SSL Certs and Certificate Authorities

What is CA (Certificate Authority)?

CA is en entity issues digital certificate.

  • any entity can potentially become their own certificate authority.
  • most websites use certificates issued by commercial CAs

What is a SSL Certificate

SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details.

SSL Certificates bind together:

  • A domain name, server name or hostname.
  • An organizational identity (i.e. company name) and location.

An organization needs to install the SSL Certificate onto its web server to initiate a secure session with browsers.

In order for a browser to trust a SSL Certificate(without security warnings), the cert must contain the domain name of website using it, be issued by a trusted CA, and not have expired.

How does SSL work between client and server?

img_ssl_how_it_works_1.jpg

img_ssl_how_it_works_1.jpg

SSL Certificate chain

certificate-chain-of-trust.jpg

certificate-chain-of-trust.jpg

Distinguished name (DN) is a term that describes the identifying information in a certificate. Depending on the identification policy of the CA that issues a certificate, the DN can include a variety of information.

More about DN - IBM

The chain terminates with a Root CA Certificate. The Root CA Certificate is always signed by the CA itself. The signatures of all certificates in the chain must be verified up to the Root CA Certificate.

In order to make the SSL certificate compatible with all clients, it is necessary that all the Intermediate Certificates are installed.

Who decides a CA can be trusted?

Pre-installed Root Store is trusted

Browsers and devices trust a CA by accepting the Root Certificate into its root store – essentially a database of approved CAs that come pre-installed with the browser or device.

CAs usually create a number of Intermediate CA (ICA), which will be used to issue end entity certificates, such as SSL Certificates.

CAs should not issue Digital Certificates directly from the root distributed to the carriers, but instead via one or more of their ICAs. This is because a CA should follow best security practices by minimizing the potential exposure of a Root CA to attackers.

dnsimple-ssl-chain-robowhois.png

dnsimple-ssl-chain-robowhois.png

Public Key Infrastructure (PKI)

A PKI supports the distribution and identification of public encryption keys, enabling users and computers to both securely exchange data over networks such as the Internet and verify the identity of the other party.

PKI is an infrastructure in which many things happen and is not a process or algorithm itself, so PKI consists of a number of aspects to enable the infrastructure to work.

PKI is itself often used as a synonym for a CA implementation - wikipedia

Without PKI, there would be no assurance of the identity (authentication) of the other party.

pki-infra.gif

pki-infra.gif

More about PKI

Wiki - PKI