A Certificate Authority (CA) is an organization entrusted to validate the identity of websites, email addresses, or companies online. A certificate authority issues digital certificates and authenticates the entity named on the certificate in a process called the chain of trust.
A certificate authority is either a root CA or an intermediary CA. This post discusses the roles of both kinds of CA in the chain of trust and then walks you through generating a self-signed certificate.
Chain of trust
An SSL certificate is issued when an entity submits a Certificate Signing Request (CSR) to an intermediary CA.
The intermediary CA takes the information in the CSR and generates an SSL certificate for the requesting entity. The SSL certificate is then authenticated by a root certificate that is stored in a machine’s key store. The process of using a root CA to authenticate a certificate issued by an intermediate CA is called the chain of trust.
Figure 1: Chain of trust
Figure 1 shows that ISRG Root X1 is the root certificate, R3 is the intermediary certificate, and brogramo.com is the SSL certificate.
Root certificates are kept secure by being preinstalled on machines because they are self-signed and self-authenticating. Browsers access root certificates through a machine’s key store.
From support.apple.com: “The macOS Trust Store contains trusted root certificates that are preinstalled with macOS.”
Intermediate CAs issue certificates that are signed by the root CA’s private key. If the root CA’s private key is compromised, all the intermediary CA certificates that are signed by the root CA’s private key will also be compromised.
A certificate issued by an intermediate CA inherits the trustworthiness of the signing root CA.
The intermediate CA authenticates a named entity, and a root CA authenticates the intermediate CA. Root CAs are self-authenticating and are subject to higher security standards.
How a browser validates a certificate
Assume that company ABC wants to secure its communication over the internet by installing an SSL certificate purchased, or obtained for free, from an intermediate CA such as R3 (Let’s Encrypt).
ABC will make a CSR to R3, and R3 will use the information in the CSR to generate a hashed SSL certificate for ABC and sign it with its private key. The SSL certificate generated by R3 will contain ABC’s public key.
R3 will also generate a hashed root certificate on behalf of the root CA, which will contain R3’s public key and be digitally signed by the root CA using its private key.
ABC will then install both certificates on its servers, and when a user visits ABC’s website, both certificates will get sent to the browser from ABC’s server.
The browser then checks which root CA signed the root certificate and uses that root CA’s public key from its key store to decrypt the root certificate.
When the browser decrypts the root certificate, it discovers that R3 is the intermediate CA that issued the SSL certificate, and since the root certificate contains R3’s public key, the browser uses R3’s public key to decrypt the SSL certificate.
When the browser decrypts the SSL certificate issued by R3, it discovers that the SSL certificate was issued to ABC. It takes ABC’s public key from the SSL certificate, generates a symmetric key, and encrypts that symmetric key with ABC’s public key.
The browser then sends the encrypted symmetric key to ABC’s server, and the server uses its private key to decrypt it. Both the browser and ABC’s server use the symmetric key to communicate for the duration of their session.
See https://www.youtube.com/watch?v=heacxYUnFHA for a graphical walkthrough of this process by Dave Crabbe.
For demonstration purposes, this is how ABC’s private key will look.
-----BEGIN PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDloQhFMyoouItx
040qD/iil1kP34adv3PPPAGcRbD5UsS1hfsv/vA3kXwfdSPK/ONMGg9h8DPSHOwh
jvRvvJ7c29Y+jooC49OxVW6F8tJEKtSZqPzkbKNdBjG4hXy4pd+Nzcvj6YEoqa/B
ZA7pyJVr1VNlC2WY99tsHyHcnihcR7yidQQ5qkL5uDUOaHLv4g9KUiwz4YvRTWFI
r3hRVcQZu9+8vFzvyMKs24yrACoVLyY9qc3lb3HKsS1yezypfylWgb7rBarDt7lg
03cDy+RqoUiuB+m9x9pKAQrVKWSOce3d7+gFxMjNVv9JPXsGPNFH7/T0H/nExuqQ
5an70cEPWsI2rp9ob9h+MCtXF/czWjQqSGMLkOnicLquttPiLBD8IBXqo5s7MgMJ
Oyg0vzZB/xoDRk1TEejTcAe8/iTXUaRil0LrbdIvZb8VfOWLv8QGUL9gAnI048uN
ckkAHjFH0m/lQR6e9HH9GYAUAwog9XbVlbOEhj6usBNX0/kOxq/br5k8LSrzcHrH
wtmGR9JpOOoEQAOT+L3LTMsWeLYWL2Z8N+R9szB7cQKSGZx9SCwdQ41QgAkiXnY7
FBh+ACA/xEDXPTpFtuEh1CWpPAk6LmZOkZ3QH8fM7IkRviAl8P+HODZ0wY+Xuzct
XArJMvMkjm6dhwf718qLcSmeieR4zQIDAQABAoICAHC3rUGarfUzMW/8cmzVTi0x
scwy4veIRSbSw8+b/hVE5b5dOEIFGJGOXqlqbNl1bXWrzSU8LZPUEq0eaSp4Ilsz
pmUqvuBQSVfhIdGqskA37ghHhWvzT/WX1sxG6kQRWD1Zad5Eftwg/18k6JUlmwNF
whv1jjeaYyEd3xdWo2U46YWtfxd3Vk0SeSjLaLAL/Ylz8LK+4k0peLmfOKZkPVCM
gnU42T3zBGypkNFX0VB4xoK6WZFoNSlT84UgrVReUUJfigH/1CUiiGLZKrC4YzVc
WjrjM3+vHJ37CQA9w1iQ4DxzSSebwx3YuJORFFSpgemYBlvXXlmTcw0RT3GHMwaS
Z05g/eWJdE89jL3J/DyICFrDvCfU0k2nDC32h8nMWXOMXLqchAonoKsOcjaeCn+f
WH3YO2SUxd8+9ZqTb4yqUw8SYF7w8N7IKsGyyJqNBnnklm8dyBh3V+phfrZ8nxmE
UV81Bb/1m8pRUVp+ATX+oWQXU/J0ClYA3Cv4rfjR/4PLADLGROdd7JhReXBnDObO
q25+b6NRZaQrx2HbWi5ABprla4MChGIQL9x07pgGq1oCqY767miWTFJ6aMggvB15
n5/Sw6btPSwfJ2L9+3q8WcQcyAk98rByTGmg1tdom1x0ADQW5a0Vn+6L3H/8VCOC
+brrwzsx0QIgiEKYtycZAoIBAQD3i6OtWwJ/n+opyxx2tVa7UXqCUh0JGBugC8OI
xAj/4ekdSD0lA2Y8HTjPRJs5Pbhiw1m6Mk9D8NItHeHxEODq+SOKzjS0h+5pBI+5
Fx7cXaUhHu/vE92SHvltKj0dtqblahbIJGyvyFEMT+xOrPXUQ2kwWdJv5bXYhBi
3Byq+Is4tnAjDPAuQme9i+HJxCbbmzS7xVF1O1rj6FoQhTsrI2iIbTuVc+uqdw3H
oUFob7pbTW1XWFLzjzEu/V+5tduiErjTEy6qss4zQunbzpdWqzBhn51qmuJGjDW0
J4kvkHtV5fqM/TVq2Zgj2dxOwHSk1Bm/YurrJ15nA6qFgI4PAoIBAQDteL6UPoFZ
lR772x4SYlNAlFQZmVi17Oif74LtlySYRYw1ZXzIh/V2aI3aqpkXcfF55YabbBj8
mPEZv9ezWH5eI/Qv1yPs13lNwgD8ZjdeGZB6cVBy00Ibn7wGMlVSdYsfwInIZeBZ
LQrOi+YBueBxPz1wcbG2LgDrL1KjuYKOn3mBmNsLSBiYPldo75lhKKXvWJry6w5J
cTzpdEkgJCyQ1hzF3x57MmkxJbNcKK5Hs1dJ8SgNk1rEg+EU+DYeyMCOffBujK5I
9hYpD+4sHjy7A/WRH68aXc5DZo36yLiEO5VVvm+9enaYhKNWkLzR9TkUMwiI34AB
gD3yDJdFIudjAoIBACjoLH4jQgBxHrMVW3jKcrC1wDb09tNf5oDGMOPS8WHHpUwv
eds5+pUIhzDJN5V3+5ZmjddVJQAnNbQ68fFyRpjN3u+7L759kApOtKlzhqgH2Zfl
kueB6Oe1BrRo7FqpoWqAire0ZB9Tsl2gfdP9zWZRgJ2vUDBBtt2U2PxdP2eJdwhC
Lbm9E5uxYY9TJFbBUWKM/WPiMZnb2yM6bFe6jJKOYWHaGzSRWWpsDhzlKvflLriT
zPPYJq0VBp2rRTxdLxRTX7ORwe53adfSwO6P7zZlR7N6Ovs46RebZ+yDdAomKBuD
y6ms1jz4BEo4YE2rRBtQ6YhVAlklwlXnpzA0lEUCggEBAOVZCz7ji0u4oN7/hfCd
c+hYGU1L9AhoUVc+HAZZRiema76aUMTfwmrkmbRJtWeWTXC8A6AR66PyFlEXHj0B
R7KmKM0XjIPOq0I1D3y1P94q9IW88MSlUiCZyh919z+XdJFrA+c+tUmLHffT14Vt
Pt5BBJaXx9m6XnrGDps/rF8QmGpY9ZzUuaQ3+XXIiiry9ifOPIBGEltN+VVDUOiw
5zXPBKT6U1cKnduwnKRySbfH9pLcTSGnYi+PaxA0lRhwLMCx00cBqcWfnlF0KEQF
xAOe1Emf/x6I4I/p+U/vEX3sidLxBLxMDURKPfJ6AVMJ8mGW1DRVHyzT7X/bNzG3
fx8CggEAPc7vDtN3PDi9qp5tx+3VrDh+Odac7esApHQ5IoMZP/CEwVydT/iEFw1a
DcqLRIyWvl50fhTQqPUum8FB4oHKFcpV+8g6ymxQcTjD4OmQ4+9y894IwghnVqFl
jRmqhRM3iov8QjT84rAm/TusmGiivQoL75w/3CJyrHPe+tqLUIUc0enpA2TMCKfY
eJgpaY7CQ9hYQz4E4gA6mPfy1bWuHs1GjuSG9pnxmmykxZVUDBoOXHNxFN9wMpLW
vUxI3B0Lo8YQhBNxFHZBswyTL86mYgw19NdfzXjrHw9p6Lnvm1BkBetIedcpT8MX
BmpILaK7Mxa0ciRaOqQEXfN6x4tDmw==
-----END PRIVATE KEY-----
Why would you want to use a CA for security?
Using a CA for security is a common practice in securing communications. The chain of trust described above outlines the security benefits of using a CA-signed certificate. Without CAs, online security would be degraded and the chain of trust would not exist.
What are the advantages of using a CA?
Self-signed and CA-signed certificates have different benefits. CA-signed certificates are third-party verified, suitable for use by anyone, and some are free to download.
Self-signed certificates are free to generate but require maintenance costs and are only suitable for use by the generating agency.
One major benefit of using a CA-signed certificate is preventing man-in-the-middle attacks.
Assume that someone intercepts a request to example.com and replies with their own certificate; the browser would still know that the certificate is invalid.
If the attacker states that they issued the certificate themselves, the browser will know that the attacker is not a trusted intermediary CA. If the attacker instead claims that R3 issued the certificate, the browser will be unable to decrypt the SSL certificate using R3’s public key and will issue a security warning.
Other benefits of using a CA include public trust, third-party verification, and data protection.
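The chain-of-trust walk-through above and the man-in-the-middle case just described, as one added example that is not part of the original post. It uses openssl rather than a browser: a constructed root (Demo Root X1) signs a constructed intermediate (Demo R3), which signs a leaf for www.example.test; the leaf is then verified with only the root in the "key store" and the intermediate supplied alongside the leaf, the way a server sends both certificates. A second chain with the same names but an attacker-generated "Demo R3" is then rejected, because that key was never signed by the trusted root. All names, file names and the working directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: build a three-tier chain like
# Figure 1 (root -> intermediate -> leaf) with openssl, verify the leaf the way a
# browser does, then show that a leaf under a forged "R3" is rejected.
# Demo Root X1, Demo R3 and www.example.test are constructed names.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Extension profiles: a CA certificate may sign other certificates, a leaf may not.
write_profiles() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"
}

# new_key_and_csr NAME SUBJECT: a private key plus the CSR an entity sends to its CA.
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# sign_csr NAME ISSUER EXTFILE: the issuer's private key signs NAME's CSR.
sign_csr() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/$3" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# self_sign NAME EXTFILE: a root (or an attacker's would-be root) signs itself.
self_sign() {
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -days 30 -sha256 -extfile "$WORK/$2" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# The legitimate chain: Demo Root X1 -> Demo R3 -> www.example.test
build_chain() {
  write_profiles
  new_key_and_csr root "/CN=Demo Root X1"
  self_sign root ca.ext
  new_key_and_csr inter "/CN=Demo R3"
  sign_csr inter root ca.ext
  new_key_and_csr leaf "/CN=www.example.test"
  sign_csr leaf inter leaf.ext
}

# Browser-style check: -CAfile plays the key store (root only) and -untrusted is
# the intermediate the server sent along with its own certificate. Exit 0 = valid.
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# The interception case: an attacker mints their own "Demo R3" and a certificate
# for www.example.test under it. The names match the real chain, but the fake R3
# is not signed by Demo Root X1, so the root's public key cannot vouch for it.
# Returns 0 when the forged chain is (correctly) rejected.
verify_forged_rejected() {
  new_key_and_csr fake_inter "/CN=Demo R3"
  self_sign fake_inter ca.ext
  new_key_and_csr fake_leaf "/CN=www.example.test"
  sign_csr fake_leaf fake_inter leaf.ext
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/fake_inter.pem" "$WORK/fake_leaf.pem" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Print subject and issuer of each certificate so the chain can be read off.
show_chain() {
  for c in leaf inter root; do
    openssl x509 -in "$WORK/$c.pem" -noout -subject -issuer
  done
}

build_chain
show_chain
verify_chain && echo "leaf verifies against the trusted root"
verify_forged_rejected && echo "forged chain rejected"
```

The -untrusted certificate is deliberately kept out of -CAfile: trusting only the root and letting the server supply the intermediate is exactly the split between key store and server-sent chain that the post describes, and it is what makes the forged "Demo R3" fail even though its subject name is identical to the real one.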
How to Generate a self-signed certificate using Java keytool on Mac
First, download Java on your machine.
Open the terminal and cd to the bin directory that contains the keytool executable:
Create a certificate
sudo keytool -genkey -keyalg RSA -alias selfsigned -keypass myPassword123 -keystore keystore.jks -storepass myPassword123 -validity 36 -keysize 2048
Replace ‘myPassword123’ with your own password and remember your entry. The -validity value is a number of days, and keytool will reject an RSA -keysize that is too small, so 2048 is used here.
Enter your Mac password when prompted and then answer the questions about your organization.
Export the certificate
sudo keytool -export -alias selfsigned -storepass myPassword123 -file server.cer -keystore keystore.jks
Print the certificate to the console
keytool -printcert -file server.cer
Show the certificate in the file system
Run ls to list the files in the current directory; keystore.jks and server.cer should be among them.
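The same procedure as one non-interactive script, added here as an example and not taken from the original post. It passes -dname so keytool asks no organization questions, writes into its own directory so sudo is not required, exports the certificate in PEM form with -rfc, and then checks the -printcert output to confirm the certificate is self-signed (Owner and Issuer are identical). The directory, password, alias and subject name are constructed values; it skips the keytool steps with a message if no JDK is installed.

```shell
#!/bin/sh
# Added example, not code from the original post: the keytool steps above as one
# non-interactive script. -dname answers the organization questions up front,
# -validity is counted in days, and the RSA key is 2048 bits.
# KS_DIR, KS_PASS, the alias and the subject name are constructed values.
set -eu

KS_DIR="${KS_DIR:-$(mktemp -d)}"
KS_FILE="$KS_DIR/keystore.jks"
CERT_FILE="$KS_DIR/server.cer"
KS_PASS="${KS_PASS:-changeit-demo}"   # placeholder; replace with your own password

have_keytool() { command -v keytool >/dev/null 2>&1; }

# Generate the key pair and self-signed certificate, then export it as PEM (-rfc).
# Returns 0 when done, or when no JDK is installed (steps skipped with a message).
make_self_signed() {
  if ! have_keytool; then
    echo "keytool not found: install a JDK and re-run" >&2
    return 0
  fi
  rm -f "$KS_FILE" "$CERT_FILE"
  keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -alias selfsigned -validity 365 \
    -dname "CN=localhost, OU=Demo, O=Example Org, L=Nowhere, ST=NA, C=US" \
    -keystore "$KS_FILE" -storepass "$KS_PASS" -keypass "$KS_PASS" 2>/dev/null
  keytool -exportcert -alias selfsigned -rfc \
    -keystore "$KS_FILE" -storepass "$KS_PASS" -file "$CERT_FILE" 2>/dev/null
}

# A self-signed certificate has identical Owner and Issuer lines in -printcert
# output; that is the property a browser's "untrusted issuer" warning reacts to.
cert_is_self_signed() {
  have_keytool || return 0
  out=$(keytool -printcert -file "$CERT_FILE")
  owner=$(printf '%s\n' "$out" | sed -n 's/^Owner: //p')
  issuer=$(printf '%s\n' "$out" | sed -n 's/^Issuer: //p')
  [ -n "$owner" ] && [ "$owner" = "$issuer" ]
}

make_self_signed
if have_keytool; then
  keytool -printcert -file "$CERT_FILE"   # print the certificate to the console
  ls -l "$KS_DIR"                          # keystore.jks and server.cer
  cert_is_self_signed && echo "Owner and Issuer match: certificate is self-signed"
fi
```

Because the certificate is its own issuer, nothing in a machine's key store vouches for it; browsers will warn until the certificate is imported as a trusted root, which is why the post limits self-signed certificates to the generating organization's own use.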