Digital Certificates Explained

Digital Certificates Explained KB ID 0001846

Problem

From setting up PKI environments, to migrating them, and a myriad of errors and problems in between, we have a lot of content on PNL referring to digital certificates and PKI. I’ve dealt with these technologies a lot over the past 20+ years and I’m always surprised how frightened of digital certificates people are. So in the space of a few minutes I’ll try and give you a basic understanding of what PKI is, how that relates to Digital certificates, then finish off with a few certificate ‘Golden rules‘.

Solution : Digital Certificates Explained

You will see I use the terms PKI environment, and Certificate Services  and interchange those two things a lot, Certificate Services is the name of the Microsoft ‘Role” that provides Certificate Services. If you simply want to setup certificate services, then use the following link.

Microsoft PKI Planning and Deploying Certificate Services

Before you understand certificates, you need to have a basic understanding of Public Keys, and Private Keys, how this key pair is used, and what Asymmetric Cryptography is (bear with me the maths might be mind boggling, but the concept is simple).

Public Key

The public key is shared openly and is used to encrypt messages or data. It is associated with a user (or entity) and can be freely distributed to anyone. Its primary function is to ensure confidentiality by allowing others to encrypt messages that only the owner of the corresponding private key can decrypt.

Private Key

The private key is kept secret and is known only to the owner. It is used for decrypting messages or data that have been encrypted with the corresponding public key. The private key is crucial for ensuring the authenticity and integrity of the data because only the person with the private key can decrypt and access the information.

Digital Certificates Explained: How These Keys are Used for Encryption

Encryption

1. Sender obtains the recipient’s public key and uses the recipient’s public key to encrypt the message.
2. Encrypted message is sent to the recipient.

Decryption

3. The recipient, (who possesses the corresponding private key), can then decrypt the message.

The strength of the security lies in the complexity of the key pair. Asymmetric cryptography is based on mathematical principles, making it computationally infeasible for someone to calculate the private key even if they have the corresponding public key. This makes it a secure method for tasks such as secure communication, digital signatures, and online transactions.

Digital Certificates Explained: Use of Keys and Certificates

Public Key Infrastructure (PKI) is a framework that manages digital keys and certificates. it requires the following:

Key Pair Generation: The process begins with the generation of a key pair (the public and private keys) for a user or entity. As shown above the public key is shared openly, and the private key is kept secret.

Certificate Authority (CA):A Certificate Authority is a trusted third party (public) or you own (private) system for authenticating digital certificates. in a PKI system.
The user’s public key is combined with other information (such as identity details and time stamps,) and then signed by the CA to create a digital certificate.

Digital Certificates: A digital certificate is a data structure that binds a public key to an individual, device, or service. It includes the public key, and information about the entity, the digital signature of the CA, and other metadata. So the digital certificate serves as a way for others to verify the authenticity of the associated public key and ultimately the identity of the entity.

Certificate Lifecycle: Certificates have a defined lifecycle, including issuance, and expiration. Note: They can also be revoked before expiration for example if compromised, or if the associated private key is lost.

Usage in Secure Communication

When parties want to communicate securely, they exchange their digital certificates. So just like the example above, the sender encrypts data with the recipient’s public key, which they get from the certificate that the receiver has published publicly, ensuring only the recipient, with the corresponding private key, can decrypt it.
Note: Digital signatures, created using the sender’s private key, can also be attached to messages to ensure authenticity and integrity. The recipient can verify the signature using the sender’s public key.

Digital Certificates Explained: Golden Rules Of Certificates

You must trust the CA that issued (authorised) the Certificate.

Every certificate has a CA that issued/approved it you NEED TO TRUST that CA, there are several trusted Certification Authorities that are built into your computer, and these are updated regularly with normal updates. this is why if you self-sign a certificate or build your own CA – then you may need to manually get people to trust your CA before they will be trusted. Also Certificate Authorities are hierarchical (they can have parent CAs) these form a CHAIN, and you need to be able to see that chain and trust ALL the CAs in that chain, (all the way back to the Root CA).

 

Above on my (current) site certificate you can see it was issued by a CA called RapidSSL, and that CA was authorised by a Root CA called Digicert Global Root G2. This means my certificate was signed by an intermediate CA (sometimes called and Sub CA).

The Certificate needs to be In Date

Certificates a have a date they were issued and a date when they will expire, If you are not at a point in time between these two dates, then you will not trust the certificate. (Note: this can happen if the internal clock/date on YOUR machine is incorrect).

 

 

Note: A Certificate that is in date can also be revoked. This is done by the CA, which publishes a list of certificates that have been revoked, (that your computer can check.)

The Common Name (CN) and/or Subject Alternative Name (SAN)  needs to be correct.

In times gone by, the certificate CN had to be correct, but more modern browsers will require BOTH Common Name and Subject Alternative Name to be correct. these are fields in the certificate that hold the name of the entity for example mine is www.petenetlive.com (that is the Common Name) This is the address (or FQDN) that is typed into the browser window to get to the site that presents this certificate.

 

Note: That means if you are putting a certificate on ‘something‘ be that a website, or a device, the NAME needs to be both correct, and resolvable by the person (or entity) that you want to trust it, e.g. if the common name was www.petes-site.com and you needed to type in https://www.petenetlive.com to get there, it would not be trusted (even if both names resolved to the correct IP address!)

You need to trust the ‘Algorithm‘ that signed the certificate.

This is a more recent development, I mentioned above that there’s some very complicated maths going on, as time moves on the mathematics needs to get more complicated, as computers get more powerful to maintain security. So older methods of signing have been depreciated, if a certificate is using technology that’s been depreciated it will also not be trusted.

 

Here’s an example of what happens when the signature algorithm is not trusted.

ERR_CERT_WEAK_SIGNATURE_ALGORITHM

Here’s an example of what happens if the CN or SAN values are wrong.

ERR_CERT_COMMON_NAME_INVALID

Related Articles, References, Credits, or External Links

NA

FortiGate Certificate Import Errors

FortiGate Certificate KB ID 0001791

Problem

A colleague messaged me last week because he could not import a certificate on a FortiGate (that had been exported from a Cisco ASA). He was seeing this error;

Incorrect certificate file format for CA/LOCAL/CRL/REMOTE cert.

FortiGate Certificate Problems

A brief Google led me to ask “Is the FortGate licensed or on a Free/Trial license?” As that can produce this error {apparently}. But for us this was not the problem.

This was happening because the ASA (like Windows) exports its certificates in ‘base64‘ encoding and the FortiGate does not like that, so it throws its toys out of the pram. Firstly ENSURE you exported the certificate as a PKCS12 file like so,

Otherwise the certificate will NOT be exported with its private key, and if you import a certificate into a FortiGate without the private key you will get this error;

Certificate file is duplicated for CA/LOCAL./REMOTE/CRL cert.

We now have a copy of our exported ‘base64 encoded’ certificate. (Note: It has no file extension, don’t panic!) If it was extracted from Windows, it might have a .PFX extension. If yours does, simply use the following commands with that file extension.

And put it on a machine that has OpenSSL installed, or if like me you’re a macOS user copy it there, (OpenSSL is installed by default). Firstly we have to decode the extracted certificate;

[box]

openssl base64 -in /Users/petelong/Dropbox/PNL-EXPORTED-CERT -d -out /Users/petelong/Dropbox/PNL-DECODED-CERT

[/box]

Now we have decoded that certificate, we can extract the private key with the following command.

[box]

openssl pkcs12 -in /Users/petelong/Dropbox/PNL-DECODED-CERT -nocerts -out /Users/petelong/Dropbox/PNL-PRIVATE-KEY.pem

[/box]

Then to extract the identity information use the following command.

[box]

openssl pkcs12 -in /Users/petelong/Dropbox/PNL-DECODED-CERT -clcerts -nokeys -out /Users/petelong/Dropbox/PNL-IDENTITY-CERT.pem

[/box]

Import FortiGate Certificate

Now that you have those TWO files you can import them into your FortiGate, like so.

Related Articles, References, Credits, or External Links

NA

Linux (CentOS 7) Generating CSR (Certificate Signing Requests)

KB ID 0001206 

Problem

If you want to use digital certificates on your CentOS server, then you will need to generate a CSR. It does not matter if you want to purchase a publicly signed certificate, or even if you are going to sign your own. Below is how to generate a CSR for a single web host.

Note: Most cert vendors now require a minimum key length of 2048 so thats what I’m going to use. And I’m assuming you have openSSL installed (type ‘openssl version‘ to find out). 

Solution

Execute the following command

[box]

[root@WebHost ~]# openssl req -newkey rsa:2048 -nodes -keyout www.YourSite.com.key -out www.YourSite.com.csr

[/box]

The CSR Generation process will begin and you will have to answer some questions;

[box]

Generating a 2048 bit RSA private key
.........................................+++
........................+++
writing new private key to 'www.YourSite.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:Teesside
Locality Name (eg, city) [Default City]:Middlesbrough
Organization Name (eg, company) [Default Company Ltd]:YourSite
Organizational Unit Name (eg, section) []:YourSite
Common Name (eg, your name or your server's hostname) []:www.YourSite.com
Email Address []:administrator@YourSite.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password123
An optional company name []:YourSite

[/box]

This will actually create the CSR, now you need to get the text from the CSR, and sent it to your certificate vendor ,or sign it with your own CA.

[box]

[root@WebHost ~]# cat www.YourSite.com.csr
-----BEGIN CERTIFICATE REQUEST-----
NIIDKTCCAhECAQAwga4xCzAJBgNVBAYTAkdCMREwDwYDVQQIDAhUZWVzc2lkZTEW
MBQGA1UEBwwNTWlkZGxlc2Jyb3VnaDEUMBIGA1UECgwLUGV0ZU5ldExpdmUxFDAS
BgNVBAsMC1BldGVOZXRMaXZlMRwwGgYDVQQDDBN3d3cucGV0ZW5ldGxpdmUuY29t
MSowKAYJKoZIhvcNAQkBFhtpbmZvcm1hdGlvbkBwZXRlbmV0bGl2ZS5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCudW2OhXUnEIpiN2oQnREoZVAn
Cvvb07+7gZb5NgxSSc8pYab3ic6mmEabM3c/m9mLtO3m4ZSTJrU9QC91Vn6PF90K
iqApOfizUnNFEOSJptpcoLxlUWUJF8PZUn9fYZyNhp30QQ3B5ajxc4ML0BB+4Wp2
1sjJzfAvtSsFmUSCEXlJTrWnYkGpZz4dYYRlQgTniY4++M/AG9gL99XuSKcSD5K0
4qr07J9a6AYA0tXJq+yN3EzcLSBkIVDuNv84e+CyXc8RV+BkaRTr/gYGwQU4C+IG
87Lw8GC6P1adUi2mR4GMMbZLPYa14Psao4ZA/Ihk9EFS2xqXQH2AZ2nUGPM7AgMB
AAGgNTAXBgkqhkiG9w0BCQcxCgwIcGFzc3dvcmQwGgYJKoZIhvcNAQkCMQ0MC1Bl
dGVOZXRMaXZlMA0GCSqGSIb3DQEBCwUAA4IBAQAPUo4AVBajrflZQRI8MrRyndpD
s6MqZQwYlrceZVZrut+htS14ZC/GbaPC7gOvxYyS52RSW4UiG3egi6H7NnhqHjR+
Dz859bLKIut3YeCo3sK5+aCxvcGEjA1uduqKg5WFwPj5BvnsIYezq3O5Q4FvfQAy
FElb9snk0sJ6GFYifjeza8+w6CIabUpyl0kyDoAbnjnnyhR0s5/h4L7X3zqaQ0J+
OZVRyj54nLXoFDw1n8pGRb31khlEwDzXvVe9+wreCZ6lLqhDki94Uq5LenqofUlw
MPucqVIA9lgvQ8vjyTWVQYYffMRlAx7g/SdVTIhFBqq7rsh9/XHn7qfXlc4c
-----END CERTIFICATE REQUEST-----
[root@WebHost ~]#

[/box]

Related Articles, References, Credits, or External Links

NA

Active Directory Federation Services – Certificate Error ‘CNG Key’

KB ID 0001129

Problem

When installing the Active Directory Federation Services Role, you need to supply a certificate. I was running this up using a self signed wildcard certificate when this happened;

The certificate with the specified thumbprint {thumbprint} has a Cryptographic Next Generation (CNG) private key. The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.

Solution

I was generating a wildcard certificate using this method. By default it uses the CNG Key, you need to specify  Legacy Key instead, (I’ve updated the post mentioned above to point out where that’s done).

Related Articles, References, Credits, or External Links

NA