CompTIA Security+ SY0-601 – 3.9 Implement public key infrastructure. Part 2

  1. Fields on a certificate

In this video I’m going to be talking about the fields on a certificate and which fields you need to know for your exam. In the last video we saw how to create a certificate request; we actually requested one for a web server. So let’s say you got the certificate back, installed it on the web server, and you’re ready to go. Now you want to take a look at the fields on that certificate. So what are the fields on these certificates that we need to know for the exam? Before we do that we have to get a certificate up on the screen. So let’s open up Google and we’re going to Google Google. That’s what we’re going to do, we’re going to Google Google, and I’m going to take a look at the Google certificate. That’s what I want to examine. So I’m going to click on this little lock, click on Certificate, and here is the Google certificate.

Now let’s go through the fields here. You’ll notice there are three main fields right on the front: Issued to, Issued by, and Valid from/to. This one is issued to Google by Google. Basically Google is so big that they run their own certificate authority, so they can issue their own certificates. If you look at Amazon, Amazon is not going to have this; Amazon is not a certificate authority. I know this is Google because if you check the certification path (we’ll come back to what these paths are in another video) you can see Google’s own root CA at the top of the chain. So here we have a certificate issued to Google by one of Google’s intermediate certificate authorities, and then it’s valid from and to. You guys see that, right? So notice the dates here, 11/3 to 1/26/21.

That’s only about three months or so of validity on their certificates. Let’s take a look at another one. Also, I want you guys to notice that asterisk there; that’s called a wildcard certificate. We’ll come back to that later. So if I go and take a look at the Amazon one, this one wasn’t issued to itself. You’ll notice this one is issued to Amazon by DigiCert, which is the issuing CA here, and it has its own Valid from and Valid to. This one is valid for about a year, so they can keep this certificate for that long. Now remember, all these certs basically have three things on the front: Issued to, Issued by, and Valid from/to. The Issued to field is known as the CN, or common name. This is the fully qualified domain name (FQDN) that the certificate is associated with.

This certificate can really only be associated with www.amazon.com. Google has a wildcard certificate, which means they can use it for almost anything under google.com: mail.google.com, login, VPN, whatever subdomain of google.com they want, because the wildcard covers it. So if your browser comes to a website where the common name doesn’t match the domain, it gives you an error. If your browser comes to a website where the CA that issued the certificate is not trusted, it gives you an error. If your browser comes to a website whose certificate has expired, it gives you an error. (One caveat for the real world: modern browsers actually match the hostname against the Subject Alternative Name field, which we’ll see in a minute, and ignore the CN; a certificate with only a matching CN and no SAN gets the same name mismatch error.) Let me show you what those errors look like. If I go to a website called badssl.com, that’s a site that hosts bad certificates on purpose,

so you can show users what each error looks like. If you come to a website where the common name doesn’t match, you get an error that says the common name is invalid. So if I take a look at this certificate (let’s say you click Advanced and proceed anyway), you can see the certificate they’re using here is for *.badssl.com, but the host is wrong.host.badssl.com. I do want to point out that the asterisk only applies to one label. It can match something.badssl.com, but it can’t match something.something.badssl.com, and that’s why you’re getting the error. Oops, I actually closed that; let me open it back up. If you go to a domain name with an expired certificate, you’re going to see that the certificate dates are invalid.

If you go to a site with a certificate from an untrusted root CA, you’re going to get basically the same thing: the certificate authority is invalid. So those are the three things your browser checks: the name matches, the issuing CA is trusted, and the certificate is within its validity dates. If your browser has any problem with one of them, it prompts you so users know the certificate is bad. Now let’s look at the other fields on the certificate; we’re going to go to Details. All certificates come with a version number, which these days is almost always version 3. Here is the serial number. This is a unique number the CA assigns to this certificate, and it uniquely identifies this certificate among everything that CA has issued. We talked about digital signatures. Remember, the CA has signed this certificate. The signature algorithm here is SHA-256 with RSA.
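The three checks described above (name match with the single-label wildcard rule, a trusted issuer, and the validity dates) as an added example in Python. This is not code from the course; the certificates are constructed dictionaries standing in for the parsed fields, not real certificates, and the issuer names are placeholders. The trust check is simplified to a lookup in a trusted-issuer set, where a real browser builds the chain to a root and verifies every signature in it.

```python
from datetime import datetime, timezone

# Constructed sample "certificates": just the parsed fields a browser checks.
# These are not real certificates; the issuer names are placeholders.
TRUSTED_ISSUERS = {"Example Trusted CA"}

WILDCARD_CERT = {                      # models the *.badssl.com certificate
    "common_name": "*.badssl.com",
    "san": ["*.badssl.com", "badssl.com"],
    "issuer": "Example Trusted CA",
    "not_before": datetime(2020, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2022, 1, 1, tzinfo=timezone.utc),
}
EXPIRED_CERT = {
    "common_name": "expired.example.com",
    "san": [],                         # legacy cert: CN only, no SAN
    "issuer": "Example Trusted CA",
    "not_before": datetime(2015, 4, 9, tzinfo=timezone.utc),
    "not_after": datetime(2015, 4, 12, tzinfo=timezone.utc),
}
SELF_SIGNED_CERT = {
    "common_name": "self-signed.example.com",
    "san": ["self-signed.example.com"],
    "issuer": "self-signed.example.com",   # issuer == subject, in no trust store
    "not_before": datetime(2020, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2022, 1, 1, tzinfo=timezone.utc),
}
NOW = datetime(2021, 1, 15, tzinfo=timezone.utc)   # fixed "current time" for the demo


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS name matching.

    Case-insensitive, and a wildcard is only allowed as the whole left-most
    label, where it matches exactly one label: *.badssl.com matches
    www.badssl.com but not badssl.com or wrong.host.badssl.com.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse wildcards that would cover a whole TLD such as "*.com":
        # require at least two labels after the asterisk.
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def names_to_match(cert: dict) -> list:
    """Browsers match against SAN dNSNames and ignore the CN when a SAN is
    present; the CN fallback here models legacy behaviour for SAN-less certs."""
    return cert["san"] if cert["san"] else [cert["common_name"]]


def check_certificate(cert: dict, hostname: str, now: datetime) -> list:
    """Return the browser-style error names for this cert; empty list means OK.

    The issuer check is a deliberate simplification: a real client builds the
    chain to a trust anchor and verifies every signature in it.
    """
    errors = []
    if not any(hostname_matches(n, hostname) for n in names_to_match(cert)):
        errors.append("common name invalid")
    if cert["issuer"] not in TRUSTED_ISSUERS:
        errors.append("authority invalid")
    if not (cert["not_before"] <= now <= cert["not_after"]):
        errors.append("date invalid")
    return errors


if __name__ == "__main__":
    for cert, host in [(WILDCARD_CERT, "wrong.host.badssl.com"),
                       (WILDCARD_CERT, "badssl.com"),
                       (EXPIRED_CERT, "expired.example.com"),
                       (SELF_SIGNED_CERT, "self-signed.example.com")]:
        print(f"{host:28} -> {check_certificate(cert, host, NOW) or 'OK'}")
```

Running it reproduces the three badssl.com cases from the video: the wildcard certificate is rejected for wrong.host.badssl.com but accepted for badssl.com (because badssl.com is listed explicitly in the SAN, not because of the wildcard), the expired certificate fails only on dates, and the self-signed one fails only on the issuer.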

If you remember from digital signatures, that’s a hash algorithm paired with an asymmetric algorithm. You have your signature hash algorithm, the issuer (Google’s intermediate CA), then Valid from and Valid to, the expiration dates. Now the subject. The subject is Google; this is a wildcard certificate, but it’s telling me Google in Mountain View, California. Here is Google’s public key, and you can see this is an ECC (elliptic curve) key. The other field I want to mention is called Subject Alternative Name. These are additional names that this certificate can be used for, and you’ll notice Google has quite a lot of them, so this one certificate can be used for a variety of different DNS names. If I take a look at the Amazon one, it all looks the same, because they follow a standard format.

Here you have your version, your serial number, your signature algorithm. The differences are the expiration dates, who it’s issued to (Amazon), and the key: here they have an RSA key, whereas Google had that ECC, elliptic curve, key. It’s good for you to see both so you know how these asymmetric algorithms show up in practice. Amazon also has Subject Alternative Names, and they use this certificate for a variety of different names as well. Okay, so those are the key points I need you guys to know when it comes to the fields on a certificate. All certificates basically follow the same format and will have these same fields.

  2. Certificate formats

In this video I’m going to go over certificate formats fairly quickly. This is a topic you don’t need to get deep into, because in practice the format is largely dictated by the software you’re working with, but you need to understand what these formats are and, basically, what they store. All certificates follow a standard format: X.509 is the standard that defines the certificate structure, and the different file formats are different ways of encoding and packaging that structure. So let’s go through this relatively quickly. Again, you’re not going to get tested heavily on this, but it’s something you should understand. First up is DER, Distinguished Encoding Rules. This is the standard binary encoding for X.509 certificates, and it’s the encoding the CA’s signature is actually computed over.

DER files are binary and are generally stored with a .der, .crt or .cer extension. One caveat: .crt and .cer are also commonly used for PEM files, so the extension alone doesn’t tell you which encoding you have; if the file starts with -----BEGIN, it’s PEM. That brings us to PEM, which stands for Privacy Enhanced Mail. Despite the name it’s not just used for email; it’s used for a lot of different things, including the certificates on our SSL/TLS web servers. PEM is not binary, because you can’t read binary when you open it; instead it’s the DER bytes Base64-encoded into ASCII text between a BEGIN line and an END line. It looks something like this. So where’s my web server? Remember that earlier in the course we exported a certificate signing request; it would look something like this: not very readable, but a lot better than binary.

ASCII is basically using our letters and numbers to represent the data. It’s still not readable to us, but hey, it’s something. The next one is P12, or PKCS #12. The P12 format is binary, and this type of file is used to hold a certificate together with its private key, usually password-protected. The other one is PFX, Personal Information Exchange, the predecessor of PKCS #12, which also holds private keys; in practice .pfx and .p12 files are handled interchangeably today. If you ever need to transport a private key along with its certificate, you would use one of these. Then P7B (PKCS #7) is typically an ASCII Base64 format used to share certificates and certificate chains; it never contains a private key. Okay, so make a note of these things. You may see them pop up on your exam, probably not, but just be familiar with what the certificate formats are.
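To make the DER/PEM relationship concrete, here is an added Python example (not code from the course) that encodes a tiny DER structure, wraps it in PEM armour, and parses it back. The structure is a constructed toy holding only the version and serial number fields discussed in the previous video; a real X.509 TBSCertificate has many more fields and this is not a real certificate. The parser is strict about DER’s minimal-length rule, which is the property that makes DER unambiguous and therefore safe to sign.

```python
import base64

# --- DER (binary) encoding -------------------------------------------------

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value. DER mandates the shortest length form,
    which is what makes the encoding unique (and therefore signable)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])                                # short form
    else:
        n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(n_bytes)]) + n_bytes    # long form
    return bytes([tag]) + length + content


def der_integer(value: int) -> bytes:
    """DER INTEGER: minimal two's-complement, so a positive value whose top bit
    is set gets a leading 0x00 (this is why serial numbers often display as
    starting with 00 in certificate viewers)."""
    size = max(1, (value.bit_length() + 8) // 8)
    return der_tlv(0x02, value.to_bytes(size, "big", signed=True))


def der_sequence(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))


def parse_der(data: bytes) -> list:
    """Walk one level of DER TLVs, rejecting BER-only forms that a strict DER
    parser must refuse (indefinite or non-minimal lengths)."""
    out, i = [], 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        i += 2
        if first & 0x80:
            n = first & 0x7F
            if n == 0 or n > 4:
                raise ValueError("indefinite or oversized length is not DER")
            length_bytes = data[i:i + n]
            i += n
            length = int.from_bytes(length_bytes, "big")
            if length_bytes[0] == 0 or length < 0x80:
                raise ValueError("non-minimal length is BER, not DER")
        else:
            length = first
        content = data[i:i + length]
        if len(content) != length:
            raise ValueError("truncated TLV")
        out.append((tag, content))
        i += length
    return out


def is_strict_der(data: bytes) -> bool:
    try:
        parse_der(data)
        return True
    except (ValueError, IndexError):
        return False


# --- PEM (ASCII armour around the same DER bytes) --------------------------

def to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def from_pem(pem: str, label: str = "CERTIFICATE") -> bytes:
    begin, end = f"-----BEGIN {label}-----", f"-----END {label}-----"
    start = pem.index(begin) + len(begin)
    stop = pem.index(end, start)
    return base64.b64decode("".join(pem[start:stop].split()), validate=True)


# --- Constructed demo structure (NOT a real certificate) -------------------
# A real TBSCertificate carries version, serial, signature algorithm, issuer,
# validity, subject, public key and extensions; this toy keeps only the first
# two so the parser stays short.

def build_demo_tbs(serial: int) -> bytes:
    version = der_tlv(0xA0, der_integer(2))        # [0] EXPLICIT Version, 2 == v3
    return der_sequence(version, der_integer(serial))


def read_version_and_serial(der: bytes) -> tuple:
    (tag, body), = parse_der(der)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    (vtag, vbody), (stag, sbody) = parse_der(body)[:2]
    if vtag != 0xA0 or stag != 0x02:
        raise ValueError("unexpected field tags")
    version = int.from_bytes(parse_der(vbody)[0][1], "big", signed=True) + 1
    serial = int.from_bytes(sbody, "big", signed=True)
    return version, serial


DEMO_SERIAL = 0xE4A1B2C3D4E5F607    # constructed; top bit set to show the 00 pad

if __name__ == "__main__":
    der = build_demo_tbs(DEMO_SERIAL)
    print("DER bytes :", der.hex())
    print(to_pem(der), end="")
    print("Parsed    :", read_version_and_serial(from_pem(to_pem(der))))
```

The same bytes round-trip through both formats: the PEM file is nothing more than the DER bytes in Base64 with header and footer lines, which is why tools can convert between them losslessly and why the version field reads as 2 on the wire but displays as V3.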

  3. Certificate types

In this video I’m going to be talking about two certificate concepts called certificate stapling and certificate pinning, and then we’ll also talk about the variety of different types of certificates that we have out there. Let’s get started. So the first concept I want to mention is certificate stapling. Certificate stapling is basically about helping OCSP. You remember from the previous video that OCSP, the Online Certificate Status Protocol, is what the client uses to check that a certificate is still valid and hasn’t been revoked. So one way of helping that process, and making it a lot quicker, is what’s called stapling. Let me draw you guys a quick diagram here and show you what I mean. Let’s say you have an actual user, and the user wants to go to Amazon. Amazon has a certificate, but you also have the OCSP responder. So normally, when Amazon wants to send you a certificate, Amazon sends it to you.

You then ask the OCSP responder about it. The OCSP responder validates it and says, hey, that certificate from Amazon is good, and sends that answer back to you so you can use it. This process can be cumbersome and take a long time (and it also tells the CA which sites you’re visiting). So what Amazon can do instead is go and get the answer itself. Amazon goes to the OCSP responder and says, hey, I’m Amazon, can you validate my certificate? The OCSP responder validates the certificate and returns a digitally signed response saying it’s good. Amazon staples that signed response onto the certificate it sends you in the TLS handshake. So now you’ve received the certificate with the status information already attached, and since it’s digitally signed by the CA’s OCSP responder, you know it’s genuine and actually came from the responder. The stapled response is only good for a limited time, so the server has to fetch a fresh one periodically. That’s certificate stapling. The other term is certificate pinning.

Certificate pinning is when your browser or application is told ahead of time which certificate, or more commonly which public key, it should expect from a site, usually as a hash. If the server presents anything else, even a certificate that chains up to a trusted CA, the client rejects it. That protects you against a mis-issued or fraudulently issued certificate from any other CA. The downside is that when the site legitimately changes its key, anyone pinning the old one is locked out, which is why pins normally include a backup key and why browsers dropped the HTTP Public Key Pinning header; pinning today lives mostly in mobile apps. So that is certificate pinning. The next part of this video is about the different types of certificates that are out there. One type we already spoke about is a self-signed certificate. Another type I want to mention is a wildcard certificate. The certificate on Amazon is not a wildcard certificate; it doesn’t have the asterisk.
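The pinning check described above, as an added Python example that is not part of the course material. It uses the sha256/Base64 pin format that HPKP and Android/OkHttp network security configurations use for the hash of a certificate’s SubjectPublicKeyInfo. The SPKI byte strings here are constructed placeholders, not real public keys; the hashing and comparison logic is the same regardless of the bytes.

```python
import base64
import hashlib

# Constructed stand-ins for the DER-encoded SubjectPublicKeyInfo of each key.
# Real SPKI blobs are the public-key field shown in the certificate details;
# any bytes work for demonstrating the hashing and comparison.
CURRENT_SPKI = b"constructed-spki:current-server-key"
BACKUP_SPKI = b"constructed-spki:offline-backup-key"
INTERMEDIATE_SPKI = b"constructed-spki:issuing-ca-key"
OTHER_CA_SPKI = b"constructed-spki:some-other-trusted-ca-key"
ATTACKER_SPKI = b"constructed-spki:key-in-a-misissued-cert"


def spki_pin(spki_der: bytes) -> str:
    """Pin string in the 'sha256/<base64>' form used by HPKP and by
    Android/OkHttp network security configs. Hash the public key, not the
    whole certificate, so the site can renew the cert and keep the same key
    without breaking the pin."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def pin_check(chain_spkis: list, pinned: set) -> bool:
    """A connection passes if any key anywhere in the presented chain matches
    any configured pin. Pinning the intermediate CA's key instead of only the
    leaf survives routine leaf renewals by the same CA."""
    return any(spki_pin(spki) in pinned for spki in chain_spkis)


def build_pin_set(*spkis: bytes) -> set:
    """Operational rule: always ship at least one backup pin for a key that is
    kept offline, so a key compromise or loss does not lock users out."""
    if len(spkis) < 2:
        raise ValueError("pin set needs a backup pin")
    return {spki_pin(s) for s in spkis}


PINS = build_pin_set(CURRENT_SPKI, BACKUP_SPKI)

if __name__ == "__main__":
    print("pins:", sorted(PINS))
    # Legitimate chain: leaf signed by the site's usual intermediate.
    print("current key :", pin_check([CURRENT_SPKI, INTERMEDIATE_SPKI], PINS))
    # Rotation to the backup key: still passes, no client update needed.
    print("rotated key :", pin_check([BACKUP_SPKI, INTERMEDIATE_SPKI], PINS))
    # Mis-issued cert from another trusted CA: the chain would validate
    # against the trust store, but no pinned key is present, so it fails.
    print("attacker key:", pin_check([ATTACKER_SPKI, OTHER_CA_SPKI], PINS))
```

The last case is the whole point of pinning: the attacker’s chain passes ordinary CA validation, yet the client rejects it because none of the keys in the chain match a pin. The backup-pin rule is what keeps a legitimate key rotation from turning into the same outage.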

It can really only be used for www.amazon.com. But when we go to Google and look at their certificate, that’s a wildcard certificate, so they could use it for mail.google.com and so on; anything one level under google.com is covered. Another place we use certificates is code signing. Code signing is when programmers write an application and then use a certificate to sign the code. That way, if the code is changed or tampered with, the signature no longer verifies and the change is detected. You can also issue certificates to machines and computers, which allows computer-based authentication. Email can use certificates (S/MIME) to encrypt messages and apply digital signatures. Users can use user certificates to log in.

If you remember EAP authentication, we use certificates in that type of authentication (EAP-TLS) to log in to wireless networks, and you can use it to log in to wired networks as well. Now, when it comes to validation, the exam focuses on two levels. There’s domain validation (DV), which is generally very quick, and there’s Extended Validation (EV), where they do an extensive background check to verify who you are, so it takes a lot longer. (There’s also organization validation, OV, in between the two, where the CA checks that the organization exists but less thoroughly than EV.) I’ll show you guys what I mean. Generally, when you go to get a certificate, you have to do some verification. So if we go to DigiCert (I was on DigiCert’s site earlier), here we are, and we want to get a certificate. If I go to Certificates here, you’ll notice I have business certificates, and then I have Secure Site SSL,

and then I have what is known as the Secure Site EV certificate. So you’ll notice extended validation SSL and standard SSL. So what exactly is an EV certificate? A standard (DV) certificate may only verify the domain: the CA checks the domain registration information to verify that the person requesting the certificate is the one who controls the domain. But when you go and get an EV certificate (and notice there’s a bunch of these, Secure Site EV Pro and variations of them, here’s another one), these certificates are going to be much more expensive, because there is a manual verification step to confirm the legal, physical and operational existence of the entity,

that the entity has properly authorized the issuance of the certificate, and that the entity has the right to use the domain name. Those are just some of the things it’s checking. So it’s not just verifying that bob.com is asking for a certificate and that the requester really controls bob.com; it’s a much fuller validation of the organization behind the domain. You can actually see this on a live site. If I go to PayPal and click on the certificate, notice it says DigiCert Extended Validation here, so PayPal went through a lot more to get this certificate. One caveat: browsers used to show the verified company name next to the lock for EV sites, but the major browsers removed that indicator in 2019, so today you only see the difference if you open the certificate details. Okay, so those were the different types of certificates. Once again, we covered a lot in this video, so make sure to review it.
