About
This article describes how a certificate:
- is sent by a sender (also known as the owner)
- and gets its signature from a trusted CA to validate the sender's identity.
By signing a certificate, the CA states: I know this person or device; they are who they say they are.
The process is also known as issuing or producing a certificate.
A signed certificate is a certificate that has been signed:
- with its own private key: this is called a self-signed certificate (not secure, since no trusted CA vouches for it).
- with a third-party CA's private key.
A certificate is not trustworthy until it is signed, because only a signed certificate cannot be modified without the change being detected.
Only a certificate signed by a third-party Certificate Authority assures the authenticity of the owner.
The certificate can then be used:
- on the server to identify the server and enable SSL (see How to enable SSL on a server (ie HTTPS on a web server)?)
- on the client to validate the client identity (see What is a client certificate authentication? (SSL/TLS Web))
Procedure
To get a certificate to install on your own infrastructure, the process is the following:
- Create a Certificate Signing Request (CSR) for your private key, carrying the information that will go into the future certificate.
- Send that Certificate Signing Request to:
  - a Certificate Authority (CA),
  - or to yourself if you act as your own Certificate Authority.
- The Certificate Authority checks the information provided in the certificate request (domain, mail, …) and may challenge it. For instance, to prove ownership of the domain, it may require:
  - setting a DNS TXT record (ie the DNS-01 challenge)
  - or hosting a file at a random path on the domain.
- Once the challenge has been satisfied, the Certificate Authority signs the request, issuing (producing) a CA-signed public certificate.
Where is the signature?
The signature in a certificate can be seen in the Signature Value field of the certificate's textual dump:
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: O=system:masters, CN=system:admin
        xxxxxxxxxxxxx
        xxxxxxxxxxxxx
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:44:02:20:7c:81:bd:b1:e6:a8:20:73:ab:81:19:b5:05:ee:
        3b:a3:11:e6:2f:15:1f:3a:66:9b:8f:72:ee:f4:dc:d4:c1:ee:
        02:20:2c:2d:82:df:67:a3:fb:92:0e:b6:40:4d:06:c7:9d:52:
        de:31:e4:f4:39:ae:af:b9:65:55:34:0f:ac:db:90:ae
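The procedure above (key, CSR, CA signature, verification) and the signature dump, worked through with the openssl command line. This is an added example, not code from the original article. It assumes openssl is installed; the CA name demo-ca, the subject demo.example, the organisation names and the scratch directory are constructed placeholders. The CA root created in the first step is itself a self-signed certificate, the case the next section refers to.

```shell
#!/bin/sh
# Added example, not code from the original article: the CSR/signing procedure
# run end to end with the openssl CLI. All names (demo-ca, demo.example) and
# the scratch directory are constructed placeholders.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# The CA's own key and root certificate. The CA signs this one with its own
# private key, so the root is itself a self-signed certificate.
make_ca() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORKDIR/ca.key" 2>/dev/null &&
  openssl req -x509 -new -key "$WORKDIR/ca.key" -sha256 -days 365 \
    -subj "/O=Demo CA/CN=demo-ca" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Step 1 (owner side): generate a private key, then a CSR carrying the subject
# information the future certificate should contain. The private key stays
# with the owner; only the CSR is sent to the CA.
make_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORKDIR/server.key" 2>/dev/null &&
  openssl req -new -key "$WORKDIR/server.key" -sha256 \
    -subj "/O=Demo Org/CN=demo.example" -out "$WORKDIR/server.csr" 2>/dev/null
}

# Step 2 (CA side): after checking the request, sign it with the CA private
# key. The output is the CA-signed public certificate returned to the owner.
sign_csr() {
  openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 90 -sha256 \
    -out "$WORKDIR/server.crt" 2>/dev/null
}

# Relying-party check: the signature verifies against the CA certificate, so
# the chain is accepted (exit status 0); a tampered certificate fails here.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# The subject CN the CSR asked for, as it appears in the issued certificate.
cert_subject_cn() {
  openssl x509 -in "$WORKDIR/server.crt" -noout -subject | sed 's/.*CN *= *//'
}

# The algorithm named in the "Signature Algorithm" field of the text dump.
signature_algorithm() {
  openssl x509 -in "$WORKDIR/server.crt" -noout -text \
    | grep 'Signature Algorithm' | head -n 1 | sed 's/.*Signature Algorithm: *//'
}

# The signature bytes from the dump (the "Signature Value" block in OpenSSL 3,
# the hex lines after the trailing "Signature Algorithm" line in older
# releases), joined into one colon-separated string. For ECDSA it starts
# with 30 (a DER SEQUENCE holding r and s).
signature_hex() {
  openssl x509 -in "$WORKDIR/server.crt" -noout -text \
    | awk '/Signature Algorithm/ { buf = ""; next } { buf = buf $0 "\n" } END { printf "%s", buf }' \
    | grep -E '^ +[0-9a-f]{2}(:[0-9a-f]{2})*:?$' | tr -d ' \n'
}

# Runs the whole procedure and prints the fields discussed in the article.
demo() {
  make_ca && make_csr && sign_csr && verify_chain || return 1
  echo "subject CN:          $(cert_subject_cn)"
  echo "signature algorithm: $(signature_algorithm)"
  echo "signature value:     $(signature_hex)"
}

# Usage: sh cert_signing_demo.sh run
if [ "${1:-}" = run ]; then demo; fi
```

Run it with the `run` argument to see the issued certificate's subject, signature algorithm and signature value; `verify_chain` is the check a client performs when it validates the server certificate against the CA it trusts.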
Example with a self-signed certificate
You can sign it yourself if you act as a Certificate Authority (CA). See: Cryptography Certificate - How to self-signed a Certificate (for a test or internal server)
Automation
You can automate the process with an ACME client.
What to do when the certificate is signed?
After getting a certificate from your Certificate Authority (CA), you can enable SSL communication by installing your private key together with the received certificate on:
- your server (web server, …),
- and optionally on your client (browser, …)