DEV Community

drevispas

PKI Certificates

Trust chain


It is important for web developers to understand PKI concepts such as private/public keys, certificates and CAs. Let us look at these concepts briefly.

We use SSL certificates every day without noticing. Our web browsers ship with pre-built root certificates, which are the roots of trust.
When we visit a web page, the web server encrypts some messages and returns them to the web browser. The browser checks that the server certificate is signed by a certificate authority that is one of the pre-built authorities in the browser, and only then trusts the server.

Self-signed Certificates


In most cases, we use certificates from public CAs for HTTPS. But if connections happen only in closed networks, it is efficient and convenient to use self-signed certificates as trusted root certificates.

A private root CA key and a self-signed root certificate are created on a secure, closed machine. I used a hardware appliance called an HSM to generate or import the root CA private key and certificate. But in small testing scenarios, it is OK to do this on an ordinary Linux machine.

We can also add intermediate CAs if we want a trust hierarchy. I made three tiers of certificates comprising a single root, several intermediates, and a device certificate per device.

A server creates a CSR filled with information like the CN and expiration date, then sends it to an intermediate or root CA server. The CA server signs it with its private key and certificate pair and generates the server certificate, which consists of the issuer, subject, revocation endpoint and public key of the server.
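
The three-tier issuance described above, sketched with the `openssl` command line as an added example that is not part of the original post. It builds a root, one intermediate and one device certificate, then checks that the device certificate validates only when the intermediate is supplied. The subject names, lifetimes, CRL URL and helper function names are assumptions made for illustration, and keys are written unencrypted to a temporary directory, which suits a test machine only.

```shell
# Added example: root -> intermediate -> device. All names, lifetimes and the
# CRL URL are constructed; function names are hypothetical helpers.
write_config() {  # $1 = working directory
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = req
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_intermediate]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_device]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
crlDistributionPoints = URI:http://pki.example.invalid/intermediate.crl
EOF
}

# issue <dir> <name> <CN> <ext-section> <issuer> <days>
# The subject makes a key and a CSR; the issuer signs the CSR with its own key
# and certificate. With openssl the lifetime (-days) is given at signing time.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$5.crt" -CAkey "$1/$5.key" \
    -CAcreateserial -extfile "$1/pki.cnf" -extensions "$4" -days "$6" \
    -out "$1/$2.crt" 2>/dev/null
}

make_chain() {  # $1 = working directory
  write_config "$1" &&
  # Root: self-signed, so issuer and subject are the same name.
  openssl req -x509 -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
    -extensions v3_root -subj "/CN=Constructed Root CA" -days 3650 \
    -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null &&
  issue "$1" intermediate "Constructed Intermediate CA" v3_intermediate root 1825 &&
  issue "$1" device "device-0001" v3_device intermediate 365
}

# Only the root is trusted; the intermediate is passed as an untrusted helper.
verify_with_intermediate() { openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" "$1/device.crt"; }
# Same check without the intermediate: the chain cannot be built and verification fails.
verify_root_only() { openssl verify -CAfile "$1/root.crt" "$1/device.crt"; }
issuer_of() { openssl x509 -in "$1/$2.crt" -noout -issuer; }

d=$(mktemp -d) && make_chain "$d" && verify_with_intermediate "$d" && issuer_of "$d" device
```

The root-only failure is why a server in such a hierarchy has to send its intermediate certificate along with its own, since clients hold only the root.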

Next time, I would like to talk about 2-way SSL, which is more secure than the above 1-way SSL.
