If you want to wrap your mind around digital certificates, you have got to get really groovy with public key infrastructure or PK AI. Now, if you're watching this series by episode and the previous episode, I said that PK AI was a trust model. And that's absolutely true. But PK is much, much more than that. Think about what it stands for public key infrastructure. pk is the infrastructure that we use for just about every real world application that uses public keys, which is really digital certificates.
So I wish they didn't call it public key infrastructure. I wish they call it a digital certificate public infrastructure, but I'm not in charge of the universe. So we call it pk. So what I want to do first in this episode is review the idea of PK as a trust model, and we're going to build from that. So what I got here is a bunch of different servers. These are web servers that need certificates.
Here's an email that needs certificates. Here could be a wireless system that you Use of certificates. Yeah, some wireless networks use certificates as well. So there's all kinds of stuff out there that needs certificates. And not only do they need certificates, but they need to be able to get a certificate, a good trusted certificate when they want it. They need to trust other people's certificates.
So if this guy doesn't pay their bill, or if they decide to become evil, we need a mechanism that says, oh, that certificates no good anymore. So PK is not just about trust PK is about distribution. It's about control, maintenance, relocation, all of this stuff when it comes to digital certificates. All right, so let's start off with this. So what I have here is a PCI model. So up at the top, is a certificate authority.
Now a certificate authority is an organization so like VeriSign, thought a summit GoDaddy, there's a billion of them out there. And they will have what we call a root certificate at the very, very top of their structure. So at the top of this structure is some kind of computer storage In here are is one literally one root certificate. It's not even signed, because who's going to sign it? It's verisign. And they're the king.
Anyway, this particular system right here, goes ahead and distributes certificates to intermediate systems. See, you don't want this computer mess with you. It is public access. But we don't want people to get to it. Because this is like the holy Certificate of Antioch here. And if this thing gets messed up, or corrupted or anything, the entire infrastructure of PK messes up, at least for verisign.
So this tends not to be a system that's queried or access very often. Instead, we have all of these intermediate certificate authorities that are being trusted by the root authority. And then these guys in and of themselves, will create trusts to all these different guys here. So if this guy right here, wants a certificate, and we're going to use VeriSign, we're going to Go online to verisign. And we can do actually handle all this online, we can hand the mark public key and all that stuff online, take care of all that. And it gets entered in to a situation where it trusts one of these get the idea.
So really what happens is you'll have a certificate that isn't necessarily trusted by him, but it's trusted by one of his intermediates, who is then trusted by this, and then you create what's known as a certification path. This path is really important, because this is the entire maintenance and control structure for any given type of pk. Now, we got to be careful with PK, because first of all, PK is not a standard. There is no standard at all out there that says this is how you'll do it. Well we do have is one particular standard pkcs, which was invented by the RSA Corporation back in the early 90s. And pkcs, which is not a standard.
It's just the way RSA does it has become the de facto standard for a lot of PK AI systems out there. So pretty much. If you want to do PK in the real world, you're gonna have to follow pkcs. Now, the other thing I want to add to this is that all of PK is based on a very, very old standard called x dot 509. x dot 509 is really nothing more than a standard that says, If I'm far away, and I want to query a database at another place far away, how do I go about it? How do we distribute? How do we store information?
How do we organize stuff in hierarchies so that we can access data on a timely basis x dot 509 in and of itself isn't even really used anymore. But the way we query and talk and do all this stuff, is a cornerstone to x 509. Now, this all sounds great. But what I want to do right now is I want to dive in, I got a little laptop here, just a generic laptop and it's got some certificates on it. Let's go ahead and take a moment and take a look at some certificates and understand how they tie in, how they work and how they tie together. PK and pkcs.
The best place to find certificates is usually through a web browser. Now, what's interesting is that there is no complete standard that says where you're going to store certificates on a computer. But the web people because they have so much e commerce have done a pretty good job of standardizing where things are stored. So you can open up any web browser doesn't matter which web browser you use. In this case, I'm using Chrome and you can access your certificates where to go. There it is.
So in Chrome, I went to Settings advanced, I just hit manage certificates. Tada. Okay, so here are certificates. And yes, you can actually get to this from your control panel on Windows as well. Alright, so anyway, what I want to do, the certificates that you're looking at here mainly are, you see there it says root certificates, and then intermediate certificates. So what you're looking at here are really copies of the root and intermediate certificates that are copied to your system.
This is just done for speed. So anytime you go to eBay, for example, you don't actually have to query the intermediate certificate authority that you've already got the certificate sitting right here, and you can compare his certificate to the one that comes down from eBay or whatever, and you get instantaneous. It's good or it's bad. So anyway, so here are our root certificates. Here's our intermediate certificates. And then we have personal certificates.
I'm going to save that for a minute. Let's go ahead and talk about a few things here. So first of all, you'll see we've got three different choices here. We can have certificates for client authentication. So this is basically web 90% of the time. We have email.
So we have different certificates that are used for email. And then we have advanced purposes. Advanced purposes is actually kind of interesting. Let me see if I can find a good example. So trusted publishers. So for example, I have a very expensive program called Air magnet installed on here.
And every time I run it, it actually has a certificate to make sure it's a legitimate copy and all this kind of stuff. And I think it's like some kind of Avery label maker or something like that. So let's skip advance purposes. And for right now, let's just go to all. So we're seeing everybody. And let's start with a root certificate.
So I'm just going to pick one arbitrary root certificate here, it doesn't really matter which one I pick. Here's a GoDaddy certificate. And let's take a look at this guy. So I just double clicked it in Windows, and I can actually look at the certificate itself. So basically, this is used for authentication primarily for web more than anything else. And you can see some validates, but this first screen is kind of boring.
So here's where it's interesting is under the details. So we're going to have different versions. There are different versions of certificates based on how much information you need, how much money you're going to spend and make some more secure some type of internal serial number. This is a root certificate, so it doesn't really have a serial Because it is the root. Here are the algorithms remember, what we're doing with these is that we are encrypting some amount of data. And then we are then hashing it.
So it tells us how it's actually being done. That tells us who's issuing it. Now, I want you to look, you're very careful. And you see that Oh, you Oh, and see, that is all x dot 509 nomenclature. And it's just the way we organize all this stuff. Here's a valid date valid to here is the some generic subject in here.
Here's the actual public key itself. So this is the actual public key because remember, that's why certificates exist because they passed around public keys. The only other thing that's particularly interested in here's a thumbprint, which is kind of like a manufacturer's serial number. It's a unique identifier for this particular certificate, and it can be used for a lot of really important stuff. Now, last thing, I want to show you the certification path, you'll see that this guy is at the absolute top of the certification path. Well He better be He's root certificate.
So we don't see any other certificates here, but that's about to change. Alright, so I want to do this again, except this time, I want to go to an intermediate certificate. So let's take a look at some intermediate certificates. See if there's a GoDaddy in here, there is okay, so what I want to do now is go to this guy, and let's double click on it. Now, at first glance, this is going to look pretty similar, but I want to show you there's going to be some very big differences here. Notice that the serial number at least has some values in it now.
But it still has a public key, all that same stuff that we saw before. There's a CRL CRL distribution points. We're going to talk about that a little bit later in this episode. And so that's the basic guide. Now in this case, you'll notice because he's an intermediate authority, he actually points to the route authority right there. So the certification path in this particular case, you have an intermediate and says that is where the roots comes from.
That was fun. Let's do it. One more time. This time, what I want to do is I actually have some personal certificates in here. The reason I have personal certificates as for email, I use them for I have a web server built in here and a lot of other stuff like that. So what I want to do now is break this down a little bit further and show you one of my certificates.
Okay, so first of all, you'll notice it says you have a private key that corresponds to the certificate. Well, that's very true, because well, it's my certificate, by golly, and this is, so I should have that. And then as we go in here, again, you'll see most of the same information we saw before, you'll see that this one ties to an email address as opposed to a website. And it actually defines the type of key it is and all this. There's that CRL distribution point which is going to be important later. And now if we take a look at the certification path here, you'll see that it actually has quite a bit of path to it.
So that's the route authority and there's two levels of intermediate before we actually get to me on this particular system. Okay. So those are the certificates that are in my computer. That's great. But where do these certificates come from? Well, most of these come actually from the web browsers themselves.
When you install a web browser, it has a whole bunch of certificates already in there, root and intermediate ready to go. In fact, people fight hard to get Firefox or Internet Explorer or whatever to include their particular certificates. So it's a big deal. Also, these certificates these root and intermediate certificates are updated all the time. I always get terrified when somebody isn't updating their systems because a big part of the head and certificate update. So that's where those certificates come from.
And remember, the certificates that are on your system, for the most part are only there as root and intermediate so that when you get that eBay certificate or whatever it is, you can do a quick comparison of that certificate based On the information on the certificates, you already have to verify whether it's good. Okay? But if I'm a web server, or if I want to do email, where do those certificates come from? Well, first of all, it is trivial to get an certificate generation tool. They come with windows that come with Linux, you can always make your own certificate Now, obviously, no one's signed it. So it's a unsigned certificate, but you can always make your own very, very quickly.
And if you try to plug that into a web server, or send somebody an email, it's going to be a big sign pops up saying, whoo, this is an unsigned certificate. Do you want to continue? Yes, no. So if you want a signed certificate, you go online to VeriSign, Komodo, Swati, whoever's out there. And you usually have to buy these things. So you go online, and you set some stuff up in there, you hand them your public key and other information, you hand that all to them.
You hit Enter, and then hand them a credit card usually, and then you get a certificate, the certificates in the old days used to come through the mail, and you'd actually have to import them into your computer. Today for the most part, what you do is it'll say your certificates ready, and you go to a website and you click on something. And literally through the connection, your new certificate is brought into your web server, your email client, whatever it might be. The challenge we have here is that certificates don't have our nice standardized format like Word documents or Excel spreadsheets, what we do have is the pkcs numbers. So what I want to do right now is I'm going to go back into the system and let's do a little exporting and take a look at pkcs. Okay, so what I've got here is I went back in and taking a look at my certificates.
Now, in this particular case, I'm actually showing you my personal certificates that I went ahead and downloaded these I went to Komodo and got these certificates. Now, what I want to show you is how we can export a certificate. So in this case, I'm going to just pick one of these arbitrarily and I'm going to hit X support. And windows comes with this nice little wizard. Now here's the first big question it asks, Do I want to export the private key or not because remember, a certificate, by definition does not have the private key. So I'm going to say No, do not export the private key.
Now it's given me some options as to how I want to export it. Now, some of these versions up here are used for more specific versions. But in general, we're going to go to pkcs. Number seven, so this is a pkcs. Seven. And if there are other certificates in the certification path, I can add those here as well if I want to.
Alright, so remember, the goal here is that we're going to export this to a file. So I'm going to call it Fred and I believe it's pointing to my desktop. Let's see what happens. Yeah, yeah. Export was successful. Outstanding.
All right. So you can see that I now have exported this certificate. This is not something you need to do very often. It's a rare session. Where you need to export, it is done for backup, we see people do it for that reason. And back in the old days, if you wanted to move to a new system or something like that, you could do a manual export as well.
And if you see, we can click on it and actually look at the certificate itself, just like we saw before. So I can put that on thumb drive, do anything I want. So what I want to do now is I'm going to export it again. Except this time, I'm going to do a little bit differently. This time, we're going to say yes, export the private key. Now remember, the private key is precious.
And it's something that should be secured under a password and encrypted and all that. And believe me, that's going to happen. So you'll see that when we export the certificate as well as the corresponding private key. So it's really two things we're exporting. It says pkcs 12. So make sure you know pkcs 12 is really more than just a certificate, delete the private key.
The export is successful if we were actually moving this to new system, we want to do that extended properties is just extra stuff. I'm going to skip that for right now. Now look what it's asking me to do right here, it's asking me to punch in a password. Because we don't want this thing to be casually laying on my desktop where anybody can grab my private key. So we're going to go ahead and hit next. And we got to give it another name.
I'm going to call it Timmy. And the export was successful. Alright, so let me close this. And let's take a look. In this case. First of all, you see the icons totally different.
It has a pf x file extension. And if I double click this, it I can't really just look at it because it's a package. And what it's going to try to do is actually import it into my system. I don't want to do that because it's already in there. But it's important that you remember pkcs seven is a way that we store certificates as individual files pkcs 12 is not only the certificate, but also the private key and it's actually a package Oh So let's go ahead and take one more quick look at the certificate. through here, I have to go through all this because I said that do the entire certification path.
Now I want to go back into details. And let's take a look at this right here. CRL distribution points. Now you'll notice that that is a path. CRL is something very important. Let's talk about that.
CRL stands for certificate revocation list. The CRL, which you notice is a path is a really, really important part of our whole PK AI system. You see, the challenge that we have here is that your computer is counting on certificates that are actually already stored locally on your system. And because of the nature of hashing and encryption and all that, it's hard. They're pretty trustworthy, but things can happen. What if VeriSign went out of business?
Oh, I don't even think about that or what have come up. got captured by evil terrorists and they were doing naughty things, the problem we have is that we can have real time problems with our certificates. So we need some kind of way to check and see if even the local certificates are bad to say nothing about the certificate that we just got from eBay. So this is important. So what we have originally was the crls. And if you remember that, that was just a little URL that gives your system the opportunity to very quickly lose pretty fast can go to that URL.
And literally, there's a list of a bunch of thumbprint numbers. And these numbers which are unique to individual certificates, say this one's bad, and it even says why they're bad. So you can, this is all done automatically. You don't have to do anything, but your browser, whatever it might be, we'll go in and use it in the CRL. Do a quick check to make sure everything's copacetic and happy. Now crls are great.
We've used them for decades. But the problem with crls is that it can take up to depends on who you're talking to. But as much as 24 hours to react to a ban certificate in some fashion. Now keep in mind when I say that I'm not talking about expired certificates, I'm not talking about certificates that you go to www.ebay.com. And all of a sudden, the certificates for www.ie boy calm or something like that those are issues that are built in to your system to take care of that. I'm talking about something that wouldn't normally be caught a certificate that's been revoked for some reason or another.
And that's where the crls really have a bit of a problem because it can take so long. And that's why we turn to a more modern feature called online certificate status protocol or ocsp. ocsp. Were very similarly to CRL. But the one big difference is it's pretty much real time it's virtually real time in terms of being able to check whether a certificate is good or not. crls are starting to fade and ocsp is the beautiful thing that we're using today.
So that my friends is a very Like touch and certainly good enough for security plus level touch on public key infrastructure. public key infrastructure is amazing stuff. And it's really gives us that first opportunity to dig in and understand certificates. Make sure you know why we have certificates. Make sure you know what a certificate looks like, make sure you know what a certification path is. Some of the things that we mentioned within the certificate are important.
And make sure you know your pkcs cause you're gonna see it on the exam.