How a certificate is signed ? (known also as issuing or producing)

Certificate Validity Period Not Before Not After Portecle

About

This article talks about how a certificate:

  • is send by a sender (known also as the owner)
  • and gets its signature from a trusted ca to validate the identity of the sender.

By signing a certificate, the CA tells I know this person or device: they are who they say they are

The process is also known as issuing or producing a certificate.

A signed certificate is a certificate that have been signed

A certificate is insecure until it is signed, as only a signed certificate cannot be modified.

Only a certificate signed by a third Certificate Authority assure the authenticity of the owner.

The certificate can then be used:

Procedure

To get a certificate to install it on your own infrastructure, the process is the following:

  • Create a Private Key
  • Create a Certificate signing Request for that private key with some information for purpose of future Certificate.
  • Send that Certificate Request to:
  • The certificate Authority will check the information provided in the certificate request (domain, mail, …) and may challenge it. For instance, to prove its ownership of the domain with:
    • setting a DNS TXT record (ie DNS01 challenge)
    • or hosting a file somewhere on a random path on the domain.
  • Once the challenge has been satisfied, the certificate Authority signs the request, issuing (producing) a public certificate CA signed.

Where is the signature?

The signature in a certificate can be seen in the Signature Value field 

Certificate:
    Data:
        Version: 3 (0x2)
        Subject: O=system:masters, CN=system:admin
        xxxxxxxxxxxxx
        xxxxxxxxxxxxx
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:44:02:20:7c:81:bd:b1:e6:a8:20:73:ab:81:19:b5:05:ee:
        3b:a3:11:e6:2f:15:1f:3a:66:9b:8f:72:ee:f4:dc:d4:c1:ee:
        02:20:2c:2d:82:df:67:a3:fb:92:0e:b6:40:4d:06:c7:9d:52:
        de:31:e4:f4:39:ae:af:b9:65:55:34:0f:ac:db:90:ae

Example with a self-signed certificate

You can sign it your self if you act as a Certificate Authority ( CA ). See: Cryptography Certificate - How to self-signed a Certificate (for a test or internal server)

Automation

You can automate the process with acme client

What to do when the certificat is signed ?

After getting a certificate from your Certificate Authority (CA), you can enable SSL communcation by installing your private key together with the received Certificate on:




Discover More
Certificate Validity Period Not Before Not After Portecle
CA Certificate

A CA certificate is a certificate used by a certificate authority to validate a certificate signed by the CA private key. In the chain, it's the Root certificate or the intermediate certificates....
Certbot (letsencrypt | letsencrypt-auto)

Certbot is an acme client (Let’s Encrypt CA) (or any other CA) to issue SSL certificates. Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt—an open certificate authority...
Certificate Validity Period Not Before Not After Portecle
Certificate and chain verification

A certificate check is an authentication known as Sender Authentication (or asymmetric authentication). The signature of the certificate is verified with the public key to check if it was signed...
Challenge of ownership

challenge are actions that permits to verify the ownership of a private key. They are used during the CA certificate signing verification To get a domain validated certificate, you need to prove the...
Certificate Validity Period Not Before Not After Portecle
Cryptography - X.509

A x.509 certificate is the specification / version of certificate in the X.509 Public Key Infrastructure (PKI) It's the most common and used format of a certificate. certificate and X.509 certificate...
Certificate Validity Period Not Before Not After Portecle
Cryptography Certificate - How to self-signed a Certificate (for a test or internal server)

When a certificate is used to sign itself, it is called a self signed certificate. All root CA certificates of the certificate chain are self signed. This article shows you how to create a self-signed...
Certification Chain Path Chrome Dev
Cyrptography - Certificate chain

A certificate can have been issued (signed) by another CA creating a chain (or path). See certificate chain There are several types of certificate: root certificate. The root of the tree. (All root...
Domain Validate Certificate
Domain Validated Certificates (DV)

Domain Validated certificates are server signed certificates where the ownership of the domain was checked. There is no identifying organizational information for these certificates and thus should never...
400 Default Page No Required Ssl Certificate
How to configure certification based client authentication with Nginx ?

This article shows you how to configure a client authentication via the ownership of a certificat on a Nginx web server. The server should be already configured for HTTPS as client certificate (client...
Web Site Certificate
How to enable SSL on a server (ie HTTPS on a web server) ?

This page shows you how to configure a certificate and a private key for a server in order to enable SSL or a web server (http) (ie web site) in order to enable https (ie HTTP over SSL).



Share this page:
Follow us:
Task Runner