Certificates from Scratch - X.509 Certificates explained
Vložit
- čas přidán 29. 04. 2024
- What are X.509 Certificates? What is a "Certification Authority" or CA? How can we create our own CA? How can we sign our own Server certificates? How does LetsEncrypt work? How do private and public keys work? What is a certificate Chain or a Chain of Trust? The answers are in this video.
The XCA Tool can be obtained here: hohnstaedt.de/xca/
More Info on my Cheat Sheet Repo here: github.com/onemarcfifty/cheat...
0:00 about certificates
2:42 Certificate Chains / CA
7:15 private keys
9:14 how do private/public keys work?
12:38 how does Letsencrypt work ?
14:18 We create our own CA and certificates
16:42 When and how to use a self signed CA
CZcams: / onemarcfifty
Twitter: / onemarcfifty
Discord: / discord
Github: github.com/onemarcfifty
Patreon: / onemarcfifty
Blog: www.onemarcfifty.com - Věda a technologie
Excellent, there are not many well-explained X.509 certificate videos online, this is super valuable, and thank you for putting this series together, looking forward to the next one.
Thank you very much!
His explanations are the best!
Thanks. Now I understand TLS altogether.
While I understand the certificates now, I should have had this video on my playlist ~5 years ago. This is excellent. I'll use your channel to recommend to my team - your IPv6 videos rock, so does your OpenWRT tutorials. Keep it up! Thanks for the effort.
Hi Robert, thank you very much!
Excellent stuff Marc. Thanks!!!
Thank you sooo much Marc. This is easily one of the best explanations about certificates I’ve come across.
Great content and presentation. Not only that, you just seem like a genuinely nice person. Subscribed.
Marc my friend, this is an outstanding video! Wow, I wish I had seen this about 2 years ago. Now I totally understand certificates. Thank you so very much! You are an excellent teacher!
Simply amazing! Looking forward to see an espisode on key management and distribution.
Always love when I see a new video drop, these are gold
Awesome - thanks a lot ;-)
What a coincidence! I was, this morning, looking at possibilities of using Certificates for authentication on SSH connection. And you start a new serie on Certificates right at that time!!! I'm SOOO looking forward to see the rest of the serie! Thanks!
Hi Alexandre - great minds think alike ;-)
You did a great job explaining this while showing the video the whole process so everybody can follow all the use cases and security concerns. Thank you so much!
Glad it was helpful! Thank you so much!
Nice! Marс, you have a talent to explain complex things in simple terms
Thank you very much Konstantin!
you are born to teach ! a great video and up to your usual, fantastically high standards... looking forward to the continuation of this series... many thanks Marc.
Hi Damien, thank you very much! the next episodes will come out next Monday(s) at 5 PM Berlin time ;-)
This is fantastic! Thank you for making the topic so easy to understand. Certificates are certainly something I struggle with a lot!
Hi Rodrigo - it was exactly the same for me until I bought a book on the topic ;-) All I do is share my learnings from it really ;-)
Really great video. Loved the way he explained the entire process.
i've been looking for good explanation of that topic for a while. This is incredible good one. Thank you!
Glad you enjoyed it! Many thanks for the feedback!
Besser als ich dachte
Man merkt, da hat man sicht richtig viel Mühe gegeben!
Excellent explanation! Thank you so much for the effort.
Best video describing certificates that I have ever seen.
Thank you so much Marc. I think your explanation is the simplest and clearest one I've ever dealt with.
I don't see the time when you will public next episodes.
Hi Gabriele, it will be today - Monday at 5 PM Berlin time. the third episode will be next week, same time.
Great job again Marc ! I can't wait for the next episode on the keys management, I'm struggling with that for month.
Hi Thibault, what's your use case ? Do you want to manage keys for multiple people ? Have a look at OpenXPKI for example.
@@OneMarcFifty Hey Mark ! Thanks for your reply. I'm self learning certificates on a Mikrotik router and I try to figure out what key usage for which purpose. Can you give examples ?
Amazing video, I am studying for my exam and this video helped me understand the process alot better!
You saved me 200 USD. Thanks so much!
Awesome video, incredibly helpful, thankyou!
Practical approach and clear as always. Thank you.
Thank you very much ;-)
Amazing class as usual Marc,
Thanks!!
Juan.
Hi Juan, many thanks!
Really awesome explanation. I've watched many of these tutorials and this is the best.
Hi, thank you so much. I am glad that you liked it !
I learned a lot from the info you provided. CA and CA. Best of the best. Thank you sir☺☺
Awesome, glad it could help ;-) Thank you !
Thanks Marc!
Finally i understand this, ehat incredible class!!
well explained, thanks
Thank you so much, it's very clear now :)
You are a wonderful teacher
Hi Lakshamanan, thank you so much!
Great content ! Thank you!
Really well done, thank you so much and kudos for your channel
Hi Luca, many thanks for the feedback!
Dude well done. Put link to playlist or next video too please.
Amazing video thanks for share all your knowledge, in this simple way, you makes look all so easy and simple...
My pleasure 😊 Glad you liked it!
thx Mark... as always... high value information... 🙂;-)
Thank you very much ;-)
Well done Marc… Danke schun…
That bass is amazing
Thanks Conrad ;-)
that is amazing !
YEEEEEEEEEEEEEEEESSSSSSSSSSS I just stumbled on this recently so now Im interested to learn it and behold, one of the greatest teaching channels on youtube drops a video on it perfect!
Awesome - many thanks ;-)
Awesome!!! thank you
When is the next episode up? Tomorrow?
Excellent content as usual!
Thank you ;-) Next Monday !
Hi, thanks for the video. I was following your instruction using XCA tool but it doesn't show the treeview for some reason. There is a plain view/tree view button but it doesn't show the tree view either. Not sure what I am doing wrong.
Thanks this was really helpfull!
Hi Tim, glad it helped, many thanks!
Hi Tim, glad it helped, many thanks!
Hi Tim, glad it helped, many thanks!
Great vid! I hope in the future you might want to explain how to use/setup SCEP and OCSP. I've been struggling to use openssl for signing certs for my WPA2 enterprise at home. It worked okay last year but this year my iOS phone does not want to trust the certificate while it does have the CA cert pushed and trusted via MDM.
Hi Joey, I might have a look into those - thanks for the hint ;-)
Csr has private and public key??? Does CA sign the certificate with servers private key? Or servers private and public key???
8:49, Public key of R3 isn't stored on the onemarcfifty certificate to verify the signature on it. It's stored on it's own certificate which is a part of the certificate chain.
The private key of R3 is used to generate the signature present on the onemarcfifty certificate during the CSR. This signature can be verified using the public key present on R3 certificate during verification. Isn't this correct?
Hi Marc! Excellent video as usual, thanks for the tidy knowledge!
Could you explain how to apply this solution to remote access OpenWrt?
Hi Danilo, you mean remote accessing the Web interface (LuCI) from the internet, correct? You would need a reverse proxy running on the router and requesting client Certificates for that.
I have a use case for self signed certificates. Old style FTP sends everything in clear text. If I configure my server with a certificate, it becomes a FTPS server like using a certificate turns HTTP into HTTPS. At times one only wants to avoid sending everything in an easily read form, on an internal network Self signed certs can be more a tool for privacy rather than the tight trust and security a bank or commercial business requires.
Hi Jeffrey, great use case - thanks for sharing ;-)
GREAT to say the least, watched so many videos but the concents u cleared, WoW. howcome this is all free ? any place I can donate ?
Well explained, I am getting more and more understanding of certificates. One point I do not understand is about X509 is the naming standard or what kind it is.
Certificate is a general word and so can have many meanings and take many forms. For example, a high school diploma is a certificate. "X.509" is the specific standard (set by the International Telecommunication Union/ITU) for certificates of this type and format. So while a "Certificate" can take any shape and form, a "X.509" certificate will only take a specific shape and form that makes it compatible anywhere X.509 certificates are used/accepted. X.509 is the standard used for SSL/TLS so any valid SSL certificate will be a X.509 compliant certificate.
Big brother coming if we give all authority, to government with a blind trust. Trust is paramount. how many still have absolute trust in all that is government given their performance over the last 3 years, and still is ongoing to this day,
Hi, many thanks for your feedback. Please do however keep in mind that neither TLS certificates nor Certification Authorities have anything to do with the government - those are independent companies really.
@@OneMarcFifty all technology is created by DARPA n given to AWS GCP and Microsoft….GillBates moron couldn’t invent anything but the harvard dropout is a good story…
Please do video on Tailscale on OpenWRT
Hi, I usually do not make videos about 3rd party services. I will however make a video on WireGuard troubleshooting soon.
I still don't get what a signature is 😅
Hello,
Great video, you cover some topics that aren't covered very well in CZcams. 2 questions I have:
1. What exactly is an X509 certificate? You never mention that explicitly. What are the other types of certificates?
2. In your "How Does LetsEncrypt Work" section, it's a little confusing how a CA verifies the host. How does a DNS lookup verify that the person who requests a certificate owns the domain? Can't I just go to the LetsEncrypt website and request a certificate for Google? How does a DNS lookup prove that the requester controls that IP?
(1) X.509 is ruled by RFC 5280. Alternate Certificates are e.g. PGP. In a nutshell an X.509 Cert is a public key plus some text around it (Issuer, purpose, Validity etc.) that is SIGNED with the private key of the CA. (2) There is no verification of the person, only the host. Let's say you request a cert for abcde.google.com from your host with IP x.x.x.x - Letsencrypt would then do a DNS Lookup for abcde.google.com - but as they won't get your IP in return (because you can't make an A entry in Google's DNS), they know that you are NOT in control of google.com.
@@OneMarcFifty So does that mean that the server that contains the website files (the host) must be the one to make the request for the certificate? In practice, I'd assume that someone would need to physically open a browser in the host, navigate to LetsEncrypt website and fill out their form? From what you've described I can't use my development computer to request a certificate for a server storing the website right?
That’s correct. The request needs to be made from the server that the DNS name points to. You could however copy that certificate to a server in your LAN wit the same name there.
In the first part of the video where you download a certificate in chrome, you mention that you are downloading it in pkcs7 format. Is this format just the default in Chrome, or did you do something in Chrome to select the format?
Great video also. You just found yourself a new subscriber :-)
Hi, I just found it was easier to add to chrome in PKCS7 - you could use PEM full chain as well. Works easier with Firefox
Awesome, many thanks !!!
@@OneMarcFifty Thx for the reply. Is there any specific reason for this? I'm really confused about the different certificate and key formats, so I'm trying to learn what the differences are and what they are used for.
@@duskern It's historic mainly - different applications over time have used different formats. See this article here for a comparison comodosslstore.com/resources/a-ssl-certificate-file-extension-explanation-pem-pkcs7-der-and-pkcs12/
I've always thought of a certificate as being a public key (with private key optionally included, if you have it) that has additional "properties", including proof of who issued the certificate, and what the certificate can be used for. The whole topic of what a certificate can be used for is confusing. I know about web services and code signing, but there seems to be a lot of other uses that I'm not so familiar with.
Hi Brian, you are right - a certificate is basically a public key with some text around. In order to use it, you need a private key. Just - another key pair comes into play - the CA that signed it. And if you trust that CA then you can trust the certificate.
@@OneMarcFifty can you do a video on the certificate use property?
@@OneMarcFifty So if you make a forgetry of this CERTIFICATE you should be im legal prosecution...but my wife ist Advisor, Barrister not my business 🤔
I am sorry - I don’t really understand you. What is forgetry? What does Barrister mean?
@@OneMarcFifty i think he meant "forgery". Which isn't really possible. I didn't follow the rest either.
Too many adds
hi , can i contact you pls ?
No
@@rahulsingh-iq4gd No !!! 🤔
@@xyz3188 bhai sooja 😂