of data. That's what a hash function essentially does: you take a large amount of data, you run it through a hash function, and it creates what's called a hash. Then instead of signing the actual overall huge amount of data, you only sign the hash, and that's what ends up happening here. So the signature hash algorithm is also listed, and this is also typically something like SHA-256. It doesn't have to be, but the type of signature hash algorithm used for that certificate is listed in the certificate itself.

You also have the issuer, and I'll put CA for this. Remember that certification authority that we talked about earlier; you've got a whole bunch of them, and whoever issued the certificate is going to be listed in the certificate details as well, so you can see who that is.

Valid dates: I'll put valid dates up here, and this is how long the certificate is valid. Let's say it's valid from January 1st, 2016, all the way out to maybe February 1st of 2018, whatever it is. I looked up a little bit of detail on the valid dates, how long you can keep a certificate valid for, and the answer by and large is 39 months. That's like the limit now. There are some exceptions to that rule, but if you go with a reputable certification authority and they issue you a certificate, it's going to be valid for no more than thirty-nine months. Nonetheless, the dates are listed there, so that if your browser tries to access a secure website and the dates on the certificate are expired, then it'll know, hey, that's not a valid certificate.

All right, another thing is the subject information; I'll put that there. This has the CN, the common name, and it's also got stuff like maybe the locality, the state, the country, that kind of thing. So for example, for f5.com or DevCentral, the DevCentral site, it's going to have the locality there: the city is going to be Seattle, the state is Washington, and we're in the country of the United States. It's going to have information like that, so that's some of the information in the subject portion of the certificate.

Then we get down here to the public key, which is one of the interesting parts, and the actual public key is listed here. I'll put RSA 2048, for example. A lot of certificates use the RSA encryption type for the public key, and rather than just saying, hey, we're using RSA encryption for our public/private key, this actually has the contents of the public key in the certificate. That's important, because when the web server sends the certificate back to the browser, you need the actual public key in order to start encrypting data to communicate back and forth securely with the web server. So this physically has the RSA public key. There's another video that we can share with you that really dives into RSA encryption and how it actually works, so look for that one as well.

Another couple of things that I was going to list up here: what's called AIA, and this is the Authority Info Access. I'll just put a little arrow for OCSP, which is the Online Certificate Status Protocol, and this is basically how you know that the certificate has not been compromised, or whether it's still a good certificate. OCSP gets into that. So the AIA portion of the certificate gives you a URL that you can visit to do an OCSP check to make sure that this certificate is still valid, so the browser can check on that.

Another thing I'll mention is the CRL distribution points. The CRL is another form of certificate status checking; it stands for certificate revocation list. This is another way to check and say, hey, is this certificate still valid or not? The browser can do a check against a certificate revocation list, and if the serial number of that certificate is on a revocation list, it knows, hey, this is not a good certificate, so let's not go to that website.

So these are a few things that are present in the actual certificate. Whenever a certificate is passed, you get all kinds of great and amazing data that you can work with and that you can use. So hopefully you've picked up a couple of things on certificates. One quick thing that I'll mention from an F5 BIG-IP perspective is that this website, or I'll say the web server here, can actually be a BIG-IP; I'll put BIG-IP right here. You go out to a certification authority, you get your certificate, and you can load that via the SSL profile on your BIG-IP. Now this guy can start to serve up the certificate information whenever a browser comes to your website. They're actually going to come into a BIG-IP, and the BIG-IP is going to do all that amazing work for you. So hopefully you've picked up a couple of things on what's in a certificate, how it works, and why you should care. Thanks for watching this Lightboard Lesson video, and we'll see you guys out there in the community.
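The fields the video walks through (version, serial number, signature algorithm, issuer, validity dates, subject, public key, AIA/OCSP and CRL distribution points) can be read out of any certificate with the openssl command-line tool. The script below is an added example, not part of the video or F5's own material: it builds a throwaway self-signed X.509 v3 certificate with constructed names (devcentral.example, ocsp.example.test, crl.example.test), reads each field back, checks expiry the way a browser does, and checks the validity window against the 39-month figure from the video (approximated here as 1187 days). It assumes openssl 1.1.1 or later (for -addext) and GNU coreutils date.

```shell
#!/bin/sh
# Added example (not from the DevCentral video): read the X.509 fields the video
# describes out of a certificate with the openssl CLI. Assumes openssl >= 1.1.1
# (for -addext) and GNU coreutils `date -d`.
set -eu

# 39 months, approximated in days (the lifetime limit quoted in the video).
MAX_LIFETIME_DAYS=1187

# Build a throwaway self-signed v3 certificate in directory $1 and print its path.
# Subject, OCSP and CRL names are constructed for the demo. The AIA and CRL
# extensions are added so that the status-checking fields exist to be read back.
make_demo_cert() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$1/key.pem" -out "$1/cert.pem" \
    -subj "/C=US/ST=Washington/L=Seattle/O=Example Org/CN=devcentral.example" \
    -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test" \
    -addext "crlDistributionPoints=URI:http://crl.example.test/ca.crl" \
    >/dev/null 2>&1
  echo "$1/cert.pem"
}

# Human-readable dump; the helpers below each pick one field out of it.
cert_text() { openssl x509 -in "$1" -noout -text; }

# X.509 version: "Version: 3 (0x2)" -> 3 (the encoded value is version minus one).
cert_version() { cert_text "$1" | sed -n 's/^ *Version: \([0-9]*\).*/\1/p' | head -n 1; }

# CA-assigned serial number, as hex.
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# Algorithm the CA signed with, e.g. sha256WithRSAEncryption.
cert_signature_algorithm() {
  cert_text "$1" | sed -n 's/^ *Signature Algorithm: \(.*\)$/\1/p' | head -n 1
}

cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | cut -d= -f2-; }
cert_subject() { openssl x509 -in "$1" -noout -subject | cut -d= -f2-; }

# Public key size in bits, from "Public-Key: (2048 bit)" (or "RSA Public-Key: ...").
cert_public_key_bits() {
  cert_text "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# OCSP responder URL from the Authority Information Access extension.
cert_ocsp_uri() { openssl x509 -in "$1" -noout -ocsp_uri | head -n 1; }

# First URI under the CRL Distribution Points extension.
cert_crl_uri() {
  cert_text "$1" | sed -n '/CRL Distribution Points/,/URI:/p' \
    | grep -o 'URI:[^ ]*' | head -n 1 | sed 's/^URI://'
}

# Validity window in whole days (notAfter minus notBefore).
cert_lifetime_days() {
  start=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  echo $(( ( $(date -d "$end" +%s) - $(date -d "$start" +%s) ) / 86400 ))
}

# Exit 0 if the certificate is inside its validity dates right now (the check a
# browser makes against the dates), non-zero if it has expired.
cert_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

# Exit 0 if the validity window is within the 39-month limit.
cert_lifetime_within_limit() { [ "$(cert_lifetime_days "$1")" -le "$MAX_LIFETIME_DAYS" ]; }

# Print the fields the video lists, in the same order.
describe_cert() {
  echo "version:           v$(cert_version "$1")"
  echo "serial:            $(cert_serial "$1")"
  echo "signature alg:     $(cert_signature_algorithm "$1")"
  echo "issuer:            $(cert_issuer "$1")"
  echo "valid for (days):  $(cert_lifetime_days "$1")"
  echo "subject:           $(cert_subject "$1")"
  echo "public key bits:   $(cert_public_key_bits "$1")"
  echo "OCSP (AIA):        $(cert_ocsp_uri "$1")"
  echo "CRL DP:            $(cert_crl_uri "$1")"
  cert_not_expired "$1" && echo "status:            not expired" || echo "status:            EXPIRED"
  cert_lifetime_within_limit "$1" && echo "lifetime:          within $MAX_LIFETIME_DAYS days" \
                                  || echo "lifetime:          exceeds $MAX_LIFETIME_DAYS days"
}

# Stand-alone use: `sh inspect_cert.sh cert.pem` inspects an existing certificate;
# `sh inspect_cert.sh --demo` builds the throwaway certificate and inspects that.
case "${1:-}" in
  "") ;;
  --demo) d="${TMPDIR:-/tmp}/x509-demo.$$"; describe_cert "$(make_demo_cert "$d")"; rm -rf "$d" ;;
  *) describe_cert "$1" ;;
esac
```

Each helper returns one field so the checks compose; `cert_not_expired` answers the date question the browser asks, while `cert_ocsp_uri` and `cert_crl_uri` only locate where revocation status would be fetched from, since the actual OCSP query or CRL download is a separate network step (for example with `openssl ocsp`). Run it against a real server certificate saved as PEM to see how a public CA populates the same fields.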
Info
Channel: F5 DevCentral
Views: 41,448
Keywords: f5, devcentral, x.509, lightboard
Id: XmIlynkR8J8
Length: 10min 30sec (630 seconds)
Published: Wed Dec 07 2016