This document discusses SSL certificates, including their purpose for server/client authentication and secure data transfer. It covers the process of requesting, signing, installing and verifying certificates from both Certificate Authorities (CAs) and self-signing. The different types of SSL certificates - DV, OV and EV - are explained along with OpenSSL tools, certificate structure, chain of trust, trust stores, certificate pinning and free certificate options like Let's Encrypt.

1. SSL Certificates & Operations
Nisheed Meethal
7 Nov’16

2. Chapters
• Purpose of SSL certificates
• Request, sign, install and verify
• CA Signed vs. Self signed
• SSL Certificate types
• DV (basic), OV (enhanced) & EV (complete)
• OpenSSL
• Certificate Structure
• Chain of trust
• Trust Stores
• Certificate pinning
• Free certificates

3. Purpose of SSL certificates
• Server [/Client] authentication for
source [/dest] validation and trust.
• Secure data transfer using encryption
SSL Communication Process
1. Server authentication (Handshake)
2. Key Exchange
3. Encrypted data transfer (Record)
Highest SSL Version, Ciphers Supported,
Data Compression Methods,
Session Id = 0,
Random Data
Selected SSL Version, Selected Cipher,
Selected Data Compression Method, Assigned
Session Id, Random Data, Server Certificate
(Client Certificate Request)
Server Hello Done
Indicates that further communication to server will be encrypted
Digest of all SSL handshake commands for integrity check
Indicates that further communication to client will be encrypted
Digest of all SSL handshake commands for integrity check

4. Request, sign, install and verify
3. Get it signed by CA, say mysite.crt
Cert verification by browser
▶ openssl genrsa -out mysite.key 4096
▶ openssl req -new -key mysite.key -out mysite.csr
2. Send mysite.csr to the CA of your choice.
1. Generate the private key and certificate signing request for your site.
4. Install the certificate
▶ openssl req -x509 -newkey rsa:4096 -keyout mysite.key -out mysite.crt -days 365
CA Signed
Self Signed
1. Generate the private key and self signed certificate for 365days.
2. Install the certificate

5. SSL Certificate types (DV,OV,EV)
• DV – Domain Validated (Basic)
• Small or medium level website owners who only wish to encrypt their domain can
issue DV SSL certificate. (https://www.ycombinator.com/, https://www.nisheed.com)
• Features
• Green padlock
• Lower price
• Quick issuance within minutes
• No paper work or documentation required for validation. Validated againest the
domain. It does not guarantee the identity of the website's owner nor the actual
existence of the organization
• 99.9% mobile and web browser compatibility
• Comes up with Wildcard and Multi Domain features
• Reissue as many times as needed during the validity period
• Validation process (email,file,registrar)
• https://aboutssl.org/domain-validated-ssl-validation-process

6. SSL Certificate types (DV,OV,EV)
• OV – Organization Validated (Enhanced)
• Business identity level trust. Organization name printed in the certificate.
(https://www.intuit.com/, https://www.icicbank.com, https://www.reddit.com/ )
• Features
• Green padlock
• 1-3 days for issuance
• More trusted than DV
• Organization name is validated and part of the certificate. (Issue to Organization and
Subject are filled up)
• https://aboutssl.org/document-require-for-ov-ssl-code-signing-certificate

7. SSL Certificate types (DV,OV,EV)
• EV – Extended Validated (Complete)
• For trusted and high security sites (https://www.godaddy.com, https://www.actalis.it/,
https://www.geotrust.com/, https://www.online.citibank.co.in/ )
• Features
• Green Address Bar + Organization Name + Trust Seal
• Up to 10 business days for issuance & Very Strict Validation Process
• OV by default + High 256-bit encryption with 2048-bit Key Length
• Multi domain with SAN only.
• https://aboutssl.org/document-require-for-ev-ssl-certificate

8. OpenSSL
Read cert (online)
openssl s_client -connect www.google.com:443 < /dev/null 2>/dev/null
openssl s_client -showcerts -connect www.google.com:443 < /dev/null 2>/dev/null
Read the cert - x509 decoded (online)
openssl s_client -connect qbo.intuit.com:443 < /dev/null 2>/dev/null | openssl x509 -in
/dev/stdin –text
Check expiry [startdate, fingerpring, …]
openssl s_client -connect qbo.intuit.com:443 < /dev/null 2>/dev/null | openssl x509 -in
/dev/stdin -noout –enddate [-startdate –fingerprint -sha1, …]
Verify the key and cert (offline)
openssl rsa -in admin.prod-lvdc.qbo.ie.intuit.com.key -noout -modulus | openssl shasum
openssl x509 -in admin.prod-lvdc.qbo.ie.intuit.com.crt -noout -modulus | openssl shasum
Public key extraction from Private key
openssl rsa -in mysite.key -pubout > mysite.pub.key
openssl req -noout -in mysite.csr –pubkey > mysite.pub.key
Remove passphrase from privae key
openssl rsa -in mysite.key -out nopassphrase_mysite.key

9. Certificate Structure
x509 - PKIX (Public Key Infrastructure) certificate - rfc6818
Encoding
DER => Binary DER encoded certs. (appear as .cer/.crt files)
PEM => ASCII (Base64) armored data prefixed with a “—– BEGIN …” line. (appears as .cer/.crt/.pem files)
File extensions
.crt => *nix convention of binary DER or Base64 PEM
.cer => Microsoft covention of binary DER or Base64 PEM
.key => public/private PKCS#8 keys. DER or PEM.
# View cert content
▶ openssl x509 -in ServerCertificate.pem -text -noout
▶ openssl x509 -in ServerCertificate.der -inform der -text -noout
# Encoding conversion
▶ openssl x509 -in ServerCertificate.cer -outform der -out ServerCertificate.der
▶ openssl x509 -in ServerCertificate.der -inform der -outform pem -out ServerCertificate.pem

10. Certificate Structure
▶ openssl s_client -connect qbo.intuit.com:443 < /dev/null 2>/dev/null | openssl x509 -in /dev/stdin –text

11. ▶ openssl s_client –connect google.com:443 -showcerts < /dev/null 2>/dev/null
Google.com (EE/Leaf)
GIA (ICA)
Geotrust (ICA)
Equifax (root CA)
Chain of Trust

12. Trust Stores
• Application trust stores
• Browser
• Public keys of all major CAs come with release
• Java (tomcat,coldfusion etc.)
• Mostly there but less frequently updated.
• You need to take care if customized.
▶ /usr/local/java/jre/bin/keytool -import -v -alias
SHA2_Standard_Inter_Symantec_Class_3_Standard_SSL_CA_G4 -file
/$path/SHA2_Standard_Inter_Symantec_Class_3_Standard_SSL_CA_G4.cer -keystore
/application/conf/jssecacerts -storepass changeit –noprompt
▶ /usr/local/java/jre/bin/keytool -list -v -keystore /application/conf/jssecacerts -storepass changeit –
noprompt
▶ /usr/cfusion8/runtime/jre/bin/keytool -import -v -alias SHA2_EV_Inter_Symantec_Class_3_EV_SSL_CA_G3 -
file /root/SHA2_EV_Inter_Symantec_Class_3_EV_SSL_CA_G3.cer -keystore
/usr/cfusion8/runtime/jre/lib/security/cacerts -storepass changeit
▶ /usr/cfusion8/runtime/jre/bin/keytool -list -v -keystore /usr/cfusion8/runtime/jre/lib/security/cacerts
-storepass changeit
When should you update the application trust store?

13. Certificate pinning
HTTP Public Key Pinning, or HPKP (rfc7469).
This standard allows websites to send an HTTP header instructing the browser to remember (or
"pin") parts of its SSL certificate chain. The browser will then refuse subsequent connections that
don't match the pins that it has previously received. Here's an example of an HPKP header:
Public-Key-Pins:
pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=";
pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=";
max-age=259200
Public-Key-Pins-Report-Only:
max-age=2592000;
pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=";
pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=";
report-uri="https://example.net/pkp-report"
# Generate private key and csr.
▶ openssl genrsa -out mysite.key 4096
▶ openssl req -new -key mysite.key -out mysite.csr
# Get the crt from CA
▶ openssl x509 -noout -in mysite.crt -pubkey | openssl asn1parse -noout -inform pem -out
mysite.pub.key
▶ openssl dgst -sha256 -binary mysite.pub.key | openssl enc -base64
# Form the header and add to web server (eg:- apache).
Header add Public-Key-Pins "max-age=500; includeSubDomains;
pin-sha256="wBVXRiGdJMKG7vQhr9tZ9br9Md4l7cO69LF2a88Au/o=";

14. Free & Open certificates
• Let’s Encrypt
• https://letsencrypt.org/getting-started/

15. Useful resources:
https://www.ssllabs.com/ssltest/
https://aboutssl.org/ssl-tools/ssl-checker.php
https://tools.ietf.org/html/rfc6818
https://certbot.eff.org/