In the previous article, we analyzed some basic concepts of SSL/TLS and why they are secure, especially the concepts of public key and private key. Another important element is the CA certificate. For the formal definition of a CA certificate, please refer to the encyclopedia entry. Here we can simply think of a CA certificate as the QR code of a website: this QR code carries some information about the server, such as the organization the server belongs to, the supported encryption algorithms and, most importantly, the public key.
X.509
When we use mbedtls, we will come across the name X.509, and we will encounter this concept in other places as well. Here we only give an informal explanation: certificates are issued by dedicated certification authorities, so many certificate formats exist. X.509 is the de facto certificate standard, and many applications support the X.509 specification.
Sample certificate
The certificate we see is usually a file named xxxx.crt or xxx.pem. Here we take the certificate used by the sample program in the Alicloud IoT Platform SDK as an example and look at the certificate content directly, as follows:
Apart from noticing that the characters are neatly arranged, we are left baffled: the file looks like a pile of random characters. So how do we analyze the content of this certificate? As mentioned earlier, the certificate is in a standard format (X.509). It is published openly and contains only the public key, so there is nothing confidential in it, and we can decode it with the same openssl tool that generates certificates. The command is as follows:
openssl x509 -in ali_crt.pem -inform pem -noout -text
The parsed contents are as follows:
ubuntu@VM-0-17-ubuntu:/opt/ssl$ openssl x509 -in ali_crt.pem -inform pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:00:00:00:00:01:15:4b:5a:c3:94
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
Validity
Not Before: Sep 1 12:00:00 1998 GMT
Not After : Jan 28 12:00:00 2028 GMT
Subject: C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:da:0e:e6:99:8d:ce:a3:e3:4f:8a:7e:fb:f1:8b:
83:25:6b:ea:48:1f:f1:2a:b0:b9:95:11:04:bd:f0:
63:d1:e2:67:66:cf:1c:dd:cf:1b:48:2b:ee:8d:89:
8e:9a:af:29:80:65:ab:e9:c7:2d:12:cb:ab:1c:4c:
70:07:a1:3d:0a:30:cd:15:8d:4f:f8:dd:d4:8c:50:
15:1c:ef:50:ee:c4:2e:f7:fc:e9:52:f2:91:7d:e0:
6d:d5:35:30:8e:5e:43:73:f2:41:e9:d5:6a:e3:b2:
89:3a:56:39:38:6f:06:3c:88:69:5b:2a:4d:c5:a7:
54:b8:6c:89:cc:9b:f9:3c:ca:e5:fd:89:f5:12:3c:
92:78:96:d6:dc:74:6e:93:44:61:d1:8d:c7:46:b2:
75:0e:86:e8:19:8a:d5:6d:6c:d5:78:16:95:a2:e9:
c8:0a:38:eb:f2:24:13:4f:73:54:93:13:85:3a:1b:
bc:1e:34:b5:8b:05:8c:b9:77:8b:b1:db:1f:20:91:
ab:09:53:6e:90:ce:7b:37:74:b9:70:47:91:22:51:
63:16:79:ae:b1:ae:41:26:08:c8:19:2b:d1:46:aa:
48:d6:64:2a:d7:83:34:ff:2c:2a:c1:6c:19:43:4a:
07:85:e7:d3:7c:f6:21:68:ef:ea:f2:52:9f:7f:93:
90:cf
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B
Signature Algorithm: sha1WithRSAEncryption
d6:73:e7:7c:4f:76:d0:8d:bf:ec:ba:a2:be:34:c5:28:32:b5:
7c:fc:6c:9c:2c:2b:bd:09:9e:53:bf:6b:5e:aa:11:48:b6:e5:
08:a3:b3:ca:3d:61:4d:d3:46:09:b3:3e:c3:a0:e3:63:55:1b:
f2:ba:ef:ad:39:e1:43:b9:38:a3:e6:2f:8a:26:3b:ef:a0:50:
56:f9:c6:0a:fd:38:cd:c4:0b:70:51:94:97:98:04:df:c3:5f:
94:d5:15:c9:14:41:9c:c4:5d:75:64:15:0d:ff:55:30:ec:86:
8f:ff:0d:ef:2c:b9:63:46:f6:aa:fc:df:bc:69:fd:2e:12:48:
64:9a:e0:95:f0:a6:ef:29:8f:01:b1:15:b5:0c:1d:a5:fe:69:
2c:69:24:78:1e:b3:a7:1c:71:62:ee:ca:c8:97:ac:17:5d:8a:
c2:f8:47:86:6e:2a:c4:56:31:95:d0:67:89:85:2b:f9:6c:a6:
5d:46:9d:0c:aa:82:e4:99:51:dd:70:b7:db:56:3d:61:e4:6a:
e1:5c:d6:f6:fe:3d:de:41:cc:07:ae:63:52:bf:53:53:f4:2b:
e9:c7:fd:b6:f7:82:5f:85:d2:41:18:db:81:b3:04:1c:c5:1f:
a4:80:6f:15:20:c9:de:0c:88:0a:1d:d6:66:55:e2:fc:48:c9:
29:26:69:e0
Certificate specification
Let's take the above parsed certificate as an example to introduce the contents of the certificate:
- Version: the version of the X.509 specification the certificate follows. The current version is 3, encoded as the value 0x02.
- Serial Number: the serial number assigned to the certificate by the issuing authority, at most 20 bytes. In this example it is 04:00:00:00:00:01:15:4b:5a:c3:94.
- Signature Algorithm: the algorithm used to sign the certificate. In this example it is sha1WithRSAEncryption.
- Issuer: the identification information (Distinguished Name) of the issuing authority, which can be read as its address, name and similar details. The abbreviations are: C: country name; ST: state or province name; L: locality name; O: organization name; CN: common name. CN is the most important field, since it names the issuing authority.
- Validity: the validity period of the certificate, with a start time (Not Before) and an end time (Not After). It is discussed further below.
- Subject: the identification information (Distinguished Name) of the certificate owner, in the same format as the Issuer.
- Subject Public Key Info: the information about the public key being certified: Public Key Algorithm: the algorithm the public key uses; Subject Public Key: the content of the public key itself (here the RSA modulus and exponent).
- Issuer Unique Identifier: unique information identifying the issuer. Only supported in versions 2 and 3; optional.
- Subject Unique Identifier: unique information identifying the entity that holds the certificate. Only supported in versions 2 and 3; optional.
- Extensions (optional): optional extensions, which may include: Subject Key Identifier: the key identifier of the entity, used to tell apart multiple key pairs belonging to the same entity; Basic Constraints: whether the certificate belongs to a CA; Authority Key Identifier: the identifier of the issuer's public key; CRL Distribution Points: the address from which the revocation list is published; Key Usage: the purposes or functions the certificate may be used for.
In addition, the certificate issuer also needs to use its own private key to add a signature to the certificate content to prevent others from tampering with the certificate content.
Validity: the validity period of the certificate. When a certificate is verified, the verifier checks whether the machine's current time falls within the certificate's validity period. This is easy to overlook: on some embedded devices the system clock is not treated as important and may not reflect the real time, and in that case certificate verification fails.
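As an added example (not part of the original article, and not code from mbedtls or OpenSSL), the Python script below builds a constructed certificate whose serial number, names and validity dates are copied from the openssl output above (the key and signature are dummy bytes), parses the fields listed above back out of the DER encoding, and checks the validity period against a clock supplied as a Unix timestamp, the way an embedded device's RTC would provide it. The encoder, the parser and the sample certificate are assumptions of this example, not the article's own code.

```python
# Added example (not from the original article): a minimal DER walker that
# extracts version, serial, issuer, subject and validity from an X.509
# certificate and checks the validity window against a supplied clock.
# SAMPLE_CERT is CONSTRUCTED here with a dummy key and dummy signature; only
# its serial, names and dates come from the openssl output in the article.
from datetime import datetime, timezone

# ---- tiny DER encoder, used only to build the constructed sample ----
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def name(**rdns):  # each keyword is one RDN: SET { SEQUENCE { OID, PrintableString } }
    oids = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}
    return seq(*(tlv(0x31, seq(tlv(0x06, oids[k]), tlv(0x13, v.encode()))) for k, v in rdns.items()))

SHA1_RSA = tlv(0x06, bytes.fromhex("2a864886f70d010105"))  # OID 1.2.840.113549.1.1.5
RSA_ENC = tlv(0x06, bytes.fromhex("2a864886f70d010101"))   # OID 1.2.840.113549.1.1.1
GLOBALSIGN = dict(C="BE", O="GlobalSign nv-sa", OU="Root CA", CN="GlobalSign Root CA")

SAMPLE_CERT = seq(
    seq(                                                     # tbsCertificate
        tlv(0xA0, tlv(0x02, b"\x02")),                       # [0] version: v3 is encoded as 2
        tlv(0x02, bytes.fromhex("040000000001154b5ac394")),  # serialNumber from the article
        seq(SHA1_RSA, tlv(0x05, b"")),                       # signature algorithm
        name(**GLOBALSIGN),                                  # issuer
        seq(tlv(0x17, b"980901120000Z"), tlv(0x17, b"280128120000Z")),  # validity (UTCTime)
        name(**GLOBALSIGN),                                  # subject (self-signed root)
        seq(seq(RSA_ENC, tlv(0x05, b"")), tlv(0x03, b"\x00" + b"\xAA" * 16)),  # SPKI, dummy key
    ),
    seq(SHA1_RSA, tlv(0x05, b"")),
    tlv(0x03, b"\x00" + b"\xBB" * 16),                       # dummy signature, never verified here
)

# ---- DER decoder ----
def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the definite-length TLV at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long form: low bits give the byte count of the length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

OID_NAMES = {b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L",
             b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN"}

def parse_name(body):
    parts = []
    for _, rdn in children(body):              # each SET
        for _, atv in children(rdn):           # each AttributeTypeAndValue
            (_, oid), (_, val) = children(atv)
            parts.append(f"{OID_NAMES.get(oid, oid.hex())} = {val.decode()}")
    return ", ".join(parts)

def parse_time(tag, val):
    s = val.decode()
    if tag == 0x17:                            # UTCTime YYMMDDHHMMSSZ: 50-99 => 19xx (RFC 5280)
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)  # 0x18 is already YYYY...

def parse_certificate(der):
    _, body, _ = der_read(der)
    tbs, _sig_alg, _sig = children(body)
    fields = children(tbs[1])
    version = 1
    if fields[0][0] == 0xA0:                   # explicit [0] version is absent for v1
        version = int.from_bytes(children(fields.pop(0)[1])[0][1], "big") + 1
    serial, _alg, issuer, validity, subject = fields[:5]
    (nb_tag, nb_val), (na_tag, na_val) = children(validity[1])
    return {"version": version, "serial": serial[1].hex(":"),
            "issuer": parse_name(issuer[1]), "subject": parse_name(subject[1]),
            "not_before": parse_time(nb_tag, nb_val), "not_after": parse_time(na_tag, na_val)}

def validity_status(cert, now_unix):
    """The check a TLS stack performs on its own clock (given as time_t seconds)."""
    now = datetime.fromtimestamp(now_unix, timezone.utc)
    if now < cert["not_before"]:
        return "not yet valid"
    if now > cert["not_after"]:
        return "expired"
    return "valid"

if __name__ == "__main__":
    info = parse_certificate(SAMPLE_CERT)
    for k, v in info.items():
        print(f"{k}: {v}")
    # A board whose RTC was never set boots at the Unix epoch; the 1998
    # notBefore then makes this perfectly good root look "not yet valid".
    print("clock at epoch ->", validity_status(info, 0))
    print("clock in 2020  ->", validity_status(info, 1_590_000_000))
    print("clock in 2030  ->", validity_status(info, 1_900_000_000))
```

Running the script prints the parsed fields in the same form as the openssl output, then the three clock cases: a device whose clock sits at the epoch rejects the certificate as not yet valid, which is exactly the embedded failure mode described above, while a correctly set clock in 2020 accepts it and a clock past Jan 28 2028 reports it expired.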
Reference article:
ssl security certificate knowledge