About

This article talks about how a certificate:

• is send by a sender (known also as the owner)
• and gets its signature from a trusted ca to validate the identity of the sender.

By signing a certificate, the CA tells I know this person or device: they are who they say they are

The processus is also known as issuing or producing a certificate.

A signed certificate is a certificate that have been signed

• using itself, it is called a self signed certificate (not secure or trusted ca).
• using a third Ca certificates

A certificate is insecure until it is signed, as only a signed certificate cannot be modified.

The certificate can then be used:

• on the server to identify the server and enable SSL (see How to enable SSL on a server (ie HTTPS on a web server) ?)
• on the client to validate the client identity (see What is a client certificate authentication ? (SSL/TLS Web))

Procedure

To get a certificate to install it on your own infrastructure, the process is the following:

• Create a Private Key
• Create a Certificate signing Request for that private key with some information for purpose of future Certificate.
• Send that Certificate Request to:
  • a Certificate Authority (CA)
  • or to your self if you act as your own Certificate Authority
• The certificate Authority will check the information provided in the certificate request (domain, mail, …) and may challenge it. For instance, to prove its ownership of the domain with:
  • setting a DNS TXT record
  • or hosting a file somewhere on a random path on the domain.
• Once the challenge has been satisfied, the certificate Authority signs the request, issuing (producing) a public certificate CA signed.

Automation

You can automate the process with acme client

What to do when the certificat is signed ?

After getting a certificate from your Certificate Authority (CA), you can enable SSL communcation by installing your private key together with the received Certificate on:

• your server (web server, ),
• and optionally on your Client (browser, …)