Danni-Tech

Making the Complicated Simple

  • Key Points from This Video on Certificates:

    • What is a Certificate?

      • According to NIST, a certificate is a set of data that:
        1. Uniquely identifies an entity.
        2. Contains the entity’s public key.
        3. Is digitally signed by a third party (Certificate Authority or CA) to bind the public key to the identified entity.
      • Anyone holding the CA’s public key can verify that signature, which protects the integrity of the certificate data (it cannot be altered undetected) and its authenticity (it really was issued by that CA).
    • Main Components of a Certificate:

      1. Certificate Data: Holds the key information about the certificate (the “to be signed” portion, tbsCertificate in X.509 terms; everything the CA vouches for).
      2. Signature Algorithm: Specifies the algorithm used to sign the certificate.
      3. Signature: The digital signature created by the CA to ensure authenticity.
    • Fields within Certificate Data:

      • Version: Indicates the X.509 version, which defines the certificate format; version 3 is the one in current use and the only one that supports extensions.
      • Serial Number: A unique identifier assigned by the CA.
      • Signature Algorithm: The algorithm used by the CA to sign the certificate (e.g., RSA with SHA-256).
      • Validity Dates: Shows the certificate’s active period (“Valid From” and “Valid To” in most certificate viewers; notBefore and notAfter in the X.509 standard). A certificate is rejected outside this window.
      • Subject: Identifies the owner of the certificate.
      • Issuer: Identifies the CA that issued the certificate.
      • Public Key: The public key associated with the certificate owner’s private key, used in secure communications.
      • Extensions: Optional fields (X.509 v3 only) providing additional features or restrictions, e.g., Subject Alternative Name, Key Usage, and Basic Constraints (whether the key may sign other certificates).
    • How a Certificate is Created:

      • The Certificate Authority (CA) fills in the certificate data.
      • The data is processed through a hashing algorithm, and the resulting hash is digitally signed using the CA’s private key.
      • Anyone holding the CA’s public key can recompute the hash and verify the signature, so any change to the certificate data after issuance is detected.
    • Signature Algorithm:

      • Specifies both:
        1. The hashing algorithm used to hash the certificate data.
        2. The public-key (asymmetric) signature algorithm, such as RSA or ECDSA, used with the CA’s private key to create the digital signature.
    • Distinguished Name (DN):

      • A hierarchical structure of attribute-value pairs that uniquely identifies the certificate’s subject and issuer.
      • Common Attribute-Value Pairs:
        • C = US: Country = United States
        • ST = California: State = California
        • L = San Francisco: Locality = San Francisco
        • O = Reddit: Organization = Reddit
        • CN = *.reddit.com: Common Name = *.reddit.com
    • Wildcard Certificates:

      • A wildcard (e.g., *.reddit.com) allows one certificate to secure multiple subdomains; the asterisk stands for exactly one DNS label.
      • Covers subdomains like www.reddit.com and mail.reddit.com, but not deeper subdomains like sub.mail.reddit.com, and not the bare domain reddit.com unless it is listed separately.
      • Modern browsers match the host name against the Subject Alternative Name (SAN) extension rather than the CN, so the wildcard must appear there too.
    • Self-Signed vs. Third-Party Certificates:

      • Self-Signed Certificate:
        • Signed with its own private key, so the Subject and the Issuer are the same entity.
        • Used for internal purposes (labs, test systems, internal CAs) to reduce costs.
        • Not trusted by default in web browsers, which show a warning, unless the certificate is manually added to a trusted root store.
      • Third-Party Certificate:
        • Issued and signed by an external, trusted Certificate Authority (CA) (e.g., GoDaddy, DigiCert).
        • Automatically trusted by most browsers and operating systems because the CA’s root certificate ships in their trust stores.
        • Essential for public-facing websites to establish trust with users.
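    • Worked example (added here; not from the video or the notes above): the Go program below uses only the standard library’s crypto/x509 to act as a CA and as a relying party. It ties together the certificate-data fields, the hash-then-sign creation step, the Distinguished Name and wildcard rule, and the self-signed versus third-party trust question. “Example Root CA”, “Example Corp”, the serial numbers and the validity periods are constructed values for the example, and the *.reddit.com leaf is a stand-in with no relation to any real Reddit certificate.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue has the CA sign a filled-in template: CreateCertificate encodes the certificate
// data, hashes it and signs the hash with signer's private key. parent == tmpl yields a
// self-signed certificate (Subject == Issuer).
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildPKI plays the CA: a self-signed root, then a leaf for *.reddit.com signed with the root's key.
func buildPKI() (root, leaf *x509.Certificate, err error) {
	rootKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{ // constructed root CA; names are illustrative
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA", Organization: []string{"Example Corp"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true, // Basic Constraints extension: this key may sign certificates
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if root, err = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey); err != nil {
		return nil, nil, err
	}
	leaf, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject: pkix.Name{ // the Distinguished Name from the notes
			Country: []string{"US"}, Province: []string{"California"}, Locality: []string{"San Francisco"},
			Organization: []string{"Reddit"}, CommonName: "*.reddit.com",
		},
		DNSNames:    []string{"*.reddit.com"}, // Subject Alternative Name: what host-name matching uses
		NotBefore:   now.Add(-time.Hour),
		NotAfter:    now.AddDate(0, 0, 90),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, &leafKey.PublicKey, rootKey)
	return root, leaf, err
}

// summarize extracts the certificate-data fields listed in the notes.
func summarize(c *x509.Certificate) map[string]string {
	return map[string]string{
		"Version": fmt.Sprint(c.Version), "SerialNumber": c.SerialNumber.String(),
		"SignatureAlgorithm": c.SignatureAlgorithm.String(), "PublicKey": c.PublicKeyAlgorithm.String(),
		"Subject": c.Subject.String(), "Issuer": c.Issuer.String(), "Extensions": fmt.Sprint(len(c.Extensions)),
		"ValidFrom": c.NotBefore.UTC().Format(time.RFC3339), "ValidTo": c.NotAfter.UTC().Format(time.RFC3339),
	}
}

// signatureValid re-hashes c's certificate data and checks the signature with the issuer's public key.
func signatureValid(c, issuer *x509.Certificate) bool {
	return c.CheckSignatureFrom(issuer) == nil
}

// tampered returns a copy of c with one byte of the signed data flipped.
func tampered(c *x509.Certificate) *x509.Certificate {
	t := *c
	t.RawTBSCertificate = append([]byte(nil), c.RawTBSCertificate...)
	t.RawTBSCertificate[len(t.RawTBSCertificate)/2] ^= 0x01
	return &t
}

// trusted chains c to one of the given roots. The pool is always explicit; a nil Roots
// field would silently fall back to the operating system's trust store.
func trusted(c *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := c.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

func main() {
	root, leaf, err := buildPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println(summarize(leaf))
	fmt.Println("leaf signed by root:", signatureValid(leaf, root), "| after tampering:", signatureValid(tampered(leaf), root))
	// Wildcard rule: "*" matches exactly one label, so neither sub.mail.reddit.com nor the apex is covered.
	fmt.Println("*.reddit.com covers www:", leaf.VerifyHostname("www.reddit.com") == nil, "| sub.mail:", leaf.VerifyHostname("sub.mail.reddit.com") == nil, "| apex:", leaf.VerifyHostname("reddit.com") == nil)
	fmt.Println("leaf trusted, empty store:", trusted(leaf, "www.reddit.com"), "| root installed:", trusted(leaf, "www.reddit.com", root))
	fmt.Println("self-signed root trusted, empty store:", trusted(root, ""), "| once installed:", trusted(root, "", root))
}
```

    The two trust checks at the end are the self-signed versus third-party distinction in code: the leaf verifies only when the CA that signed it is in the trust store, and the self-signed root verifies only after it has itself been added, which is exactly the manual step a browser needs for an internal certificate.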
    • Key Takeaways for the Security+ Exam:

      1. Understand the basic components of a certificate: Certificate Data, Signature Algorithm, and Signature.
      2. Recognize attribute-value pairs in the Distinguished Name.
      3. Know the difference between self-signed and third-party certificates.
      4. Understand the purpose of wildcard certificates for securing multiple subdomains.