I will describe what digital certificates are and why we need them, and also how to create a request for a digital certificate to send to a certification authority. It sounds scary, but in real life it is very simple. After reading these posts, you will have all the necessary digital keys and certificates within 10 minutes.
Digital certificates. Some definitions and explanations
To transfer private information over the Internet securely one uses encryption, and on the web that encryption relies on digital certificates.
Public key encryption (asymmetric encryption). The encryption algorithm requires two keys: one is secret (private), and the other is public and may be freely distributed. The public key is used for encryption or for verifying a digital signature, while the secret key is used for decryption or for creating a digital signature.
A digital certificate is a public key with information about the private key's owner built into it (the person's name or company name, address, e-mail, etc.).
Public Key Infrastructure (PKI) is a system for creating and managing digital certificates.
A Certification Authority (Validation Authority) signs a digital certificate with its own key, confirming that the certificate really belongs to the person whose data it contains.
There are several well-known certification authorities (Validation Authorities) whose signatures browsers and operating systems recognize as trustworthy.
Therefore, to create a website that can safely collect and process users' personal information, it is necessary:
- first, to create a private and public key pair;
- then, to send the public key, together with all the necessary information about the owner, to a certification authority;
- and finally, to receive your digital certificate signed by them and place it on the site.
After that, when someone creates a secure connection to your site, the visitor's browser will gladly report to its owner that it trusts the site's certificate. Then the visitor can safely transfer his/her personal information or even credit card details.
Getting a digital certificate from a certification authority costs money. The amount depends on how reputable the certification center is and on the certificate type, and sometimes it is no joke. Therefore, for test sites I use a self-signed certificate. In this case, the visitor's browser will complain that the site is fake and that the certificate is signed by an unknown party (which is true) and cannot be trusted. But a secure connection will work fine for test purposes.
We'll look at two tasks below:
- creating your own certificate service;
- creating a key and certificate request (certificate signing request) to send to a Certification Authority.
Let's start with the second task, as it is the simpler one.
How to create a key and certificate request (certificate signing request) to send to a Certification Authority
One can create a private key and certificate request for a server (service, virtual server) or for a user. There are some differences between them.
For a user, in the Common Name field one has to specify the user's name in Latin letters (not the login; example: Jong Dow) and a password, so that no one except the owner, who knows the password, can use the key.
For a server, in the Common Name field one has to specify the fully qualified domain name of the server (virtual server). A password is usually not specified, so that the administrator does not have to enter it each time he/she starts the server or service.
- It is necessary to prepare the answers to the questions in paragraph 1 of the post "How to create a certificate service. Preparing".
- If one creates a certificate request for a user, one will need a good password. What a good password is and how to create one, I wrote in the post "What is ssh/sftp and what is it for?". In the case of a certificate request for a server, one needs the fully qualified domain name, such as, for example, test2.example.com.
- To reduce the risk of losing the private key, it is best to create it in the folder where it will live. Actually, you can create it anywhere, and for this purpose you do not need to create the file structure for a certificate service or to edit the OpenSSL configuration file.
- OpenSSL allows you to create a key and a certificate request with a single command:
For a user:
openssl req -newkey rsa:1024 -keyout user1.key -out user1.req
This generates a secret 1024-bit key user1.key and a certificate request user1.req in the current folder. The command will also ask you to enter the prepared password twice, and then you will have to answer the questions from p. 1 (see Fig. 1).
Now you should store the password for your private key securely; otherwise the key and the signed certificate will be unusable.
Correspondingly, for a server:
openssl req -newkey rsa:1024 -keyout test2.example.com.key -nodes -out test2.example.com.req
This generates a secret 1024-bit key test2.example.com.key and a certificate request test2.example.com.req in the current folder. This time the command will only ask you to answer the questions from p. 1 (see Fig. 2).
- Then you should send the newly created certificate request to a certification authority, along with a lot of paperwork (it depends on the certificate type).
- Finally, one has to set correct (minimum) access rights on the private key file.
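The two commands above, wrapped as an added example (not from the original post) into non-interactive shell functions that also do the checks worth running before a request leaves your machine: the request's self-signature verifies, the Common Name is the one intended, the user key is passphrase-protected while the server key is not, and the key file is owner-readable only. It assumes openssl is on PATH and uses placeholder subject fields (C, O, e-mail) that you replace with the answers prepared in step 1; the key size is 2048 bits because public CAs no longer accept 1024-bit RSA.

```shell
#!/bin/sh
set -eu
umask 077   # files we create are never group/world readable, not even briefly

# Server request: no passphrase (-nodes), CN = fully qualified domain name
make_server_csr() {
    fqdn="$1"
    openssl req -newkey rsa:2048 -nodes -keyout "$fqdn.key" -out "$fqdn.req" \
        -subj "/C=XX/O=Example Org/CN=$fqdn" >/dev/null 2>&1
    chmod 600 "$fqdn.key"   # the "minimum access rights" step, made explicit
}

# User request: passphrase-protected key, CN = person's name in Latin letters
# Arguments: display name, passphrase, basename for the output files
make_user_csr() {
    name="$1"; passphrase="$2"; base="$3"
    openssl req -newkey rsa:2048 -keyout "$base.key" -out "$base.req" \
        -passout "pass:$passphrase" \
        -subj "/C=XX/O=Example Org/CN=$name/emailAddress=$base@example.com" \
        >/dev/null 2>&1
    chmod 600 "$base.key"
}

# Verify the request's self-signature, then print its Common Name so the
# caller can compare it with the intended value. Fails if the CSR is corrupt.
csr_common_name() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$1" -noout -subject -nameopt sep_multiline,lname \
        | sed -n 's/^ *commonName=//p'
}

# Is the private key file encrypted? (expected for a user key, not a server key)
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Is the key file mode exactly 600? (GNU stat first, BSD/macOS stat as fallback)
key_mode_ok() {
    [ "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" = "600" ]
}
```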
I have described what digital certificates are and why we need them, and also how to create a private key and a request for a digital certificate to send to a certification authority.