Certificates

What are x509 certificates?

• International Telecommunication Union (ITU) standard format
• Used for TLS
• Allow cascading trust of devices and services to be established

The trust model

• Certificate Authorities (CAs) are certificates that can sign other certificates
• CAs can sign other CAs and so on, as well being able to sign end-entity (leaf) certificates
• Leaf certificates cannot sign other certs
• OSes and applications (ex Firefox) will ship with trusted "root" CAs
• You can add additonal trusted root CAs

X.509 format

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            7c:ae:4d:1c:51:ef:6a:4c:aa:ee:b5:39:e9:78:7a:17:c0:4c:51:ef
        Signature Algorithm: ecdsa-with-SHA512
        Issuer: CN=OSUSEC root CA
        Validity
            Not Before: Feb  5 00:59:16 2025 GMT
            Not After : Feb  3 00:59:16 2035 GMT
        Subject: CN=OSUSEC root CA
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:d0:5c:93:61:b1:66:e4:41:68:82:44:88:0c:ab:
                    e2:37:c4:05:ec:02:12:2c:b4:bb:29:6d:b8:f2:af:
                    77:1e:81:29:3b:22:57:a6:97:d1:cc:48:00:ed:5d:
                    41:28:9d:15:fc:c3:3e:3d:0f:1a:1a:67:ab:c8:fe:
                    bf:69:10:4b:a1
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Name Constraints: critical
                Permitted:
                  IP:10.0.0.0/255.0.0.0
                  DNS:.damsec.org
                  DNS:.osusec.net
                  DNS:.osusec.org
            X509v3 Subject Key Identifier:
                09:FA:81:A1:6C:F4:6C:82:3A:C6:E1:12:99:32:13:F0:2A:3F:15:60
    Signature Algorithm: ecdsa-with-SHA512
    Signature Value:
        30:44:02:20:2c:97:7d:e4:b6:ac:14:b4:37:18:df:fc:6b:82:
        b6:d6:d7:3b:16:6c:44:2e:1a:cf:3b:2b:aa:01:f5:8c:1d:a2:
        02:20:02:82:f9:6e:38:a0:de:f3:e1:21:bb:1b:2f:79:cc:95:
        c1:ba:39:c0:45:91:e0:df:7b:d2:eb:b6:dd:cb:60:bb

Why you should care

• Encryption is good to have
  • Gremlins can be sniffing your network
• Knowing who you are implicitely trusting can be useful
• Encypting traffic between your services can be done easily
• There is little overhead for encryption now

Using certificates

• You can purchase certificates for $$$
• You can use ACME and LetsEncrypt
• Self-signed certificates
• Create your own CA

Self signed cert example

ACME certs

• Automatic Certificate Management Environment (ACME) is a protocol for interacting with CAs
• Multiple free CAs that will provide leaf certificates:
  • LetsEncrypt
  • ZeroSSL
• Many tools to automate ACME:
  • Certbot
  • acme.sh
  • Traefik
  • Caddy
  • step-cli

Creating your own certificates

• openssl can create certificates
  • Good for small scale certificate creation
  • Allows for fine grain control of certificate properties
• SmallStep can act as a CA autority and supports ACME
  • More effort to set up
  • Can be used to automatically provision certificates for services
  • Automates away most of the tedious tasks
• Tailscale can provide certificates for services

Creating your own ACME server with SmallStep

Demo time!