Digital Certificates

#cryptography #encryption

(OBJ 1.4)

Digital Certificates

Digitally signed electronic documents
- Bind a public key with a user's identity
- Used for individuals, servers, workstations, or devices
- Use the X.509 Standard
  - Commonly used standard for digital certificates within PKI
  - Contains owner's/user's information and certificate authority details
- Applied to only one server by default

Types of Digital Certificates

Wildcard Certificate
- Allows multiple subdomains to use the same public key certificate and have it displayed as valid
- Easier management, cost-effective for subdomains
- Warning: Compromise affects all subdomains
  - Revoke affects all other subdomains as well
SAN (Subject Alternate Name) field
- Certificate that specifies what additional domains and IP addresses are going to be supported
- Used when domain names don’t have the same root domain
  - maccgenics.com and notes.maccgenics.com are on the same root domain so you can use a Wildcard certificate
  - But milo.com and milomilays.com would need SAN field certificates
Single-Sided and Dual-Sided Certificates
- Single-sided
  - Only requires the server to be validated
  - One site of authentication happening
- Dual-sided
  - Both server and user validate each other
  - Dual-sided for higher security, requires more processing power
Self-Signed Certificates
- Digital certificate that is signed by the same entity whose identity it it certifies rather than by a certificate authority or third party
  - In essence, the entity is claiming its own identity and vouches for itself.
- Provides encryption but lacks third-party trust
- Used in testing or closed systems (non-production systems)
Third-Party Certificates
- Often just called Certificates
- Digital certificate issued and signed by trusted certificate authorities (CAs)
- Trusted by browsers and systems
  - Any certificate issue is inherently going to be trusted by that system or browser.
- When a user or system encounters a third-party certificate, they can actually trace its authenticity back to a known entrusted CA or certificate authority.
  - This level of external verification will ensure a higher degree of trust and security for online transactions or encrypted communications.
- Preferred for public-facing websites or applications you may be hosting

Key Concepts

Root of Trust
- Highest level of trust in certificate validation
- Trusted third-party providers like Verisign, Google, CloudFlare etc.
- Forms a certification path for trust ("a family tree")
- Each certificate is validated using the concept of a root of trust or the chain of trust
  - "Everybody trust your grandfather, which trusts your father, so everyone trusts your father too, and so on."
Certificate Authority (CA)
- Trusted third party that issues digital certificates
- Certificates contain CA's information and digital signature
- Validates and manages certificates
- You do have to purchase this certificate from a CA or registration authority
Registration Authority (RA)
- Requests identifying information from the user and forwards certificate request up to the CA to create a digital certificate
- Collects user information for certificates
- Assists in the certificate issuance process
- Maintains a publicly accessible copy of that user's public key and allows them to have that for use by other users who wish to send them confidential information
- Examples:
  - Verisign, Digisign, etc.
Certificate Signing Request (CSR)
- A block of encoded text with information about the entity requesting the certificate
  - Organization Name
  - Domain Name
  - Locality
  - Country
- Includes the public key
- Submitted to CA for certificate issuance
- Private key remains secure with the requester and is never send out to the certificate authority because this ensures the confidentiality of that given key pair.
- The resulting certificate will be returned to the entity and can be installed on all of its servers to facilitate secure communications
Certificate Revocation List (CRL)
- Maintained by CAs
- List of all digital certificates that the certificate authority has already revoked
- Checked before validating a certificate
Online Certificate Status Protocol (OCSP)
- Determines certificate revocation status or any digital certificate using the certificate's serial number
- Faster but less secure than CRL
  - Operates much more quickly and efficiently because it is not using encryption and it only is looking up one digital certificate at a time.
OCSP Stapling
- Alternative to OCSP
- Used to be known as the TLS certificates status request extension.
- Allows the certificate holder to get the OCSP record from the server at regular intervals
  - Eliminates an extra connection being required at the time of the user's request, and this also speeds up the tunnel creation process to get us that secure tunnel that we're going to use to send the bulk of our data back and forth between your web browser and our web server.
- Includes OCSP record in the SSL/TLS handshake
- Speeds up the secure tunnel creation
Public Key Pinning
- "If an attacker could impersonate a server we would be in great trouble"
- Allows an HTTPS website to resist impersonation attacks from users who are trying to present fraudulent certificates
- Presents trusted public keys to the user's web browser as part of its HTTP header.
- Alerts users if a fraudulent certificate is detected
  - That website was compromised or there was an issue.
Key Escrow Agents
- Securely store copies of private keys
- Ensures key recovery in case of loss
- Requires strong access controls
- Used when an organization cannot accept any Data Loss
Key Recovery Agents
- Specialized type of software that allows the restoration of a lost or corrupted key to be performed
  - A backup of all the certificate authority keys
- Acts as a backup for certificate authority keys

Trust in Digital Certificates

Trust is essential in digital certificates
Compromised root CAs can impact all issued certificates
Commercially trusted CAs are more secure
Self-managed CAs must be vigilant against compromises