Certificate Format Basics

-


Certificates are amazing. They are all standardized, there's a single, universal, secure format that most everyone uses, just about anyone can manage them, and a single validation failure in a chain can no longer cause production outages.

Now that the jokes are out of the way, if you're anything like me you find it difficult to keep track of the certificate formats, how they're encoded, which formats allow for the private key to be included and which don't, why exactly I need to use one format of certificate on this box but it needs to be converted before I put it on Windows, etc. But certificates actually play a vital role in security and they're important to understand.

I won't be covering all certificate formats today, but I'll cover several -- including the most common ones and what differentiates them from other certificate formats. Note I define certificate format as the defined formatting of the certificate (defined in an RFC or otherwise), and certificate type as describing a certificate's use. Here is a great breakdown on the different certificate types. If you have questions about something not covered here feel free to comment below and I'll do my best to answer.

.pem

This is one of the most powerful certificate formats as a single .pem file can contain your entire certificate chain and key pair! That is your root, intermediate, and primary/domain certificate, csr, and key-pair all in one!

The easiest way to remember what makes PEM different is that it's really just a file with base64 encoded data that can represent up to and including everything you need / obtain from your CA for your certificate chain to be complete. Or you may find just a couple of the items in the chain. Only way to know what's in it is open it and find out.


.pem example
.pem example (certificate + csr)


.cer / .cert / .crt

See .pem above. Windows just recognizes this as a certificate while it does not recognize .pem.


.p7b / .p7c

Also Base64 encoded, this format is recognized by several platforms. While out of the scope of this post, the RFCs they're based on define the actual format/standard (PKCS#7 and CMS). These can contain varying numbers and types of certificates (root, intermediate, etc.) but will never include the private key.

.pfx / .p12

The '12th' standard in PKCS (Public Key Cryptography Standards). These formats are password protected and encrypted by symmetric key. PFX is the predecessor to PKCS#12. These can contain all certificates in the chain as well as the private key. OpenSSL can conveniently convert these certificate formats to a .pem to split out if desired.

Additional Reading

I'd encourage reading up on the RFCs surrounding PKCS#7, PKCS#12, and others (maybe other blog posts or articles explaining the RFCs...they can get dry at times).

While some of the knowledge above is due to experience, much of it is due to reading, watching videos, and experimenting with OpenSSL. In no particular order, here are some reference links you may find useful:

Comments

Post a Comment

Popular Posts

Hashcat - Cracking MD5 and NTLM Hashes

-
Image
Today we'll be exploring Hashcat -- "the world’s fastest and most advanced password recovery utility". This, along with similar tools, should be used only for password recovery, pentest engagements, CTFs, etc and never for illegal purposes. I could write an entire series about the capabilities Hashcat provides, but we will cover a few basic examples for now ( besides, Hashcat does a pretty good job of that themselves ): Crack MD5 hashes using the rockyou.txt wordlist. Crack NTLM hashes using the rockyou.txt wordlist. Crack NTLM hashes using a mask attack (modified brute force). I'll be using Kali Linux as Hashcat comes pre-installed, but Hashcat can run on Windows, macOS, and other Linux distributions as well. As you'll see, I'll be using some lists of hashes I made previously. Tools to generate hashes using dozens of algorithms are available online -- just save the output as a text file if you want to follow along. Cracking MD5 Hashes Using rockyou.txt Wordl
Read more

Configuring Secure Ciphers Suites and TLS

-
Image
Hey everyone, today we're back on cipher suites. If you want a refresher of TLS and secure cipher suites overall, check out my previous post . There are many instances in which you'll need to edit cipher suites on a system -- compliance efforts, CIS benchmarks, or simply ensuring your system doesn't use insecure suites. There are a few ways to go about this and I'll detail two of them now: IIS Crypto and the Windows registry. IIS Crypto My favorite way of editing TLS versions and cipher suites is using IIS Crypto . IIS Crypto allows you to select your desired TLS/SSL version, cipher suites, and backup the registry, all with a few mouse clicks. Only downside is that it's Windows only (even the command line version). This is what IIS Crypto will look like on an unmodified Windows 10 system. Note the separate  Server Protocols  and  Client Protocols  sections. These are important to keep straight depending on what system is listening for connections and what system is
Read more

Configuring SSH Key Based Authentication

-
Image
Overview Most personal computers and many organizations running Linux servers utilize password-based authentication. This is what most of us are used to -- you enter a username and password in order to authenticate your account and gain access to a system. While straightforward and commonplace, this isn't the best solution in most cases. Today I'll be explaining why key based authentication is more convenient, more secure, and allows for automation of tasks without saving credentials in plain-text in a text file. Key based authentication involves the use of private and public keys ( public-key cryptography ). The private key is stored on the client and the public key is stored on the server in a special file ( ~/.ssh/authorized_keys ). This allows any system with the corresponding private key to login to the server where we just stored the public key. Our steps are: Generate key pair (public / private key). Transfer public key and add it to the authorized_keys file on the remot
Read more