Certificates - CompTIA Security+ SY0-701 - 1.4

00:01

A digital certificate is a file that contains both a public key

00:05

and a digital signature.

00:07

You can think of this as a digital version

00:10

of an identification card.

00:11

But in reality, it has so many more capabilities

00:14

than simply providing authentication.

00:16

One of the characteristics we're constantly

00:19

striving for in IT security is that of trust.

00:22

Whenever we're allowing someone access to a system,

00:25

we're trusting that the person using that username

00:28

and password really is the person that we'd

00:30

like to provide access.

00:32

A digital certificate is a way to provide that trust.

00:35

We can create a digital certificate,

00:37

have a certificate authority digitally sign that certificate

00:41

so that we know that if the certificate authority trusts

00:44

that person, then we should also trust that person as well.

00:48

There are other ways to provide trust

00:49

with digital certificates.

00:51

One of those methods is through the use of a web of trust.

00:53

Instead of having a centralized certificate authority,

00:56

we can have multiple individuals sign

00:59

each other's certificate, thereby creating

01:02

this web of trust.

01:03

If we trust our friend and our friend

01:05

has signed the digital certificate

01:07

of a third party, then therefore,

01:09

we can trust the third party as well.

01:11

But of course, you don't necessarily

01:12

need a third-party certificate authority to provide trust,

01:16

especially if you're just creating certificates

01:18

within your own organization.

01:20

In that case, you may want to use the certificate

01:22

tools that are built into Microsoft Windows Domain

01:24

Services.

01:25

And there are many other third-party software options

01:28

to provide your own certificate authority.

01:31

If you're in a web browser and you're connected securely

01:34

to a website, you'll notice there's

01:35

a lock in the address bar.

01:37

And if you click that lock, you'll

01:38

be able to see the details of the certificate associated

01:41

with that web server.

01:42

You'll notice that your browser is

01:44

able to show you the information about the certificate

01:46

for that web server regardless of what websites

01:49

you might be connected to.

01:50

That's because all of these different websites

01:53

are using a single certificate format that everyone can read.

01:57

The standard for that format is called an X.509 format.

02:01

And sometimes, you'll hear people

02:02

refer to the X.509 certificate.

02:04

And they're referring to the standardized format

02:07

for a digital certificate.

02:09

There is an amazing amount of information stored

02:11

in these digital certificates.

02:12

You have a serial number, a version,

02:14

and a signature algorithm.

02:16

You can see who issued the digital certificate, the name

02:19

of the holder of the digital certificate,

02:21

the public key, and other information as well.

02:24

In this video, we'll look at some of these characteristics

02:27

inside of this certificate.

02:28

And we'll talk about how we can use those to help better secure

02:31

our networks.

02:32

Having a method of creating trust between yourself

02:36

and someone trying to gain access to your systems

02:38

is a foundational part of IT security.

02:41

The real challenge, of course, is,

02:43

how do you trust something that up to this point

02:45

has been an unknown entity?

02:47

For example, when we use our browser

02:49

to visit a website for the very first time,

02:51

how does our browser know that we're

02:53

connecting to the right website and creates that trust

02:56

between you and that resource?

02:58

One way to provide this trust is to have a third party

03:01

vouch for the site that you're connecting to so

03:04

that if the third party trusts the site, then

03:06

therefore, I should be able to trust the site as well.

03:09

We often refer to this inherently trusted component

03:12

as the root of trust.

03:14

This might be provided through hardware or software.

03:17

Or there may be firmware or some other component that provides

03:20

trust for a particular system.

03:22

If we have a mobile phone or a website,

03:24

we may be using hardware security modules, Secure

03:28

Enclave, a certificate authority, or some other method

03:31

that provides us with some level of trust

03:34

for this particular system.

03:36

The method of trust that's built in to all of our browsers

03:39

is one that allows us to understand

03:41

if we're connecting to a website that can be trusted

03:44

or not trusted.

03:45

When you're connecting to a website for the very first

03:47

time, it would be great if we could get some feedback

03:50

on whether this site can be trusted

03:52

or whether it's untrusted.

03:53

So we'll use a trusted third party, an authority of sorts,

03:57

called a certificate authority.

03:59

The certificate authority is one that

04:01

digitally signs the certificates that

04:03

are stored on that website.

04:05

And your browser trusts the certificate authority.

04:08

So when you visit this website for the very first time,

04:10

you can view their certificate and see that their certificate

04:13

was digitally signed by a certificate authority

04:16

that your browser already trusts.

04:18

Therefore, you also will trust this third-party website.

04:22

This provides a real-time validation

04:24

that this website is one we can trust.

04:26

And it's this process that occurs to every website we

04:29

visit throughout our workday.

04:31

This process that a browser uses to trust a website

04:35

is built into the internals of the browser that you're using.

04:38

And if you look at the list of certificate authorities

04:41

that are trusted by your browser,

04:43

you will see there are hundreds of certificate

04:45

authorities listed.

04:46

This means the website can purchase a certificate from any

04:50

of these hundreds of certificate authorities,

04:52

put that digitally signed certificate

04:54

on their web server.

04:55

And as long as they're in the list of your browser,

04:58

they'll be trusted.

04:59

In this example, the certificate authority

05:01

is in charge of digitally signing this certificate

05:04

that you put on your website server.

05:05

But we're not really purchasing a digital signature.

05:08

When we purchase a certificate, we're

05:10

really purchasing the validation process

05:13

that a certificate authority goes through.

05:15

The certificate authority is going

05:16

to go through a series of verifications

05:18

to make sure that the person receiving

05:20

that digital signature is truly the owner

05:23

of that particular website.

05:25

That is the trust part that is built into this certificate

05:28

authority.

05:28

And it's how we can trust any of these websites

05:31

that we visit throughout the day.

05:33

Let's say that we would like to create a certificate

05:35

for our web server.

05:36

We'd like to send that certificate to a certificate

05:39

authority to be validated, have them digitally sign it,

05:42

and return that back to us.

05:43

The process to do this is relatively simple.

05:46

We would first create what is effectively

05:48

a digital certificate by using our public key,

05:51

add the identifying information about what

05:54

server this might be connected to

05:55

and information about our organization,

05:57

and combine those together to create a Certificate Signing

06:01

Request, or a CSR.

06:03

That CSR is sent to a certificate authority.

06:06

The certificate authority now does the validation process.

06:09

They confirm that the certificate that you're

06:12

asking for is one that is really for a web server

06:14

that you own and control.

06:16

And if they agree that this is a valid certificate,

06:19

they will use their private key to digitally sign

06:22

the certificate and send it back to you.

06:24

It's this middle part where the validation

06:26

is occurring that is so important

06:28

to this entire process.

06:29

If the certificate authority doesn't

06:31

provide this validation, then we can't

06:33

trust any of the certificates from that CA.

06:36

That's why this validation process is so important,

06:39

because that's where we get trust associated

06:41

with this digital certificate.

06:44

So far, we've been talking about using a public CA that

06:47

is built into everyone's browser in the world

06:50

to be able to provide trust.

06:51

But if you have your own internal applications

06:54

and your own internal web servers

06:56

and these will only be connected to by people inside

06:59

of your organization, then you can be your own certificate

07:03

authority.

07:04

For this to work, we would install our own certificate

07:06

authority software inside of our organization.

07:09

We would then take the public certificate

07:11

for that certificate authority, and we

07:13

would install it on everyone's computer

07:15

inside of our organization.

07:17

That way, everyone's machine would trust the certificate

07:20

authority we run internally, the same way that they

07:23

would trust a certificate authority that was external.

07:26

And you'll find that this is relatively common for medium-

07:29

to large-sized organizations that have

07:31

their own internal services.

07:32

They can create their own certificates

07:34

using an internal CA.

07:36

There are many software packages that

07:38

allow you to create your own certificate authority.

07:41

Microsoft has their Windows Certificate Services

07:43

that you see here.

07:44

There's OpenCA and many other third-party software packages.

07:49

So now we've created our own certificate authority

07:52

for everything that is internal to our organization.

07:55

And if we have an application or user that needs a certificate,

07:58

we don't have to go outside to a public CA.

08:01

We can simply use our internal CA

08:03

to create those certificates.

08:05

The process for creating a digital certificate,

08:07

having the certificate authority digitally sign

08:10

that certificate, and distributing it back

08:12

to the end user is exactly the same

08:14

as you would use with an external CA.

08:16

The only difference is we're using our internal CA

08:19

to provide the trust and provide digital signatures for all

08:22

of our certificates.

08:24

As long as you've installed your internal certificate authority

08:27

certificate to the trusted chain on all of your devices,

08:30

it works exactly the same as an external or public CA.

08:34

All of these devices will inherently

08:36

trust anything they're connecting

08:37

to because you've digitally signed

08:39

those with the internal CA.

08:42

If you're visiting a website in your browser

08:44

and you click the lock that is in the address bar,

08:47

you'll be able to see all of the details of that certificate.

08:50

And if you scroll through this web server certificate,

08:52

you may see a section called Subject Alternative Name.

08:56

Sometimes, we refer to this as a wildcard certificate

08:59

because it allows you to put the name of a domain

09:02

with an asterisk associated with the name of the device.

09:06

This means the certificate that we've created

09:08

can be used for any device that happens

09:10

to share that fully qualified domain

09:13

name listed in the Subject Alternative Name.

09:16

For example, in this certificate,

09:17

there are large number of DNS names that are listed.

09:20

One of these is birdfeeder.live, which

09:22

is one of my certificates.

09:24

And you can see it has an *.birdfeeder.live.

09:27

That means that this certificate could

09:29

be used for www.certificate.live,

09:32

ftp.certificate.live, mail.certificate.live,

09:36

and so on.

09:37

From an administration perspective,

09:39

this makes it very easy to create a single certificate

09:42

and distribute that certificate to a large number of devices

09:45

within your organization.

09:47

As long as that device is associated with that domain

09:50

name, this certificate will be valid for that service.

09:54

There may be times when we're decommissioning a web server,

09:57

and we would like that certificate

09:59

to no longer be valid.

10:00

Or maybe we're concerned that an attacker has gained access

10:04

to our certificates.

10:05

So we would like to revoke all of those certificates

10:07

and create some that are new.

10:09

One of the ways that we can provide this revocation

10:12

is through the use of a CRL, or a Certificate Revocation List.

10:16

This is a list of all of the certs that have been revoked.

10:19

And we keep this list on the certificate authority itself.

10:23

This administrative process of creating and then revoking

10:26

certificates is one that is built into any certificate

10:29

authority.

10:30

But there might be other reasons for providing some way

10:33

to revoke a certificate.

10:35

We found this out in April of 2014,

10:37

when we discovered an attack that

10:39

could have a web server provide a third party with the web

10:43

server's private key.

10:45

We refer to this attack as Heartbleed.

10:47

And it was due to a vulnerability in the OpenSSL

10:50

application library.

10:52

We had to revoke all of our certificates

10:54

and create brand-new certificates once this OpenSSL

10:58

code was updated.

10:59

All of our old certificates were moved to the certificate

11:02

revocation list.

11:03

And our newer certificates were then

11:05

installed into all of our web servers.

11:08

You can see how important it is to have

11:10

some method for revoking this trust which had previously

11:14

been installed onto a particular service.

11:16

You can find where this list of revoked certificates

11:19

happens to be by looking into the details

11:22

of your certificate.

11:23

If you click the lock on the address bar of your browser,

11:26

you can scroll through the certificate

11:28

and find a section that's called CRL Distribution Points.

11:32

This will include a list of URIs,

11:34

or Uniform Resource Identifiers, that are effectively

11:38

a link to the CRL file.

11:41

So this tends to be a multistep process.

11:43

Your browser connects to a third-party website.

11:45

That third-party website provides your browser

11:48

with its certificate.

11:49

Your browser then looks through the cert

11:51

to find the CRL distribution points

11:54

and then follows one of those URIs to download the CRL list.

11:58

From there, your browser can look through this list

12:01

and make sure that this certificate is not one

12:04

that's listed as being revoked.

12:06

As long as it's not in the list, you

12:07

can continue with your browsing session.

12:09

But if this certificate from this third-party website

12:12

is listed in this CRL, your browser

12:15

knows that is now a site that is not trusted.

12:17

This certificate is not valid.

12:19

And it will not allow you access to that web server.

12:23

As you can imagine, it's not very

12:24

efficient to have a single file that

12:26

lists out all the revocations for a certificate authority.

12:29

It would be great if we could have a more efficient process

12:32

that didn't involve us going to a third-party site

12:34

and downloading a big list of revocations.

12:37

Fortunately, we've created a protocol

12:39

that does exactly that.

12:40

This is OCSP, or the Online Certificate Status Protocol.

12:45

Relying on the certificate authority

12:47

to provide a list of all of these revocations

12:49

to anyone who might be visiting our website

12:52

is inherently inefficient.

12:54

To make this process more efficient,

12:56

we can put the status of our certificates

12:58

onto our web servers itself.

13:00

This is accomplished by sending status messages

13:03

about the validity of your certificate

13:06

during the SSL handshake that occurs when you first

13:08

connect to a web server.

13:10

This is referred to as OCSP stapling

13:13

because we're embedding the status of this certificate

13:15

within the handshake of this server.

13:18

We obviously can't trust a third-party web server

13:21

to truthfully tell us the status of the certificate.

13:23

So this OCSP protocol uses a digital signature by the CA

13:28

to validate its status.

13:30

Most browsers today support OCSP for the Online Certificate

13:34

Status Protocol, which means the browser itself can handle

13:37

all of the checks for revocation when you

13:39

visit a third-party website.

13:41

If you're not stapling the status into the handshake

13:44

message, you could use a third-party server

13:47

to provide the OCSP status information.

13:50

This is easily added to the certificate.

13:52

And it's much more efficient than downloading

13:54

an entire certificate revocation list from your CA.

13:57

If your organization is using very outdated browsers,

14:01

you may find that OCSP is not an option.

14:03

And even some of the newer browsers

14:05

say that they support using OCSP but unfortunately don't

14:09

implement the checks properly to be able to confirm

14:12

the status of a certificate.

14:14

Most modern browsers support OCSP.

14:16

But you might want to check your browser

14:18

and see that it really performs the validation when you connect

14:21

to a website so that you can tell what the status is

14:24

of those certificates.