9 Public Key Infrastructure and X.509 Digital Certificates: know who you are talking to

 

This chapter covers

  • Inspecting X.509 digital certificates for key fields that developers need to know
  • Verifying X.509 certificates to decide if a certificate is trustworthy
  • Common certificate validation failure reasons

In the last chapter, we explored how public key cryptography solves the shared secret problem by utilizing a key pair: a public key and a private key. The private key remains confidential and must be securely stored, while the public key can be freely distributed without requiring protection.

Let’s imagine we need to establish a secure connection between a client and a server of Acme Inc. You might think this is an easy task, but there are things to consider. For example, a client and server wishing to communicate securely exchange public keys during the connection setup process. The exchange of public keys happens over an unsecured connection because we first need the keys to set up the encryption between the client and server. An attacker can intercept the public key exchange and replace the server’s public key with the attacker’s public key (figure 9.1).

Figure 9.1 Public keys exchanged over an insecure connection can be modified by a man-in-the-middle attacker. The client needs a way to validate that the public key it received from the server has not been tampered with. Using an X.509 digital certificate, the client can determine who the public key belongs to.

9.1 Inspecting X.509 Digital Certificates

9.1.1 Inspecting X.509 certificates with OpenSSL CLI

9.1.2 Downloading a Website’s X.509 Digital Certificate Using OpenSSL CLI

9.1.3 Viewing The Fields of an X.509 Digital Certificate

9.1.4 Subject fields: Identify the public key and its owner.

9.1.5 Issuer Field: Identifies who created the certificate.

9.1.6 Validity Fields

9.1.7 X.509 Digital Certificate Encoding Formats

9.2 Verifying X.509 Digital Certificates

9.2.1 Verifying the GitHub.com X.509 Certificate

9.3 Summary