· What is public key infrastructure/PKI?
PKI is a process where exchange of encrypted information happens between two or more parties on interconnected servers that provide a suite of cryptographic services. It includes SSL certificates and certifying authorities. There are two related keys for communications:
i. Public Key: Used for encrypting the data so whenever data is travelling between the user and the server. An attacker will not able to see the information travelling in between since it is encrypted.
ii. Private Key: In is used to decrypt the information which was encrypted using the public key. So whenever the information reaches the server it will be decrypted by the private key.
Note: Any organization who is issuing public key and just to maintain the credibility of that key they must use a third party in order to create the confidence with the party they have to obtain a digital certificate/ SSL certificate so that person using that key can identify that these keys are legit and belongs to the same parties and validity of these certificates maintained by certificate authority (CA).
· What is SSL certificates/Digital certificates?
Certificates are digitally signed, these certificates are authentic for the particular resources and can be used by organization, all these things are managed by CA. CA creates a trust relationship between organizations and the user.
These certificates contain all those information such as subject, issuer, guarantor, validity, and many more. These information can be used to verify that which organization owns that certificate.
These certificates follow X.509 standard to promote safety, use the PKI infrastructure between different vendors. Some major information given on certificates are:
i. Version: Version supported by the x.509 are (V1, V2, V3)
ii. Serial Number: A unique number by which we can identify certificate and its domain.
iii. Signature Algorithm: Algorithm that is used to sign the certificate.
iv. Issuer: Name of CA who issued the certificate written as distinguished name (DN)
v. Validity: CA mentioned some dates until when this certificate is valid.
vi. Subject: Owner of certificate comes under DN.
vii. Public Key: Key that is used by holder.
viii. Extension: Version 3 certificates have extended attributes such as issuer name, email address, and key usage.
We can also gather the information about the SSL certificates by using following ways.
i. Crt.sh: The actually provides the information about the SSL certificates issued to the organization. This will show up all the certificates issues to the domain in the pas as well.
You can see that Initially it shows us the information about validity of certificates, who is owner and its issuer name. As soon as we click on cert id, it provide more information about the certificate.
It will provide almost all information which is needed such as revocation list, what algorithm is being used, version and more.
ii. When we open the website on the browser there is one padlock sign. Click on it
Next click on certificate, there are three tab that gives the information about certificate.
But if you are interested in more information click on “details tab”. It has a lot of information.
What is Certificate Revocation List?
It contain all those certificates that are revoked by issuing CA for example due to the compromise of the keys or the certificates has been expired. There are multiple reason of revocation such as:
i. CA issued an improper certificate.
ii. Private Key of the certificate has been stolen or compromised.
iii. CA can do revocation on violation of any other policy, misrepresentation of software or submission of false document by owner.
But from all these most common is that the private key has been stolen and CRL publisher immediately revokes the certificate.
Going to little deeper we can click on “CRL Distribution Points“, it provide a URL. Open that URL in browser. It will show all revocation list with serial no and dates.