TLS is SSL
TLS and SSL are the same protocol. In 1996 the Internet Engineering Task Force formed a group to study a standardized version of web browser encryption. The group worked with several companies, including Microsoft and Netscape, and decided to take the SSL protocol and write it into a standard. SSL was renamed TLS in 1999.
History
Early research efforts towards transport layer security included the Secure Network Programming (SNP) application programming interface (API), which in 1993 explored the approach of having a secure transport layer API closely resembling Berkeley sockets, to facilitate retrofitting pre-existing network applications with security measures.
Source: Wikipedia

What is Public and Private Key
The public/private key pair is what a digital certificate is built on.
The private key is one half of that pair. It is created before, or at the same time as, the Certificate Signing Request (CSR).
The CSR carries the matching public key, which is generated on the server or device according to the server software's instructions.
Exchange keys
The client sends a public key request to the server, and the server sends back the agreed public key. Client and server then each run the same algorithm with their own private key and arrive at the same encryption key.
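The exchange described above, as an added example that is not part of the original article: both sides generate a key pair, exchange only the public halves, and derive the same secret with OpenSSL's ECDH on curve P-256. The hashing of the derived secret stands in for the key-derivation step a real protocol performs before using it as a cipher key, and the "client", "server" and "other" names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): ECDH key agreement with the
# OpenSSL command line. Only public keys cross the wire; each party combines
# its own private key with the peer's public key.
set -eu

# Print the SHA-256 of the secret derived from own private key ($1) and the
# peer's public key ($2). Hashing stands in for a real protocol's KDF step.
derive_secret() {
  openssl pkeyutl -derive -inkey "$1" -peerkey "$2" \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Generate a fresh P-256 key pair under prefix $1 ($1.key private, $1.pub public).
make_keypair() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
  openssl pkey -in "$1.key" -pubout -out "$1.pub"
}

# Run the exchange: print the agreed secret hash when both sides match,
# return non-zero otherwise.
ecdh_demo() {
  work=$(mktemp -d)
  make_keypair "$work/client"
  make_keypair "$work/server"
  client_view=$(derive_secret "$work/client.key" "$work/server.pub")
  server_view=$(derive_secret "$work/server.key" "$work/client.pub")
  # A third party holding only the public halves and its own private key
  # derives something else: the secret depends on one of the two private keys.
  make_keypair "$work/other"
  other_view=$(derive_secret "$work/other.key" "$work/server.pub")
  rm -rf "$work"
  [ "$client_view" = "$server_view" ] || return 1
  [ "$other_view" != "$client_view" ] || return 1
  echo "$client_view"
}

ecdh_demo
```

Each run generates fresh keys, so the printed value differs every time while both sides always agree on it; that is exactly the ephemeral (ECDHE) behaviour modern TLS cipher suites rely on.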
Request a certificate
There are three steps to request a certificate from a CA:
- Generate a private key
- Generate a certificate request using the private key
- Send the certificate request to the Certificate Authority (CA)
1. Generate Private Key
openssl genrsa -out cabbage.private.key 2048
The command generates a private key. Keep it safe: no matter how much cybersecurity or end-point security you have in place, if private keys are mismanaged then every other security measure is undermined.
RSA
OpenSSL genrsa generates an RSA private key; choose the key length according to the symmetric security level you need:

| Symmetric | RSA Key Length |
|---|---|
| 80 | 1024 |
| 112 | 2048 |
| 128 | 3072 |
| 192 | 7860 |
| 256 | 15360 |

Table 1: RSA key sizes (in bits)
2. Generate Certificate Request using Private Key
Second, create a Certificate Signing Request (CSR) with the private key created above:
openssl req -new -sha256 -key cabbage.private.key -out cabbage.certificate.csr
req
PKCS#10 certificate request and certificate generating utility. It can additionally create self-signed certificates, for example for use as root CAs. See the OpenSSL req manual page for details.
3. Send the certificate request to the Certificate Authority (CA)
Finally, send the CSR file to the Certificate Authority. The CA uses its root certificate or an intermediate certificate to create the certificate, in most cases in Privacy Enhanced Mail (PEM) format. The command below signs the CSR with the requester's own key, which produces a self-signed certificate; a real CA signs with its own key instead:
openssl x509 -in cert.csr -out cert.pem -req -signkey key.pem -days 1001
Certificate File Formats
SSL has been around long enough that there are many standards and file extensions.
- .csr – A Certificate Signing Request.
- .pem – Defined in RFCs 1421 through 1424, this is a container format that may include just the public certificate, or an entire certificate chain including public key, private key and root certificates.
- .key – A PEM formatted file containing just the private key of a specific certificate; this is merely a conventional name, not a standardized one.
- .pkcs12 .pfx .p12 – Defined by RSA in the Public-Key Cryptography Standards; the "12" variant was originally enhanced by Microsoft.
- .der – A way to encode ASN.1 syntax in binary; a .pem file is just a Base64 encoded .der file.
- .cert .cer .crt – A .pem (or rarely .der) formatted file with a different extension, one that Windows Explorer recognizes as a certificate, which .pem is not.
- .crl – A certificate revocation list. Certificate Authorities produce these as a way to de-authorize certificates before expiration.
In brief, there are four different ways to present certificates and their components:
- PEM – Governed by RFCs, it is used preferentially by open-source software. It can have a variety of extensions (.pem, .key, .cer, .cert, more).
- PKCS7 – An open standard used by Java and supported by Windows. It does not contain private key material.
- PKCS12 – Originally a Microsoft private standard, later defined in an RFC; it provides enhanced security versus the plain-text PEM format and, unlike PKCS7, can contain private key material. It is used preferentially by Windows systems, and you can freely convert it to PEM format with OpenSSL.
- DER – The parent format of PEM. Think of it as the binary version of the base64-encoded PEM file. Outside of Windows it is not routinely used.
Off the record, this is partially copied from a StackOverflow answer
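The format relationships listed above, as an added example that is not part of the original article or the StackOverflow answer it draws on: one self-signed test certificate is written out as PEM, DER, PKCS#7 and PKCS#12, the encodings are shown to refer to the same certificate (same SHA-256 fingerprint), the PEM body is shown to be the base64 of the DER bytes, and PKCS#12 is shown to carry the private key while PKCS#7 does not. The subject name "format-demo.example" and the PKCS#12 password "demo" are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): the same certificate in
# PEM, DER, PKCS#7 and PKCS#12, converted with OpenSSL and cross-checked.
set -eu

# Self-signed test certificate plus key in directory $1 (input for the demo only).
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=format-demo.example" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# SHA-256 fingerprint of certificate $1 (input format $2, default PEM):
# the encoding-independent identity used to compare the conversions.
fingerprint() {
  openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256 | cut -d= -f2
}

# Convert into every format; print the fingerprint if they all agree, else return 1.
convert_formats() {
  d=$1
  make_test_cert "$d"
  openssl x509 -in "$d/cert.pem" -outform DER -out "$d/cert.der"            # PEM -> DER
  openssl x509 -in "$d/cert.der" -inform DER -out "$d/cert.roundtrip.pem"   # DER -> PEM
  openssl crl2pkcs7 -nocrl -certfile "$d/cert.pem" -out "$d/cert.p7b"       # PEM -> PKCS#7
  openssl pkcs12 -export -in "$d/cert.pem" -inkey "$d/key.pem" \
    -passout pass:demo -out "$d/bundle.p12"                                 # PEM + key -> PKCS#12
  openssl pkcs12 -in "$d/bundle.p12" -passin pass:demo -nokeys \
    -out "$d/cert.from_p12.pem"                                             # PKCS#12 -> PEM
  ref=$(fingerprint "$d/cert.pem")
  [ "$(fingerprint "$d/cert.der" DER)" = "$ref" ] || return 1
  [ "$(fingerprint "$d/cert.roundtrip.pem")" = "$ref" ] || return 1
  [ "$(fingerprint "$d/cert.from_p12.pem")" = "$ref" ] || return 1
  echo "$ref"
}

# PEM is the DER bytes, base64-encoded, between the BEGIN/END armour lines.
pem_is_base64_der() {
  body=$(grep -v -- '-----' "$1/cert.pem" | tr -d '\n')
  der_b64=$(openssl base64 -in "$1/cert.der" | tr -d '\n')
  [ -n "$body" ] && [ "$body" = "$der_b64" ]
}

# PKCS#12 bundles the private key (password protected); PKCS#7 holds certificates only.
key_material_check() {
  openssl pkcs12 -in "$1/bundle.p12" -passin pass:demo -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY' || return 1
  if grep -q 'PRIVATE KEY' "$1/cert.p7b"; then return 1; fi
  openssl pkcs7 -in "$1/cert.p7b" -print_certs -noout | grep -q 'format-demo.example'
}

tmp=$(mktemp -d)
echo "fingerprint shared by all encodings: $(convert_formats "$tmp")"
pem_is_base64_der "$tmp" && echo "PEM body == base64(DER)"
key_material_check "$tmp" && echo "PKCS#12 holds the key, PKCS#7 does not"
rm -rf "$tmp"
```

Comparing fingerprints rather than file bytes is deliberate: PEM files may carry extra "Bag Attributes" text (as the one extracted from PKCS#12 does), but the certificate they encode is identical.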
Certificate Chain
The certificate chain, also known as the certification path, is a list of certificates used to authenticate an entity. The chain, or path, begins with the certificate of that entity, and each certificate in the chain is signed by the entity identified by the next certificate in the chain.
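An added example, not part of the original article, that ties the three request steps (private key, CSR, submit to a CA) to the chain described above: a local root CA issues an intermediate, the intermediate issues the "cabbage" leaf from its CSR, and OpenSSL then validates the path. The article's "openssl x509 -req -signkey" form is used once, for the root, since signing a CSR with its own key yields a self-signed certificate, which is what a root is. All names ("Example Root CA", "Example Intermediate CA", "cabbage.example") and the extension files are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): root -> intermediate -> leaf
# issued with OpenSSL, then path validation with and without the intermediate.
set -eu

# Private key plus CSR for subject $2 under file prefix $1.
new_request() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$1.key" -subj "/CN=$2" -out "$1.csr"
}

# Sign CSR $1.csr with CA $2 (.pem/.key) for $3 days using extensions file $4.
# The CA supplies issuer name, serial number and validity and signs the result.
sign_with_ca() {
  openssl x509 -req -sha256 -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -days "$3" -extfile "$4" -out "$1.pem" 2>/dev/null
}

build_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:cabbage.example\n' > "$d/leaf.ext"
  # Root: its CSR self-signed with its own key (the trust anchor).
  new_request "$d/root" "Example Root CA"
  openssl x509 -req -sha256 -in "$d/root.csr" -signkey "$d/root.key" \
    -days 3650 -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # Intermediate: CSR signed by the root and marked as a CA.
  new_request "$d/intermediate" "Example Intermediate CA"
  sign_with_ca "$d/intermediate" "$d/root" 1825 "$d/ca.ext"
  # Leaf: steps 1 to 3 of the article, signed by the intermediate.
  new_request "$d/cabbage" "cabbage.example"
  sign_with_ca "$d/cabbage" "$d/intermediate" 365 "$d/leaf.ext"
  # What a server sends in the handshake: its own certificate, then the intermediate.
  cat "$d/cabbage.pem" "$d/intermediate.pem" > "$d/fullchain.pem"
}

# Issuer name of certificate $1 in RFC 2253 form.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# Path validation: leaf -> intermediate (supplied, untrusted) -> root (trusted).
verify_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" "$1/cabbage.pem" >/dev/null
}

# Without the intermediate no path to the root exists; return 0 when
# verification fails as expected.
verify_without_intermediate_fails() {
  if openssl verify -CAfile "$1/root.pem" "$1/cabbage.pem" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

tmp=$(mktemp -d)
build_chain "$tmp"
echo "leaf issued by:         $(issuer_of "$tmp/cabbage.pem")"
echo "intermediate issued by: $(issuer_of "$tmp/intermediate.pem")"
verify_chain "$tmp" && echo "chain verifies with the intermediate"
verify_without_intermediate_fails "$tmp" && echo "chain fails without the intermediate"
rm -rf "$tmp"
```

The failing case is the one worth remembering when debugging a deployment: a server that ships only its leaf certificate and omits the intermediate produces exactly this "unable to get local issuer certificate" style of failure in clients that do not already have the intermediate cached.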
Certificate Conversions
You can also convert certificates online without installing any tools.
Tools
Many tools, for example OpenSSL and KeyStore Explorer, can be used to work with certificates.
OpenSSL
The OpenSSL utility can generate a private key, a Certificate Signing Request (CSR) and a self-signed certificate; all the commands mentioned above use OpenSSL.
Helpful commands
To view a server's certificate from the command prompt:
openssl s_client -connect your.server.com:443 -showcerts
To generate a private key:
openssl genrsa -out filename.private.key 2048
To create the certificate request with that private key:
openssl req -new -sha256 -key filename.private.key -out filename.certificate.csr
To convert a server certificate from PEM to P12 format:
openssl pkcs12 -export -in server.certificate.pem -inkey filename.private.key -out server.cert.combined.privatekey.p12
KeyStore Explorer
KeyStore Explorer is an open-source GUI replacement for the Java command-line utilities keytool and jarsigner. It requires a JVM to install and run.
See its documentation for the list of supported features.
Online
Some websites, such as SSLShopper, let you verify TLS certificates and convert between formats.
References
- Pluralsight course: Troubleshooting with Wireshark: Analyzing and Decrypting TLS Traffic in Wireshark (Using HTTPS), Module 2
- What is a private key/public key pair?
- Verifying the validity of an SSL certificate
- ECC Cipher Suites for TLS
- What is a PEM file and how does it differ from other OpenSSL generated key file formats?