These days, pretty much every website has to use Secure Sockets Layer or SSL technology to secure network traffic, but this wasn't always the case. In 2016, 14% of popular websites forced HTTPS connections, but a year later, that number had already more than doubled to 31%. Today, more than half of websites require HTTPS to be used when making a connection, which allows data sent back and forth to travel securely over an encrypted connection that an adversary cannot listen in on.
It's hard to know where to start with an introduction to this material, but I'll be making references to the family of standards used in SSL, which are called the Public-Key Cryptography Standards (PKCS).
I've read a few textbooks to try and better understand SSL, and the place I felt it was explained best was Chapter 8.6 of the "Computer Networking: A Top-Down Approach (7th Edition)" by James F. Kurose and Keith W. Ross.
There are two common ways to encode the files containing certificates and keys:
Privacy Enhanced Mail or PEM encoding, which uses a base-64 ASCII encoding of the ASN.1 format. Its implementation was specified in RFC 7468.
Distinguished Encoding Rules or DER encoding, which is the shortest possible binary representation of the underlying cryptographic data. Much like PEM encoding, it too uses the ASN.1 format.
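How the two encodings relate, as an added example that is not from the original page: it unwraps RFC 7468 PEM armor into the DER bytes underneath and checks the outer ASN.1 length header, so a truncated or padded block is rejected. The function names and the toy sample values are assumptions constructed for illustration.

```python
import base64
import re

# RFC 7468 textual encoding: matching BEGIN/END label lines around Base64 of DER.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)

# PEM labels for the formats mentioned on this page.
LABEL_MEANING = {
    "RSA PRIVATE KEY": "PKCS #1 private key",
    "PRIVATE KEY": "PKCS #8 private key",
    "CERTIFICATE REQUEST": "PKCS #10 CSR",
    "CERTIFICATE": "X.509 certificate",
}

def der_to_pem(der: bytes, label: str) -> str:
    """Wrap DER bytes in PEM armor (64-character Base64 lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

def der_total_length(der: bytes) -> int:
    """Return the size (header + content) that the outer DER header declares."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_blocks(text: str):
    """Yield (label, der) for every PEM block; reject truncated or padded DER."""
    for label, body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if der_total_length(der) != len(der):
            raise ValueError(f"{label}: DER length mismatch")
        yield label, der

# Constructed toy DER values (SEQUENCE { INTEGER }), not real certificates.
SAMPLE_BUNDLE = (der_to_pem(bytes.fromhex("3003020105"), "CERTIFICATE")
                 + der_to_pem(bytes.fromhex("3003020107"), "CERTIFICATE"))

if __name__ == "__main__":
    for label, der in pem_blocks(SAMPLE_BUNDLE):
        print(LABEL_MEANING.get(label, label), der.hex())
```

The same `pem_blocks` function splits a file holding several concatenated PEM blocks into its individual DER structures.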
Find the path to the SSL's configuration file:
This is a walkthrough for creating certificate signing requests (CSRs) using either
Creating a certificate signing request using
gpgsm --generate-key --output request.csr
# Select the option to use an existing key, keeping your keygrip handy
# When it asks you for some info, provide something similar to the line below
# 'CN=austin.jp,C=US,ST=California,L=Los Angeles,O=austin.jp'
Creating a Certificate Signing Request requires a key. This key can be encoded in a variety of formats, including PKCS #1 and PKCS #8. using
# Using PKCS #1 private key
openssl req -new -key id_pkcs1 > REQUEST.CSR
# Using PKCS #8 private key
openssl req -new -key id_pkcs8 > REQUEST.CSR
Submitting a Certificate Signing Request
certbot certonly --standalone --csr REQUEST.CSR
If this certificate were ever compromised, you would issue a revocation certificate. I'm not sure what you do next, however; it's unclear to me whether you'd want to update a certificate revocation list or to update the certificate authority's responder facilitating Online Certificate Status Protocol (OCSP) transmissions.
Generating a Revocation Certificate
gpg --gen-revoke email@example.com > revocation.crt
The certbot command, provided by GNU Let's Encrypt, allows you to obtain a signature for use with SSL. You can either allow the certbot program to create its own private key locally, or provide one manually.
certbot can submit a Certificate Signing Request or CSR to a Certificate Authority or CA.
Receive a certificate by submitting a CSR to
certbot certonly --standalone --csr request.csr
After you've done this, you'll receive three files
Go ahead and delete the first two; you'll only need 0001_chain.pem, which is a simple concatenation of the previous two files. It's the combination of the server certificate and the intermediate certificate, which, when used together, allow you to verify your identity.
rm 0000_cert.pem 0000_chain.pem
mv 0001_chain.pem fullchain.crt