About
This article talks about how a certificate:
- is sent by a sender (also known as the owner)
- and gets its signature from a trusted CA to validate the identity of the sender.
By signing a certificate, the CA says: I know this person or device; they are who they say they are.
The process is also known as issuing or producing a certificate.
A signed certificate is a certificate that has been signed:
- with its own key: this is called a self-signed certificate (not secure, as no trusted CA vouches for it),
- or with the certificate of a third-party CA.
A certificate is insecure until it is signed, because only a signed certificate cannot be modified without invalidating the signature.
Only a certificate signed by a third-party Certificate Authority assures the authenticity of the owner.
The certificate can then be used:
- on the server, to identify the server and enable SSL (see How to enable SSL on a server (i.e. HTTPS on a web server)?)
- on the client, to validate the client identity (see What is a client certificate authentication? (SSL/TLS Web))
Procedure
To get a certificate and install it on your own infrastructure, the process is the following:
- Create a Certificate Signing Request (CSR) for your private key, with the information needed for the future certificate.
- Send that Certificate Signing Request:
  - to a Certificate Authority,
  - or to yourself if you act as your own Certificate Authority.
- The Certificate Authority checks the information provided in the request (domain, mail, …) and may challenge it. For instance, to prove ownership of the domain, it may require:
  - setting a DNS TXT record,
  - or hosting a file at a random path on the domain.
- Once the challenge has been satisfied, the Certificate Authority signs the request, issuing (producing) a CA-signed public certificate.
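The whole procedure above (key pair, CSR, CA-side check and signing, then the client-side check against a trust store that holds only the CA), as an added Go example that is not part of the original article: Go's crypto/x509 stands in for whatever CA tooling you actually use, and the CA name "Example Test CA" and the host passed to procedure are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueFromCSR is the CA's step: parse the request, check the requester's own signature over it
// (proof of possession of a private key that never leaves the requester), then sign only the vetted fields.
func issueFromCSR(csrDER []byte, ca *x509.Certificate, caKey ed25519.PrivateKey) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // forged or tampered request
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// procedure walks the steps for host (key, CSR, CA issuance, then the client check against
// a trust store holding only the CA) and returns nil when the issued certificate is trusted.
func procedure(host string) error {
	// Constructed CA standing in for the third party that receives the CSR.
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	_, srvKey, _ := ed25519.GenerateKey(rand.Reader) // requester's key pair; only the CSR travels
	csr, _ := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}, srvKey)
	issuedDER, err := issueFromCSR(csr, ca, caKey)
	if err != nil {
		return err
	}
	issued, _ := x509.ParseCertificate(issuedDER)
	roots := x509.NewCertPool() // client trust store: only the CA root, so a self-signed server cert fails here
	roots.AddCert(ca)
	_, err = issued.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```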
Example with a self-signed certificate
You can sign it yourself if you act as a Certificate Authority (CA). See: Cryptography Certificate - How to self-signed a Certificate (for a test or internal server)
Automation
You can automate the process with an ACME client.
What to do when the certificate is signed?
After getting a certificate from your Certificate Authority (CA), you can enable SSL communication by installing your private key together with the received certificate on:
- your server (web server, …),
- and optionally on your client (browser, …).