Scribd
Upload
10 views5 pages

Tutorial9 Digital Certificate

This document provides an overview of digital certificates, explaining their components, the role of Certificate Authorities (CAs), and their use in secure communication protocols like TLS/SSL. It includes a tutorial on creating self-signed certificates using OpenSSL on Ubuntu, as well as a demonstration of a simple TLS server and client implemented in Python. Key points emphasize the binding of public keys to identities, certificate verification, and the tools utilized for these processes.

Uploaded by

Minh Quang Hoàng
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
10 views5 pages

Tutorial9 Digital Certificate

This document provides an overview of digital certificates, explaining their components, the role of Certificate Authorities (CAs), and their use in secure communication protocols like TLS/SSL. It includes a tutorial on creating self-signed certificates using OpenSSL on Ubuntu, as well as a demonstration of a simple TLS server and client implemented in Python. Key points emphasize the binding of public keys to identities, certificate verification, and the tools utilized for these processes.

Uploaded by

Minh Quang Hoàng
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 5

TUTORIAL 9 – DIGITAL CERTIFICATE

1. Introduction to Digital Certificates

1.1 Conceptual Overview

• A Digital Certificate is an electronic document used to prove the ownership of a


public key.
• It binds a public key to an entity's identity, signed by a trusted Certificate Authority
(CA).
• Used in protocols like TLS/SSL to enable secure communication over insecure
networks.
• Standardized by the X.509 certificate format.

1.2 Key Components of a Digital Certificate

• Subject: Entity owning the certificate (person, organization, device).


• Public Key: The entity's public key.
• Issuer: The CA issuing and signing the certificate.
• Validity Period: Certificate lifetime.
• Signature: CA’s digital signature over certificate contents.

1.3 Certificate Authorities (CAs)

• Trusted third parties that issue and sign certificates.


• Root CAs sign intermediate CAs, forming a chain of trust.
• Verification involves checking signatures up the trust chain.

2. Tools & Setup on Ubuntu


Install OpenSSL and required tools:

sudo apt update


sudo apt install openssl
3. Demonstration 1: Creating and Using Self-Signed
Certificates
We create a CA, generate a server certificate signed by that CA, and verify the certificate.

3.1 Step 1: Create a Root CA

# Generate private key for CA


openssl genpkey -algorithm RSA -out ca.key -aes256 -pass pass:capassword

# Create self-signed root certificate valid for 1 year


openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crt \
-passin pass:capassword \
-subj "/C=US/ST=NY/L=New York/O=Example CA/CN=example-ca"

3.2 Step 2: Create Server Private Key and CSR

openssl genpkey -algorithm RSA -out server.key

openssl req -new -key server.key -out server.csr \


-subj "/C=US/ST=NY/L=New York/O=Example Server/CN=localhost"

3.3 Step 3: Sign Server CSR with CA

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-out server.crt -days 365 -sha256 -passin pass:capassword
3.4 Step 4: Verify the Certificate

openssl verify -CAfile ca.crt server.crt

Expected output:

makefile
Copy
server.crt: OK

4. Demonstration 2: Simple TLS Server and Client Using


Created Certificates
We use Python’s ssl module to create a TLS server and client that use the generated
certificates for secure communication.

4.1 Python TLS Server (tls_server.py)

import socket
import ssl

HOST = '127.0.0.1'
PORT = 8443

context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain(certfile='server.crt', keyfile='server.key')
context.load_verify_locations(cafile='ca.crt')
context.verify_mode = ssl.CERT_REQUIRED # Require client cert for mutual TLS (optional)

with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as sock:


sock.bind((HOST, PORT))
sock.listen(5)
print(f"TLS server listening on {HOST}:{PORT}")
with context.wrap_socket(sock, server_side=True) as ssock:
conn, addr = ssock.accept()
print(f"Connection from {addr}")

data = conn.recv(1024)
print("Received:", data.decode())

conn.sendall(b"Hello, secure client!")

4.2 Python TLS Client (tls_client.py)

import socket
import ssl

HOST = '127.0.0.1'
PORT = 8443

context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile='ca.crt')


context.load_cert_chain(certfile='server.crt', keyfile='server.key') # Optional for mutual
TLS

with socket.create_connection((HOST, PORT)) as sock:


with context.wrap_socket(sock, server_hostname='localhost') as ssock:
print(f"Connected to {HOST}:{PORT} with {ssock.version()}")

ssock.sendall(b"Hello, secure server!")


data = ssock.recv(1024)
print("Received:", data.decode())

4.3 Running the Example

1. Run the server:


python3 tls_server.py

2. In another terminal, run the client:

python3 tls_client.py

Expected output:

• Server prints received message from client.


• Client prints received message from server.
• Communication is encrypted and authenticated via digital certificates.

5. Summary and Key Points


Aspect Description
Digital Certificate Binds public key to identity with CA signature
Generate key pairs, CSR, sign with CA (self-signed or
Certificate Creation
trusted)
Verification Verify certificate chain and signatures
TLS Communication Use certificates for encrypted, authenticated channels
Tools Used OpenSSL for certificates, Python ssl module for demo

You might also like