Public key cryptogrphy - How certificate validation works using certificate chain

Application of certificate-

Its widely used as a mean for identity, passing the asymmetric public key used for key exchange, also provides integrity of certificate. In case if the client or server in TLS or SSL handshake want to trust the client/server it will validate the certificate of server/client by verfying the certificate signature. 

What is digitial certificate -

When I want a server using HTTPS communication I need to purchase a SSL certificate for my domain. The reason is when a browser does ssl handshake it need to validate the authenticity of the website also need to make sure this authenticity is not tampered during the transit. For this problem we use certificate. Certificate contains mainly two parts like attributes and signature. 

Attribute contains - Issuer, Subject name like google.com, public key algorithm, public key etc.

Signature - This is crucial part of having integrity and authenticy of the certificate. For eg if I am getting an end entity ceritificate using intermidate certificate authority like godaddy.com they will compute the hash of the attributes of this certificate described above and then using private key encrypt the hash and put it in ceritificate. Now the end entity ceritificate contains the digitial signature of the intermidate certificate. 

If some client like browser want to validate the entity ceritificate it will check issuer which is godaddy.com get the intermidate ceritificate (as part of TLS handshake) get the public key from intermidate ceritificate decrypt the signature of entity certificate get the hash compute the hash of its certificate attribute and then compare this will make sure this hash is not broken also this is signed by trusted intermidate certificate. 

There are three parties involved in ceritificate generation - Root CA, Intermediate CA and end entity.

Root CA is self signed meaning it will create a digital signature using its own private key.

Intermediate CA will get the digital signature using the Root CA private key

End entity certificate will get the digital signature using the intermediate CA private key

How to get a ceritificate from Intermediatory ceritificate authority:

Step 1: You need to generate a public private key using open ssl command. Key the private key safe in vault manager like hash corp or keep it encrypted data storage.

Step 2: Go to any intermidate certificate providers like godaddy.com upload the certificate signing request (CSR) along with the public key your generated. CSR you can generate using openssl or IIS or apache server etc.

Step 3: Intermediate certificate authority update all the attributes like expiration date etc and then provide the digitial signatue using the private key.

Step 4: Now we got the domain certificate and also download the intermediate ceritificate which you need to send to client as part of TLS handshake to complete the certificate chain.

Now you got the ceritificate which you can mount in IIS or Apache server. Note this ceritificate contains public key which is used key exchange algorithms like RSA or used to encrypt data which can be decrypted by the server.

Browser/client App validating the ceritificate chain:

Browser while doing SSL or TLS handshake get the certificate as part of it will check the issuer then to intermidate get the public key validate the digital signature of domain certificate, then it will check the issuer of intermidate certificate which is Root CA like verisign, thawte, globalsign then it will check the local ceritificate store of the browser which contains all the Root CA installed as part of browser installation. So this way the ceritificate chain is validated and we know the identity of this trusted domain because the Root CA is trusted by the browser. 


Comments

Post a Comment

Popular posts from this blog

Decorators in python - Part 1

Decorators in python is very useful in data hiding and performing pre and post operation using simple function object. Below is a example of decorator and how its working in python interpretor. def sample_decorator ( func ):     def wrapper ( val ):         print ( "calling a function for pre-processing" )         return_value = func ( val )         print ( "calling post-processing function" )         return return_value     return wrapper def sample_function ( val ):     print ( f "hai from sample function { val } " ) if __name__ == "__main__" :     sample_function = sample_decorator ( sample_function )     sample_function ( 10 ) In python everything is object so what we are doing above is adding a syntatical sugar using a decorator that replaces the sample_function object with newly created sample_function object. We have created sample_function ...
Read more

Class Decorator practical uses - Part 2

Last part we have seen about function decorator and how to use it to add extensions to existing functions. We have seen how decorator are useful, today we can see about how to use class based decorator which will provide extension functionalities to existing functions. How we can configure a class decorator during creation so that we can configure a decorator for our need. Lets get started with code. def func ( msg ):     print ( f "Hai programmer we got this message { msg } for you " ) if __name__ == "__main__" :     func ( "Hello Developer" ) Now for adding a class decorator we need to understand two things one is how the constructor is invoked for a class and how functors is used while invoking an object of a class. While creating a instance of the  class like below. class MyDecorator :     def __init__ ( self , func ): obj = MyDecorator ( func ) Now we created an instance passing function as a parameter object. Since function is a first clas...
Read more