X.509 is a standard developed to certify the identity of entities (individuals or machines), primarily for securing network connections, with its main application in Transport Layer Security (TLS). It employs asymmetric encryption, using a private-public key pair to authenticate entities through a signing mechanism and to encrypt sensitive information exchanges.
The X.509 standard also defines the role of the Certificate Authority (CA), an entity responsible for issuing client certificates and verifying their ongoing validity. The CA can revoke certificates and generate a Certificate Revocation List (CRL), which is distributed over the network to allow third parties to verify a certificate's current status.
This chapter is split into the following sections:
Symmetric and asymmetric encryption
Installing and customizing OpenSSL
Generating a CA Root Certificate
Generating server and user certificates
Managing certificates
Encryption is the process of transforming readable data (e.g., plaintext) into encoded, unreadable data using a predefined algorithm called a cipher and a secret token known as a key. Only authorized entities with the correct key can decrypt the data, restoring it to its original, readable form. Attempting to decrypt data without the key involves a brute-force attack, which requires testing all possible keys. With modern ciphers, this is computationally intensive and nearly infeasible within a reasonable timeframe.
Encryption algorithms are generally divided into two main categories:
Symmetric algorithms use a single key for both encryption and decryption, offering high security with lower computational effort. However, securely sharing the key between peers is essential; transmitting it openly over a network could allow a man-in-the-middle to intercept it, gaining the ability to decrypt the data. A further limitation is that symmetric algorithms cannot authenticate peer identities.
Asymmetric algorithms rely on a key pair, two related but distinct keys. A private key, also called secret key, must remain confidential, while the public key is shared. The private key can generate the public one, but the opposite is not possible or, in any case, to reconstrut the private key starting from the public key a brute-force attack is requested.
The public key can be seen as a padlock; it is able to encrypt (to lock) data, but not to decrypt them, so you can safely distribute it to the public. The private key can be seen as the only key able to open the padlock, so data encrypted by the public key can only be decripted by its coupled private key; then the private key must be kept secret to anyone.
Asymmetric encryption can also make authentication possible. Specifically, the private key can sign data producing the so-callded digital signature, so the owner of the private key can certify that some data are coming from him and only him. If anyone in the middle attempts to modify the orginal data, the signature will result broken. The signature verification can be done by everyone by means of the public key.
To secure network connections, the TLS uses both asymmetric and symmetric encryption (see e.g., Diffie-Hellman key exchange). During the initial handshaking, first the asymmetric encryption takes the scene. The two peers mutually authenticate the one towards the other by echanging their public keys and proving that they also own the related private keys by decripting a random secret mutually exchanged. Then, they agree on the use of a specific symmetric cypher algorithm and confidentially share a symmetric key thanks to the asymmetric encryption. Once the handshaking is complete, both parties have the symmetric key, and then the data stream is encrypted by the symmetric cipher that requires less computational effort. Typically, on an hourly basis the symmetric key is recreated to increse security.
The X.509 certificate scheme is a particular implementation of the asymmetric encryption. Every X.509 certificate is practically a key-pair. What is called the certificate is the public key, while the corresponding private key is simply called key. In the sequel, we will see the most important aspects related to X.509 certificates creation and signing.
DISCLAIMER
The material and methods reported in Linux Admin Smart Guide, even if tested, are provided without any guarantee. All the commands are run as privileged (root) user, so it is highly recommended to try them first on non-production machines and, in any case, to always do backups first. Linux Admin Smart Guide is not responsible for any damage or data loss caused by misformulated commands or inadvertently launched commands.
To gain a root shell, run the command sudo su -l from the shell of a regular user who is included in the sudoers list, or simply the command su -l and then providing the root password.