Brogramo

Explain the role and value of the services provided by a certificate authority (CA)

Introduction

A Certificate Authority (CA) is an organization entrusted to validate the identity of websites, email addresses, or companies online. A certificate authority issues digital certificates and authenticates the entity named on the certificate in a process called the chain of trust.

A certificate authority is either a root CA or an intermediary CA. This post discusses the roles of both CAs in the chain of trust and then walks you through generating a self-signed certificate.

Chain of trust

An SSL certificate is issued when an entity submits a Certificate Signing Request (CSR) to an intermediary CA.

The intermediary CA takes the information in the CSR and generates an SSL certificate for the requesting entity. That SSL certificate is in turn authenticated by a root certificate stored in the machine’s key store. The process of using a root CA to authenticate a certificate issued by an intermediate CA is called the chain of trust.

Figure 1: Chain of trust

Figure 1 shows that ISRG Root X1 is the root certificate, R3 is the intermediary certificate, and brogramo.com is the SSL certificate.

Root CA

Root certificates are kept secure by being preinstalled on machines because they are self-signed and self-authenticating. Browsers access root certificates through a machine’s key store.

From support.apple.com: “The macOS Trust Store contains trusted root certificates that are preinstalled with macOS.”

An intermediate CA’s own certificate is signed by the root CA’s private key. If the root CA’s private key is compromised, every intermediary CA certificate signed with that key is also compromised.

Intermediate CA

A certificate issued by an intermediate CA inherits the trustworthiness of the signing root CA.

The intermediate CA authenticates a named entity, and a root CA authenticates the intermediate CA. Root CAs are self-authenticating and are subject to higher security standards.

How a browser validates a certificate

Assume that company ABC wants to secure its communication over the internet by installing an SSL certificate purchased or obtained for free from an intermediate CA, such as R3 (Let’s Encrypt’s intermediate CA).

ABC will make a CSR to R3, and R3 will use the information in the CSR to generate an SSL certificate for ABC, hash it, and sign the hash with R3’s private key. The SSL certificate generated by R3 will contain ABC’s public key.

R3 will also provide its own intermediate certificate, issued by the root CA: it contains R3’s public key and is digitally signed by the root CA using the root CA’s private key.

ABC will then install both certificates on its servers, and when a user visits ABC’s website, both certificates will be sent to the browser from ABC’s server.

The browser will then check which root CA signed the intermediate certificate and use that root CA’s public key, taken from its own key store, to verify the signature on the intermediate certificate.

Once that signature verifies, the browser knows that R3 is the intermediate CA that issued the SSL certificate, and since the intermediate certificate contains R3’s public key, the browser uses R3’s public key to verify the signature on the SSL certificate.

When that signature verifies too, the browser knows that the SSL certificate was issued to ABC; it takes ABC’s public key from the SSL certificate, generates a symmetric key, and encrypts the symmetric key with ABC’s public key.

The browser will then send the encrypted symmetric key to ABC’s server, and the server will use its private key to decrypt the symmetric key the browser sent. Both the browser and ABC’s server will use the symmetric key to communicate for the duration of their session.

Reference https://www.youtube.com/watch?v=heacxYUnFHA for a graphical view of this process by Dave Crabbe.

Private key

For demonstration purposes, ABC’s private key is a PEM-encoded block delimited by a -----BEGIN PRIVATE KEY----- line and an -----END PRIVATE KEY----- line; the base64 key material between them is omitted here.

Why would you want to use a CA for security?

Using a CA for security is a common practice in securing communications. The chain of trust described above outlines the security benefits of using a CA-signed certificate. Without CAs, online security would be degraded and the chain of trust would not exist.

What are the advantages of using a CA?

Self-signed and CA-signed certificates have different benefits. CA-signed certificates are third-party verified, suitable for use by anyone, and some are free to obtain.

Self-signed certificates are free to generate but carry their own maintenance costs and are only trusted by the organization that generated them.

One major benefit of using a CA-signed certificate is preventing man-in-the-middle attacks.

Assume that someone intercepts a request to example.com and replies with their own certificate; the browser would still recognise that the certificate is invalid.

If the attacker’s certificate names the attacker as its issuer, the browser knows that issuer is not a trusted intermediary CA, and if the certificate claims that R3 issued it, the signature will not verify under R3’s public key, so the browser will issue a security warning.

Other benefits of using a CA include public trust, third-party verification, and data protection.

How to Generate a self-signed certificate using Java keytool on Mac

First, download Java on your machine.

Open the terminal and cd to the bin directory containing the keytool binary:

cd /Library/Java/JavaVirtualMachines/YOUR_JAVA_VERSION/Contents/Home/bin/

Create a certificate

sudo keytool -genkey -keyalg RSA -alias selfsigned -keypass myPassword123 -keystore keystore.jks -storepass myPassword123 -validity 36 -keysize 2048

Replace ‘myPassword123’ with your own password and remember your entry. The -validity value is in days and -keysize is the RSA key length in bits.

Enter your Mac password when prompted and then answer the questions about your organization.

Export the certificate

sudo keytool -export -alias selfsigned -storepass myPassword123 -file server.cer -keystore keystore.jks

Print the certificate to the console

keytool -printcert -file server.cer

Show the certificate in the file system

ls

ls will list all the files in the current directory, including keystore.jks and server.cer.