Digital Certificate


A Certificate Authority (CA) is an entity responsible for issuing digital certificates to verify identities on the internet.

A CA establishes trust and secure communication between browsers and servers by verifying that the client or organization in question is indeed who it claims to be.

Anyone can act as a CA and issue self-signed certificates, but only a select few companies, those whose root certificates ship in browser and operating-system trust stores, end up signing SSL/TLS certificates for the general public.

List of HTTPS/SSL Certificate Authorities

There are only a handful of certificate authorities. Here are the most popular ones:

  • Comodo SSL (Now Sectigo)
  • DigiCert SSL
  • RapidSSL
  • Sectigo SSL
  • Symantec SSL
  • GeoTrust SSL
  • Thawte SSL

Creating Your Own Certificate or Self-Signed SSL Certificate

A self-signed SSL certificate is a certificate that is signed by the person who created it rather than a trusted certificate authority. Self-signed certificates can have the same level of encryption as the trusted CA-signed SSL certificate.

Typically, the self-signed certificates are used for testing purposes or internal usage. You should not use a self-signed certificate in production systems that are exposed to the Internet.

Difference between HTTPS and SSL

HTTPS – HTTP (HyperText Transfer Protocol) served over either SSL or TLS (Transport Layer Security).

In other words, HTTPS is simply HTTP delivering its data securely over SSL or TLS.

SSL – SSL is a layer of security that enables encrypted data transfer online.

TLS – TLS stands for Transport Layer Security. It is considered the more secure successor of SSL. However, in everyday usage the two names are treated as interchangeable.

What is the difference between one-way SSL and two-way SSL?

One-Way SSL

In one-way SSL, only the client validates the server. The server shares its public certificate with the client, and the client validates it before the connection is established and data is transferred.

How One-Way SSL Works

Let’s understand this concept with an example. Assume you are the client and Google is the server.

  • As the client, you initiate a request to the Google server for some data over HTTPS. This starts the SSL handshake.
  • In return, the Google server shares its public certificate with you in its hello message.
  • You, the client, then verify the certificate received from the server. The certificate is validated against the CA (Certification Authority) that signed it.
  • After the certificate is verified, you (the client) and Google (the server) agree on secret keys that will be used to encrypt data at both ends.
  • Lastly, once the secret keys are agreed at both ends, client and server start communicating and data transfer takes place.

The key point in one-way SSL is that, in the whole process, only the server has shared its certificate with the client.

Two-Way SSL Certificate

Two-way SSL is also known as mutual authentication. In two-way SSL, both client and server share their public certificates and authenticate each other before establishing communication.

How Two-Way SSL Works

  • As the client, you initiate a request to the Google server for some data over HTTPS. This starts the SSL handshake.
  • In return, the Google server shares its public certificate with you in its hello message.
  • You, the client, then verify the certificate received from the server. The certificate is validated against the CA (Certification Authority) that signed it.
  • Now you, the client, present your own public certificate to Google for verification.
  • The server validates the client’s public certificate against the CA (Certification Authority) that signed it.
  • After the certificates are verified at both ends, client and server agree on secret keys that will be used to encrypt data at both ends.
  • Finally, once the secret keys are agreed at both ends, client and server start communicating and data transfer takes place.
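The validation steps of both handshakes can be replayed with the openssl command-line tool alone. The script below is an added example, not part of the original post: it creates a throw-away private CA, issues one certificate for the server and one for the client, and runs the same check each side performs on the certificate it receives (openssl verify against the trusted CA). A second, unrelated CA issues a well-formed certificate that nobody in the deployment trusts, to show that "valid" and "trusted by me" are different things. All names (Demo Root CA, *.example.test) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: a throw-away private CA issues
# a server certificate and a client certificate, and we replay the two
# validation steps of the two-way handshake with "openssl verify".
# All names (Demo Root CA, *.example.test) are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca <prefix> <name>: a self-signed CA certificate plus its private key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert <ca-prefix> <prefix> <cn>: key pair + CSR, then the CA signs the CSR.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -sha256 -out "$WORK/$2.crt" 2>/dev/null
}

# validate_peer <trusted-ca.crt> <presented.crt>: the check each side performs
# on the certificate it receives; prints "trusted" or "rejected".
validate_peer() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

make_ca ca "Demo Root CA"                  # the CA both sides trust
issue_cert ca server server.example.test   # certificate the server presents
issue_cert ca client client.example.test   # certificate the client presents

# A second, unrelated CA and a certificate it issued. It is well formed, but
# nobody in this deployment trusts its issuer.
make_ca other "Other CA"
issue_cert other rogue rogue.example.test

# One-way SSL: only this check happens (client validates the server).
client_checks_server() { validate_peer "$WORK/ca.crt" "$WORK/server.crt"; }
# Two-way SSL adds the mirror image (server validates the client).
server_checks_client() { validate_peer "$WORK/ca.crt" "$WORK/client.crt"; }
# A certificate from an untrusted issuer fails that same check.
server_checks_rogue()  { validate_peer "$WORK/ca.crt" "$WORK/rogue.crt"; }

echo "client -> server: $(client_checks_server)"
echo "server -> client: $(server_checks_client)"
echo "server -> rogue:  $(server_checks_rogue)"
```

Run it with sh; the first two lines print trusted and the third prints rejected. In a real two-way deployment the server is configured with the CA certificate (not with each client certificate), which is exactly the -CAfile argument here.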

Keys in SSL

Public and private keys: two keys are used that are mathematically related (they form a key pair) but are different.

This means a message encrypted with a public key cannot be decrypted with that same public key.

To decrypt the message you require the private key.

If this type of key arrangement were used with your car, you could lock the car and leave the key in the lock, because the same key cannot unlock the car.

SSL/TLS uses this public and private key system for data encryption and data integrity.
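Both properties can be observed directly with openssl. The script below is an added example, not code from the original post: it generates an RSA key pair, shows that the public key can encrypt but cannot decrypt its own output (the "key left in the lock" point), that the private key recovers the plaintext, and that a signature made with the private key lets anyone holding the public key detect a changed message. The key and the message text are constructed here for the demo; OAEP padding is chosen because it is the recommended mode, not because the post mentions it.

```shell
#!/bin/sh
# Added example, not part of the original post: the key-pair properties
# described above, shown with the openssl CLI. The key is generated here and
# the message text is constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# One key pair: the private key, and the public key exported from it.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/private.pem" 2>/dev/null
openssl pkey -in "$WORK/private.pem" -pubout -out "$WORK/public.pem"

printf 'meet at noon' > "$WORK/msg.txt"
printf 'meet at nine' > "$WORK/tampered.txt"   # altered copy, for the integrity check

# --- Confidentiality: encrypt with the public key ---------------------------
# Anyone holding public.pem can lock the message (OAEP padding, the modern choice).
openssl pkeyutl -encrypt -pubin -inkey "$WORK/public.pem" \
  -pkeyopt rsa_padding_mode:oaep -in "$WORK/msg.txt" -out "$WORK/msg.enc"

# The public key cannot unlock what it locked: prints "fails".
decrypt_with_public_key() {
  if openssl pkeyutl -decrypt -pubin -inkey "$WORK/public.pem" \
       -pkeyopt rsa_padding_mode:oaep -in "$WORK/msg.enc" >/dev/null 2>&1; then
    echo succeeds
  else
    echo fails
  fi
}

# Only the matching private key recovers the plaintext.
decrypt_with_private_key() {
  openssl pkeyutl -decrypt -inkey "$WORK/private.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/msg.enc"
}

# --- Integrity: sign with the private key, verify with the public key --------
openssl dgst -sha256 -sign "$WORK/private.pem" -out "$WORK/msg.sig" "$WORK/msg.txt"

# verify_signature <file>: prints "intact" if the signature matches the file,
# "tampered" otherwise (any change to the bytes breaks the signature).
verify_signature() {
  if openssl dgst -sha256 -verify "$WORK/public.pem" \
       -signature "$WORK/msg.sig" "$1" >/dev/null 2>&1; then
    echo intact
  else
    echo tampered
  fi
}

echo "decrypt with public key:  $(decrypt_with_public_key)"
echo "decrypt with private key: $(decrypt_with_private_key)"
echo "original message:         $(verify_signature "$WORK/msg.txt")"
echo "altered message:          $(verify_signature "$WORK/tampered.txt")"
```

In a TLS handshake the same two mechanics appear in disguise: the server proves possession of the private key matching the certificate's public key, and the session keys the two sides agree on are what actually encrypts the bulk traffic.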

Benefits of Using an SSL Certificate

An SSL certificate installed on a website or client application (Kafka, RabbitMQ, a Java app) builds trust with visitors and helps protect their sensitive information from unauthorized users or attackers.

Scope of SSL certificates:
  • Kafka and its clients, such as producers, consumers and other Kafka brokers.
  • Kafka and ZooKeeper
  • MQTT and its clients, such as MqttFx
  • Websites
  • Java and .NET applications use SSL to secure communication
  • Securing Internet-of-Things (IoT) devices against attack

Prerequisites

OpenSSL has the benefit of being free and open source. It is a cryptographic library that includes command-line tools for generating and managing digital certificates, which you can configure to serve as a certificate authority. You can generate private and public keys, create CSRs, install certificates, and view certificate information.

Linux Users

To check whether the openssl package is installed on your Linux system, open your terminal and type openssl version. If the openssl package is not installed on your system, you can install it with your distribution’s package manager:

Ubuntu and Debian

>> sudo apt install openssl

Windows Users

URL: https://slproweb.com/products/Win32OpenSSL.html

Step 1 – Download the OpenSSL installer: Win64 OpenSSL v3.0.0, EXE | MSI, 140 MB installer

Step 2 – Setup Environment Variables

Now set the environment variables so that OpenSSL functions properly on your system. You need to set the OPENSSL_CONF and Path environment variables.

Press Windows + R to open the Run window, type “sysdm.cpl” in the Run dialog box and hit Enter. Alternatively, open Command Prompt and type the same command to open System Properties.

Go to “Advanced” tab and click on “Environment variables”.

Set OPENSSL_CONF Variable:

Click the “New” button; in the dialog box that appears, fill in the following entries (adjust the path to the folder OpenSSL was installed in):

 Variable name: OPENSSL_CONF
 Variable value: c:\OpenSSL-Win32\bin\openssl.cfg

Set Path Variable:

In the System variables box, find the “Path” variable and append your OpenSSL directory up to the “bin” folder.

Step 3 – Run OpenSSL

Open a command prompt on your system and type openssl to open OpenSSL prompt.

Creating Self-Signed SSL Certificate

To create a new Self-Signed SSL Certificate, use the openssl req command:

openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out public.crt -keyout private.key

Let’s break down the command and understand what each option means:

  • -newkey rsa:4096 – Creates a new certificate request and a 4096-bit RSA key. The default is 2048 bits.
  • -x509 – Creates an X.509 certificate (rather than a certificate signing request).
  • -sha256 – Use 256-bit SHA (Secure Hash Algorithm), i.e. SHA-256, as the signature digest.
  • -days 3650 – The number of days the certificate is valid for. 3650 is ten years. You can use any positive integer.
  • -nodes – Creates a key without a passphrase (the private key file is stored unencrypted).
  • -out public.crt – Specifies the filename to write the newly created certificate to. You can specify any file name.
  • -keyout private.key – Specifies the filename to write the newly created private key to. You can specify any file name.

Output:

Country Name (2 letter code) [AU]: IN

State or Province Name (full name) [Some-State]: Noida

Locality Name (eg, city) []: NSEZ

Organization Name (eg, company) [Internet Widgits Pty Ltd]: Knoldus Inc

Organizational Unit Name (eg, section) []: IT

Common Name (e.g. server FQDN or YOUR name) []:www.knoldus.com

Email Address []: xyz@knoldus.com

Use the ls command to verify that the files were created:

>> ls

public.crt private.key

Creating a Self-Signed SSL Certificate Without Prompts (One-Line Command)

To create a self-signed SSL certificate without being prompted for any question, use the -subj option and specify all the subject information:

openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out public.crt -keyout private.key -subj "/C=IN/ST=UP/L=Noida/O=Knoldus Inc/OU=IT Department/CN=www.knoldus.com"

The fields specified in the -subj line are listed below:

  • C= – Country name. The two-letter ISO abbreviation.
  • ST= – State or Province name.
  • L= – Locality Name. The name of the city where you are located.
  • O= – The full name of your organization.
  • OU= – Organizational Unit.
  • CN= – The fully qualified domain name.

Important: when creating the signing request, be sure to set the Common Name to the IP address or domain name of the service; otherwise the certificate cannot be verified.

Verify the certificate’s content

openssl x509 -in public.crt -text -noout
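One caveat a practitioner will want here: the command above places the hostname only in the Common Name. OpenSSL’s own hostname check falls back to the CN when a certificate has no subjectAltName, but mainstream browsers stopped consulting the CN years ago and match the hostname only against the subjectAltName extension, so a certificate a browser will connect to needs a SAN as well. The script below is an added example, not from the original post: it builds two self-signed certificates for www.knoldus.com, one CN-only and one with a SAN (the -addext option, which needs OpenSSL 1.1.1 or newer), then inspects the extension and runs openssl verify -verify_hostname against each. The hostnames come from the post; attacker.example is a constructed mismatch case.

```shell
#!/bin/sh
# Added example, not part of the original post: two self-signed certificates
# for www.knoldus.com, one with only a Common Name (as in the command above)
# and one that also carries a subjectAltName, checked with openssl.
# "attacker.example" is a constructed mismatch case.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert <out.crt> <CN> [SAN list]: self-signed, valid for one day.
# -addext needs OpenSSL 1.1.1 or newer.
make_cert() {
  if [ "$#" -ge 3 ] && [ -n "$3" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
      -subj "/CN=$2" -addext "subjectAltName=$3" \
      -keyout "${1%.crt}.key" -out "$1" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
      -subj "/CN=$2" -keyout "${1%.crt}.key" -out "$1" 2>/dev/null
  fi
}

# has_san <cert>: "yes" if the certificate carries a DNS subjectAltName entry.
has_san() {
  if openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q 'DNS:'; then
    echo yes
  else
    echo no
  fi
}

# hostname_matches <cert> <hostname>: "match" or "mismatch". The certificate
# is self-signed, so it doubles as its own trust anchor (-CAfile).
hostname_matches() {
  if openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; then
    echo match
  else
    echo mismatch
  fi
}

make_cert "$WORK/cn-only.crt" www.knoldus.com
make_cert "$WORK/with-san.crt" www.knoldus.com "DNS:www.knoldus.com,DNS:knoldus.com"

for f in cn-only with-san; do
  echo "$f: SAN present=$(has_san "$WORK/$f.crt")" \
       "www.knoldus.com=$(hostname_matches "$WORK/$f.crt" www.knoldus.com)" \
       "knoldus.com=$(hostname_matches "$WORK/$f.crt" knoldus.com)" \
       "attacker.example=$(hostname_matches "$WORK/$f.crt" attacker.example)"
done
```

The CN-only certificate passes OpenSSL’s check for www.knoldus.com through the CN fallback, but it has no SAN and therefore fails in a browser; the SAN certificate covers both names it lists and nothing else.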

The following certificate formats are acceptable:

  • DER-encoded X.509 certificate (.cer, .der, .crt)
  • PEM-wrapped DER-encoded X.509 certificate (.pem, .crt, .b64)
  • DER-encoded PKCS #7 certificates (.p7, .p7b, .p7c)
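The three formats are different containers for the same bytes, and the way to prove two files hold the same certificate is to compare fingerprints rather than file contents. The script below is an added example, not from the original post: it generates a throw-away self-signed certificate, round-trips it PEM → DER → PEM and PEM → PKCS #7 → PEM with openssl, and checks that the SHA-256 fingerprint is identical at every step. The subject name format-demo is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: round-trips one certificate
# through the three formats listed above and checks that every copy is the
# same certificate by comparing SHA-256 fingerprints. The certificate is a
# throw-away self-signed one generated here; "format-demo" is a made-up name.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=format-demo" -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null

# PEM <-> DER: the same DER bytes, either base64-armoured or raw.
pem_to_der() { openssl x509 -in "$1" -outform DER -out "$2"; }
der_to_pem() { openssl x509 -in "$1" -inform DER -outform PEM -out "$2"; }

# PEM -> PKCS#7 bundle (a container for one or more certs, never a key) and back.
pem_to_p7b() { openssl crl2pkcs7 -nocrl -certfile "$1" -out "$2"; }
p7b_to_pem() { openssl pkcs7 -in "$1" -print_certs -out "$2"; }

# fingerprint <cert> [PEM|DER]: SHA-256 fingerprint of the certificate's DER bytes,
# so it is independent of which container the certificate arrived in.
fingerprint() {
  openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256 | cut -d= -f2
}

# same_certificate <a.pem> <b.pem>: "same" if both files hold an identical certificate.
same_certificate() {
  if [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]; then echo same; else echo different; fi
}

pem_to_der "$WORK/cert.pem" "$WORK/cert.der"
der_to_pem "$WORK/cert.der" "$WORK/from-der.pem"
pem_to_p7b "$WORK/cert.pem" "$WORK/cert.p7b"
p7b_to_pem "$WORK/cert.p7b" "$WORK/from-p7b.pem"

echo "PEM fingerprint: $(fingerprint "$WORK/cert.pem")"
echo "DER fingerprint: $(fingerprint "$WORK/cert.der" DER)"
echo "PEM -> DER -> PEM: $(same_certificate "$WORK/cert.pem" "$WORK/from-der.pem")"
echo "PEM -> P7B -> PEM: $(same_certificate "$WORK/cert.pem" "$WORK/from-p7b.pem")"
```

Because the .crt extension is used for both PEM and DER files (see the list above), a tool that refuses a .crt file is often just reading it with the wrong -inform; the fingerprint check is the quick way to confirm the content is still the certificate you expect.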


Conclusion

I have shown how to generate a self-signed SSL certificate using the openssl tool. Now that you have the certificate, you can configure your application to use it.

Written by 

Abid Khan is a Lead Consultant at Knoldus Inc., a postgraduate (MCA) with 5+ years of experience in JavaSE, JavaEE, ORM frameworks, Spring, Spring Boot, RESTful Web Services, Kafka, MQTT, RabbitMQ, Docker, Redis, MySQL, Maven, Git, etc. He is a well-rounded professional with a prolific track record of designing, testing, and monitoring software as well as upgrading existing programs.