Generating Signed Certificates (Part 1 – What & Why?)

Have you ever needed to install a certificate but were unsure how to do it? Are you confused about the relationship between the private key, the public key and the CSR, or by the various certificate formats? If so, this series of posts discusses the key certificate concepts, includes a detailed step-by-step guide on how to generate a signed certificate, and clearly explains how these components relate to each other.

What is a Certificate?

In simple terms, a certificate is a digitally signed document that authoritatively asserts the identity of an individual or organization. It contains a public key plus additional metadata describing the certificate and its owner. The certificate is issued and signed by a certificate authority (CA), which validates the metadata in the Certificate Signing Request (CSR) before issuing the certificate. The exact validation steps vary depending on the certificate type.

For example, in the image below we can see the certificate for http://www.arubanetworks.com. The public key is clearly shown as part of the certificate. Other “metadata” such as the validity period, Subject Key Identifier, Subject Alternative Names and Key Usage are also part of the certificate. In this case the certificate is signed by a trusted certificate authority, DigiCert Secure Site ECC CA-1.

Why is a certificate needed?

In cryptography, there are two main types of encryption techniques: symmetric and asymmetric. Each has its own advantages and disadvantages.

In brief, symmetric encryption uses the same key for encryption and decryption, while asymmetric encryption uses two different keys: the public key is shared and the private key is kept secret. In general, symmetric encryption is faster than asymmetric encryption; the challenge is how to securely share the “same key” between the two parties.

That is why it is very common to combine the advantages of both techniques: the asymmetric technique is used to securely establish a “session key”, which both parties then use to encrypt the data with symmetric encryption, as shown below.
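The following is an added example, not part of the original post, that runs the hybrid scheme above with the openssl command-line tool. The two parties (“alice” and “bob”) and the third party “mallory” are made up for the demo, and the concrete choices (ECDH on prime256v1 for the asymmetric part, SHA-256 to turn the shared secret into a session key, AES-256-CBC for the bulk data) are this example's assumptions, not something the post prescribes.

```sh
#!/bin/sh
# Added example: hybrid encryption with the openssl CLI.
# Each party keeps a private key; only public keys are exchanged. Both sides
# derive the same session key (asymmetric step), then AES does the real work.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Generate an EC key pair for one party. Only the .pub file is ever shared.
gen_keypair() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
  openssl pkey -in "$1.key" -pubout -out "$1.pub"
}

# ECDH: own private key + peer's public key -> shared secret. Hashing the raw
# secret with SHA-256 gives a 256-bit session key as 64 hex characters.
derive_session_key() {
  openssl pkeyutl -derive -inkey "$1.key" -peerkey "$2.pub" \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Bulk data: AES-256-CBC under the derived key. Decryption needs the same key
# and the same IV (the IV is not secret and travels with the ciphertext).
encrypt_file()   { openssl enc -aes-256-cbc -K "$1" -iv "$2" -in "$3" -out "$4"; }
decrypted_text() { openssl enc -d -aes-256-cbc -K "$1" -iv "$2" -in "$3"; }

gen_keypair alice
gen_keypair bob
gen_keypair mallory   # a third party who only ever sees the public keys

ALICE_KEY=$(derive_session_key alice bob)
BOB_KEY=$(derive_session_key bob alice)
MALLORY_KEY=$(derive_session_key mallory alice)   # a different secret

# Constructed sample message (made up for this demo).
printf 'meeting moved to 10:00, room 4B\n' > msg.txt
IV=$(openssl rand -hex 16)
encrypt_file "$ALICE_KEY" "$IV" msg.txt msg.enc

echo "alice and bob derived the same key: $([ "$ALICE_KEY" = "$BOB_KEY" ] && echo yes || echo no)"
echo "mallory derived the same key:       $([ "$MALLORY_KEY" = "$ALICE_KEY" ] && echo yes || echo no)"
echo "bob decrypts: $(decrypted_text "$BOB_KEY" "$IV" msg.enc)"
```

Note what this exchange does and does not give you: the session key never crosses the wire, so a passive observer of the two public keys cannot recover it, but alice has no way of knowing that the public key she received really came from bob rather than from someone in the middle. That missing piece, binding a public key to an identity, is exactly what the certificate provides.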

Therefore, the role of the certificate is to help the client (user) verify the identity of the resource it is trying to access (Aruba in this case). The client does not need any prior knowledge of Aruba (no pre-shared symmetric key is needed). Public key cryptography, also known as asymmetric encryption, is used to verify the identity of the resource being accessed, based on the certificate issued to that identity. The user only needs to trust the certificate authority / root authority that issued the certificate.
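As an added example that is not part of the original post, the script below walks the whole relationship described in this post with the openssl command-line tool: a private key, the CSR that carries its public key and the claimed identity, the CA that signs it, and finally the client-side check that the certificate chains to a trusted root and names the host the client meant to reach. The CA names and the hostname www.example.test are made up for the demo, and the 2048-bit RSA keys and the extensions added by the CA are this example's choices, not something the post prescribes.

```sh
#!/bin/sh
# Added example: private key -> CSR -> CA-signed certificate -> client check.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# 1. The certificate authority: a private key and a self-signed root
#    certificate. This root is what the client will be asked to trust.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -days 365 -subj "/CN=Example Root CA" >/dev/null 2>&1

# 2. The server: its own private key, and a CSR carrying the matching public
#    key plus the identity it claims. The private key never leaves the server.
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=www.example.test" >/dev/null 2>&1

# 3. The CA validates the request (here: only the name), adds the metadata it
#    is willing to assert (SAN, key usage), and signs. The output is the cert.
cat > server.ext <<'EOF'
subjectAltName = DNS:www.example.test
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 90 -extfile server.ext -out server.crt >/dev/null 2>&1

# An unrelated CA, to show that trust in one root says nothing about another.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
  -days 365 -subj "/CN=Some Other CA" >/dev/null 2>&1

# SHA-256 of the public key as read from a private key file / from a cert.
pubkey_from_privkey() { openssl pkey -in "$1" -pubout | openssl dgst -sha256 | awk '{print $NF}'; }
pubkey_from_cert()    { openssl x509 -in "$1" -pubkey -noout | openssl dgst -sha256 | awk '{print $NF}'; }

# The client-side check: does the cert chain to the CA we trust ($1), and does
# the name inside it match the host we intended to reach ($3)?
verify_cert() { openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; }

echo "public key in server.crt matches server.key: $([ "$(pubkey_from_cert server.crt)" = "$(pubkey_from_privkey server.key)" ] && echo yes || echo no)"
openssl x509 -in server.crt -noout -subject -issuer -dates -nameopt RFC2253
verify_cert ca.crt    server.crt www.example.test  && echo "trusted CA, expected name: accepted"
verify_cert other.crt server.crt www.example.test  || echo "untrusted CA: rejected"
verify_cert ca.crt    server.crt evil.example.test || echo "name mismatch: rejected"
```

The two negative checks at the end are the ones that matter in practice: a certificate is only as good as the root it chains to, and a valid certificate for the wrong name must still be rejected, which is why the client compares the Subject Alternative Names against the hostname it actually connected to.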

In the next post, we will discuss the process on how to generate signed certificates using OpenSSL.
