Secure Communication - Learning Module

Loading content...

0/227

Certificate Authorities

The Trust Brokers of the Internet

When you visit https://bank.example.com, how does your browser know it's actually communicating with your bank and not a sophisticated imposter? The answer lies in a global infrastructure of trust called the Public Key Infrastructure (PKI), at the heart of which stand Certificate Authorities (CAs).

Certificate Authorities are trusted third parties that vouch for the binding between public keys and identities. When your browser sees a certificate signed by a CA in its trust store, it accepts that the public key in the certificate genuinely belongs to the entity named in the certificate.

This trust model has enabled secure e-commerce, online banking, and private communication for billions of users. Yet it remains one of the most criticized components of internet security—a single compromised CA can undermine trust in the entire system. Understanding how CAs work, what they protect against, and their limitations is essential for any security practitioner.

What You Will Learn

By the end of this page, you will understand the complete lifecycle of X.509 certificates, from issuance to validation. You'll explore CA architecture, trust hierarchies, certificate chains, revocation mechanisms, and modern enhancements like Certificate Transparency that address PKI's inherent weaknesses.

Understanding PKI and Certificates

The Public Key Infrastructure (PKI) is a framework for managing public key cryptography at scale. Its core problem: how can parties who have never met verify each other's public keys?

The Public Key Binding Problem:

Public key cryptography enables authentication—if Alice has Bob's public key, Bob can prove his identity by signing a challenge with his private key. But how does Alice obtain Bob's genuine public key?

Direct exchange: Alice and Bob meet in person. Doesn't scale.
Key server: Trusted server holds everyone's keys. Single point of failure.
Web of Trust: Users sign each other's keys (PGP model). Hard to bootstrap.
Certificate Authorities: Trusted authorities vouch for key bindings. The dominant model.

X.509 Certificates:

An X.509 certificate is a digitally signed document that binds a public key to an identity. The structure (defined in RFC 5280) includes:

Certificate ::= SEQUENCE {
    tbsCertificate       TBSCertificate,
    signatureAlgorithm   AlgorithmIdentifier,
    signatureValue       BIT STRING
}

TBSCertificate ::= SEQUENCE {
    version              [0] Version DEFAULT v1,
    serialNumber         CertificateSerialNumber,
    signature            AlgorithmIdentifier,
    issuer               Name,
    validity             Validity,
    subject              Name,
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    issuerUniqueID       [1] IMPLICIT UniqueIdentifier OPTIONAL,
    subjectUniqueID      [2] IMPLICIT UniqueIdentifier OPTIONAL,
    extensions           [3] Extensions OPTIONAL
}

Key X.509 Certificate Fields
Field	Description	Example
Subject	Entity the certificate is issued to	CN=www.example.com, O=Example Inc
Issuer	CA that signed the certificate	CN=DigiCert TLS RSA SHA256 2020 CA1
Serial Number	Unique identifier within CA	0x0123456789ABCDEF
Validity	Valid from / valid to dates	2024-01-01 to 2025-01-01
Subject Public Key	The bound public key	RSA 2048-bit / ECDSA P-256
Signature Algorithm	Algorithm used to sign	sha256WithRSAEncryption
Extensions	Additional constraints and info	SAN, Key Usage, EKU, AIA

Critical Certificate Extensions:

Subject Alternative Name (SAN): Lists all hostnames the certificate is valid for. Modern certificates primarily use SAN rather than Common Name.
Key Usage: Specifies permitted operations (digitalSignature, keyEncipherment, keyCertSign)
Extended Key Usage (EKU): Further restricts usage (serverAuth, clientAuth, codeSigning)
Basic Constraints: Indicates if the certificate can sign other certificates (CA:TRUE/FALSE)
Authority Information Access (AIA): URLs for CA certificate and OCSP responder
CRL Distribution Points: URLs where revocation lists are published

Certificate Encoding

Certificates are encoded in ASN.1 DER (binary) format, often wrapped in Base64 as PEM files (-----BEGIN CERTIFICATE-----). Tools like openssl x509 -text decode and display certificate contents for inspection.

CA Types and Trust Hierarchies

Certificate Authorities operate in hierarchies to balance security with operational flexibility. Understanding this structure is crucial for certificate chain validation and trust management.

CA Types:

Root CAs:

Self-signed certificates (issuer = subject)
Stored in trust stores of operating systems and browsers
Extremely high security requirements (often offline, in HSMs)
Long validity periods (10-25 years)
Compromise is catastrophic and irreversible for that root

Intermediate (Subordinate) CAs:

Signed by root or other intermediate CAs
Perform day-to-day certificate issuance
Shorter validity periods than roots
Can be revoked if compromised without replacing roots
Often specialized by product line or region

Issuing CAs:

Leaf-level CAs that directly issue end-entity certificates
May be further specialized or constrained
Highest volume of signing operations

Converting Mermaid diagram...

Certificate Chains:

End-entity certificates must be verified by building a chain to a trusted root:

End-Entity Certificate
    ↓ verified by signature from
Intermediate CA Certificate
    ↓ verified by signature from
Root CA Certificate
    ↓ found in
Trust Store (trusted anchor)

Chain Building and Validation:

Receive certificates: Server sends its certificate plus intermediates
Build chain: Find a path from end-entity to trusted root
Verify signatures: Each certificate's signature verified with issuer's public key
Check validity: All certificates within validity period
Check revocation: Verify no certificate is revoked (CRL/OCSP)
Check constraints: Name constraints, path length, key usage all satisfied
Hostname validation: Certificate SANs match requested hostname

Cross-Signing:

New CAs often get cross-signed by established roots for immediate trust:

Let's Encrypt ISRG Root X1 (new, may not be in old trust stores)
                   ↑ cross-signed by
DST Root CA X3 (widely trusted, expired Sept 2021)

Clients trust either path, maximizing compatibility.

Chain Configuration Errors

The most common TLS deployment error is failing to send intermediate certificates. The server must send the complete chain (except the root). Clients may lack the intermediate and cannot build a valid path, causing trust failures that are often misinterpreted as server configuration issues.

Certificate Issuance Process

Certificate issuance follows a defined process to ensure CAs only issue certificates to legitimate requesters. The rigor of this process determines the level of assurance the certificate provides.

Certificate Signing Request (CSR):

The requester generates a key pair and creates a CSR containing:

Subject information (organization name, domain name)
Public key
Proof of possession of private key (self-signed)

# Generate private key
openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048

# Generate CSR
openssl req -new -key server.key -out server.csr \
    -subj "/C=US/ST=California/L=San Francisco/O=Example Inc/CN=www.example.com"

# Inspect CSR
openssl req -in server.csr -text -noout

Domain Validation (DV):

The CA verifies the requester controls the domain. Methods include:

HTTP Challenge: Place a CA-specified file at /.well-known/acme-challenge/
DNS Challenge: Create a specific TXT record in DNS
Email Verification: Respond to email sent to admin contact addresses
TLS-ALPN Challenge: Serve a CA-specified certificate on port 443

ACME Protocol Flow (Let's Encrypt):

1. Client → CA: Request authorization for domain.com
2. CA → Client: Here's a token; prove control via HTTP or DNS
3. Client: Places token at http://domain.com/.well-known/acme-challenge/[token]
4. CA: Verifies challenge from multiple network vantage points
5. CA → Client: Authorization granted
6. Client → CA: Submit CSR for domain.com
7. CA → Client: Signed certificate (and chain)

Certificate Validation Levels
Level	Validation	Trust Indicators	Use Cases
Domain Validation (DV)	Control of domain only	Padlock only	Personal sites, APIs
Organization Validation (OV)	Domain + org identity verification	Padlock + org name in cert	Business websites
Extended Validation (EV)	Rigorous legal entity verification	Org name in address bar (deprecated)	High-value sites (banks, etc.)

Organization and Extended Validation:

OV Certificates: CA verifies the organization exists and is the domain owner

Phone verification against official records
Business registration verification
Callback to verified phone numbers

EV Certificates: Most rigorous verification

Legal existence verification (articles of incorporation)
Operational existence verification (bank account, listings)
Physical address verification
Authorized requester confirmation
Annual renewal of verification

The Decline of EV Visual Indicators:

Browsers originally displayed EV certificates with green address bars and organization names. This has been largely removed:

Chrome removed EV visual distinction (2019)
Firefox removed green bar (2019)
Research showed users didn't notice or understand the indicators
EV is now primarily a compliance/liability distinction, not user-facing

ACME and Automation

The ACME protocol (RFC 8555) automates certificate issuance and renewal. Let's Encrypt pioneered this approach, enabling certificates to be issued in seconds and renewed automatically. Tools like certbot, acme.sh, and Caddy handle the entire process, eliminating manual certificate management.

Certificate Validation in Practice

When your browser or application validates a certificate, it performs a complex series of checks. Understanding this process is essential for diagnosing certificate errors and building secure systems.

Complete Validation Algorithm:

Certificate Validation Steps

•Chain Building: Construct path from end-entity certificate to a trusted root anchor, using Subject-Issuer matching and Authority Key Identifier extensions
•Signature Verification: For each link in chain, verify the issuer's signature on the issued certificate using the issuer's public key
•Validity Period: Confirm current time falls within notBefore and notAfter of every certificate in chain
•Revocation Checking: Query OCSP responders or check CRLs to ensure no certificate in chain is revoked
•Name Constraints: Verify end-entity name is within any name constraints imposed by intermediate CAs
•Policy Constraints: Check certificate policies and policy mappings if required by application
•Key Usage: Confirm certificates are used for appropriate purposes (e.g., keyCertSign for CA certs, digitalSignature for TLS)
•Extended Key Usage: Verify serverAuth EKU for server certificates, clientAuth for client certificates
•Basic Constraints: Ensure CA certificates have CA:TRUE; end-entity has CA:FALSE or absent
•Path Length: Verify pathLenConstraint is respected (limits intermediate CA depth)
•Hostname Verification: Match requested hostname against Subject Common Name or Subject Alternative Names
•Algorithm Strength: Reject weak algorithms (MD5, SHA-1, < 2048-bit RSA)

Hostname Verification Details:

Hostname matching is often the source of validation bugs:

Certificate SANs: www.example.com, example.com, api.example.com

Request for www.example.com  → Match (exact)
Request for example.com      → Match (exact)  
Request for api.example.com  → Match (exact)
Request for mail.example.com → NO MATCH (not in SANs)
Request for www.example.org  → NO MATCH (wrong domain)

Wildcard Certificates:

Certificate SAN: *.example.com

Request for www.example.com    → Match
Request for api.example.com    → Match
Request for example.com        → NO MATCH (wildcard doesn't match empty string)
Request for sub.www.example.com → NO MATCH (wildcard matches one label only)

Common Validation Errors:

Common Certificate Validation Errors
Error	Cause	Solution
Certificate expired	notAfter in the past	Renew certificate
Hostname mismatch	Requested name not in SANs	Issue certificate with correct SANs
Unknown issuer	Missing intermediate or untrusted root	Configure complete chain
Certificate revoked	CA revoked the certificate	Request new certificate
Self-signed certificate	No chain to trusted root	Use CA-issued certificate
Invalid signature	Certificate modified or algorithm unsupported	Check certificate integrity

Never Disable Validation

Developers sometimes disable certificate validation during development (CURL_OPT_SSL_VERIFYPEER=false, NODE_TLS_REJECT_UNAUTHORIZED=0). This code must NEVER reach production. Disabling validation defeats the entire purpose of TLS authentication, enabling trivial MITM attacks.

Certificate Revocation

When a private key is compromised, an organization changes, or a certificate is no longer valid, it must be revoked before its natural expiration. However, distributing revocation information to all relying parties is one of PKI's hardest problems.

Certificate Revocation Lists (CRL):

CRLs are CA-signed lists of all revoked certificate serial numbers:

CRL Structure:
- CRL Version
- Issuer (CA that issued revoked certificates)
- This Update (CRL issue date)
- Next Update (expected next CRL)
- Revoked Certificates List:
    - Serial Number, Revocation Date, Reason Code
    - Serial Number, Revocation Date, Reason Code
    ...
- CRL Signature

CRL Problems:

Size: Popular CAs may revoke millions of certificates; CRLs become huge
Latency: CRLs are cached; revocations don't take effect immediately
Privacy: Downloading CRLs reveals what sites user visits (indirectly)
Reliability: CRL servers must be highly available; failures cause soft-fails

Online Certificate Status Protocol (OCSP):

OCSP provides real-time, per-certificate revocation checks:

Client → OCSP Responder: Is certificate [serial] from [issuer] revoked?
OCSP Responder → Client: Good / Revoked / Unknown
                         + signature + validity period

OCSP Advantages:

Small response size (specific to one certificate)
Fresher revocation information
Cacheable responses reduce load

OCSP Problems:

Privacy: OCSP responder learns user's browsing history
Performance: Adds round-trip latency to every connection
Reliability: OCSP server downtime affects all users
Soft-Fail: Most browsers continue if OCSP is unavailable, defeating the purpose

OCSP Stapling

•Server fetches its own OCSP response periodically
•Includes signed OCSP response in TLS handshake
•Client validates OCSP without contacting responder
•No privacy leak or additional latency
•Configured via ssl_stapling on in nginx

OCSP Must-Staple

•Certificate extension requires stapled response
•Connection fails without valid staple
•Prevents soft-fail security degradation
•Requires reliable OCSP infrastructure
•Added via tlsfeature extension at issuance

Short-Lived Certificates:

An alternative approach: issue certificates with very short validity (days to hours). Revocation becomes unnecessary because compromised certificates expire quickly.

Advantages:

No revocation infrastructure needed
Compromise window is small
Forces automation (reduces stale certificates)

Disadvantages:

Requires robust automated issuance
Higher CA load
Clock synchronization more critical

Browser Revocation Checking Reality:

Despite the importance of revocation, browser behavior is pragmatic:

Chrome: Uses CRLSets (Google-curated subset of revocations) pushed via browser updates. Does not check OCSP by default.
Firefox: OCSP checking with soft-fail. CRLite (compressed revocation data) in development.
Safari: OCSP checking with soft-fail.

The industry consensus is that traditional revocation checking is unreliable. Short-lived certificates and improved browser-side solutions are preferred.

Revocation Is Hard

The 'revocation problem' remains partially unsolved. Production guidance: configure OCSP stapling, consider short-lived certificates (weeks, not years), and use certificate automation to enable rapid replacement when incidents occur.

CA Compromises and Misissuance

The CA trust model's Achilles heel is that any trusted CA can issue certificates for any domain. A single compromised or malicious CA can issue fraudulent certificates that browsers will trust. History has shown this is not merely theoretical.

Notable CA Incidents:

Major CA Security Incidents
Year	CA	Incident	Impact
2011	DigiNotar	Complete compromise by attackers	Fraudulent *.google.com cert used for MITM in Iran. CA distrusted and dissolved.
2011	Comodo	Registration account compromised	Fraudulent certs for major sites (gmail, yahoo, skype). Quickly revoked.
2015	CNNIC	Intermediate CA misissued certificates	China's CNNIC allowed subordinate CA to issue unauthorized certs. Constrained by browsers.
2015	Symantec	Test certificates for google.com	Issued test certs for domains they didn't control. Led to gradual distrust.
2017	WoSign/StartCom	Backdating, misissuance, SHA-1	Multiple compliance failures. Removed from browser trust stores.
2019	DarkMatter	UAE surveillance concerns	Trust never granted by Mozilla due to surveillance allegations.

Attack Scenarios:

State-Level Attacks: Governments can compel domestic CAs to issue surveillance certificates. A trusted CA in Country X can issue a certificate for any domain, enabling state-level MITM attacks on encrypted traffic.

CA Key Compromise: If an attacker obtains a CA's private key, they can issue unlimited fraudulent certificates. This is why root CA keys are kept offline in HSMs with extreme physical security.

Validation Bypass: Weaknesses in domain validation allow attackers to obtain certificates for domains they don't control (BGP hijacking to intercept validation traffic, compromised DNS, etc.).

Consequences of Misissuance:

Browser Distrust: CAs that misissue certificates face browser distrust—the ultimate penalty
Revocation Rush: Fraudulent certificates must be found and revoked
Trust Degradation: Each incident erodes confidence in the CA system
User Vulnerability: Users affected by fraudulent certificates have no defense

The Weakest Link Problem

Your browser trusts hundreds of root CAs. A compromise of ANY of them can result in fraudulent certificates for your domain. You have no control over which CAs browsers trust, and attackers need only compromise the weakest one. Certificate Transparency was developed specifically to address this fundamental weakness.

Certificate Transparency

Certificate Transparency (CT) is a system of public logs that record all issued certificates. It transforms certificate issuance from a private transaction into an auditable, public process.

The CT Vision:

If every certificate is logged publicly:

Domain owners can monitor for unauthorized certificates
Misissuance is detectable rather than invisible
CAs are held accountable for all certificates they issue
The attack window shrinks from 'until expiration' to 'until detection'

CT Architecture:

Converting Mermaid diagram...

CT Components:

1. CT Logs: Append-only cryptographic logs (Merkle trees) that record certificates:

Anyone can submit certificates
Log operators are separate from CAs
Merkle trees provide efficient inclusion proofs
Logs are auditable and tamper-evident

2. Signed Certificate Timestamps (SCT): When a log accepts a certificate, it returns an SCT—a promise to include the certificate:

SCT = {
    version: v1,
    log_id: <hash of log's public key>,
    timestamp: <milliseconds since epoch>,
    extensions: <future use>,
    signature: <log's signature over the above>
}

3. SCT Delivery: SCTs must reach the client to prove logging. Three methods:

Embedded in Certificate: CA submits pre-certificate, gets SCTs, embeds in final cert
TLS Extension: Server provides SCTs during TLS handshake
OCSP Stapling: SCTs included in stapled OCSP response

4. Monitors: Services that watch CT logs for certificates affecting specific domains:

Domain owners run monitors or use services
Alert when any certificate is logged for their domains
Enables rapid detection of misissuance

CT Enforcement:

Chrome requires SCTs for all certificates issued after April 2018. Certificates without valid SCTs from multiple logs are rejected. This makes CT mandatory for web certificates, not optional.

CT Monitoring Example
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# Check CT logs for certificates issued for a domain
# Using crt.sh (Certificate Search)
 
# Find all certificates for example.com
curl -s "https://crt.sh/?q=example.com&output=json" | jq '.[0:5]'
 
# Monitor for new certificates (example service: Facebook CT Monitor)
# Subscribe to alerts at https://developers.facebook.com/tools/ct/
 
# Inspect SCTs in a certificate
openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | \
    openssl x509 -noout -text | grep -A 20 "Certificate Transparency"
 
# Verify SCTs with openssl (requires CT log public keys)
# Mozilla maintains a list of trusted logs at:
# https://wiki.mozilla.org/CA/Included_Certificates

CT Effectiveness

CT has proven highly effective. Numerous misissuance incidents have been detected through log monitoring, including test certificates, validation failures, and suspicious patterns. Domain owners now have visibility into all certificates issued for their domains, fundamentally changing the CA trust dynamic.

Additional Trust Mechanisms

Certificate Transparency augments but doesn't replace the CA system. Additional mechanisms provide defense-in-depth against certificate misissuance.

CAA (Certificate Authority Authorization):

DNS records that specify which CAs are authorized to issue certificates for a domain:

; Only DigiCert and Let's Encrypt may issue
example.com.  CAA  0 issue "digicert.com"
example.com.  CAA  0 issue "letsencrypt.org"

; No wildcard certificates allowed
example.com.  CAA  0 issuewild ";"

; Report violations to security team
example.com.  CAA  0 iodef "mailto:security@example.com"

CAs are required to check CAA before issuance. Violating CAA isn't cryptographically prevented but creates clear CA compliance failures.

DANE (DNS-Based Authentication of Named Entities):

TLSA DNS records specify exactly which certificates are valid for a domain:

; Pin the exact certificate for www.example.com
_443._tcp.www.example.com. TLSA 3 1 1 <SHA-256 hash of certificate>

; Usage field options:
; 0 - PKIX-TA: Pin a CA certificate
; 1 - PKIX-EE: Pin end-entity with PKIX validation
; 2 - DANE-TA: Trust anchor assertion (no PKIX)
; 3 - DANE-EE: Pin specific certificate (no PKIX)

DANE Limitations:

Requires DNSSEC (not universally deployed)
Limited client support (no major browsers implement)
Useful for email (SMTP) where server-to-server trust is simpler

Trust Enhancement Mechanisms Comparison
Mechanism	Protection	Deployment	Limitation
CT	Detects misissuance post-facto	Mandatory for web certs	Detection, not prevention
CAA	Restricts which CAs may issue	DNS record + CA compliance	CAs must check; not enforced by clients
DANE	Pins specific certificates via DNS	Requires DNSSEC	Poor browser support
HPKP (deprecated)	Pinned public keys in HTTP header	Was browser-enforced	Removed due to operational risks

HTTP Public Key Pinning (HPKP) — A Cautionary Tale:

HPKP allowed sites to tell browsers to accept only specific public key pins:

Public-Key-Pins: pin-sha256="base64+hash"; max-age=5184000;
                 pin-sha256="base64+backup-hash";

Why It Was Removed:

Misconfiguration could permanently lock users out of a site
Pin expiry outlasted some site lifetimes
Attackers could maliciously set pins (ransom attacks)
Operational complexity was extreme

HPKP was deprecated and removed from browsers in 2020. The lesson: mechanisms that can cause permanent self-denial-of-service are operationally unacceptable.

Expect-CT Header:

Expect-CT: max-age=86400, enforce, report-uri="https://example.com/ct-report"

Signals that the site expects CT enforcement. Useful during transition to mandatory CT and for gathering compliance reports.

Practical Recommendations

For most deployments: (1) Configure CAA records restricting issuance to your CAs, (2) Monitor CT logs for your domains using a service like crt.sh or your CA's monitoring, (3) Use short-lived certificates with automated renewal, (4) Configure OCSP stapling. These provide strong defense without operational complexity.

Summary: Certificate Authorities

Certificate Authorities form the trust foundation for secure communication on the internet. While imperfect, the CA system—augmented by Certificate Transparency and other mechanisms—enables billions of secure connections daily.

Key Takeaways

•PKI Solves Key Distribution: CAs bind public keys to identities through digitally signed X.509 certificates, enabling authentication without prior relationship.
•Trust Hierarchies: Root CAs are implicitly trusted; they sign intermediate CAs; intermediates issue end-entity certificates. Chain validation builds trust from anchors.
•Validation Levels: DV (domain control), OV (organization verification), EV (rigorous entity verification) provide different assurance levels.
•Certificate Validation: Comprehensive process including chain building, signature verification, revocation checking, and hostname matching.
•Revocation Challenges: CRLs don't scale; OCSP has privacy/reliability issues; OCSP stapling and short-lived certificates are preferred solutions.
•CA Risks: Any trusted CA can issue certificates for any domain; compromised CAs are catastrophic. Historical incidents prove this is not theoretical.
•Certificate Transparency: Public logs of all certificates enable detection of misissuance; now mandatory for web certificates.
•Defense Mechanisms: CAA restricts authorized CAs; CT enables monitoring; DANE provides DNS-based pinning (limited adoption).

What's Next:

With trust established through certificate authentication, secure channels require another critical component: key exchange. The next page explores the cryptographic protocols that enable two parties to establish shared secrets over public channels, even when eavesdroppers observe every message.

Page Complete

You now understand the Certificate Authority ecosystem—the trust infrastructure enabling secure internet communication. You can evaluate certificate validation, configure CA-related security mechanisms, and understand both the strengths and fundamental limitations of the PKI model.

Certificate Authorities

The Trust Brokers of the Internet

What You Will Learn

Understanding PKI and Certificates

The Public Key Infrastructure (PKI) is a framework for managing public key cryptography at scale. Its core problem: how can parties who have never met verify each other's public keys?

The Public Key Binding Problem:

Direct exchange: Alice and Bob meet in person. Doesn't scale.
Key server: Trusted server holds everyone's keys. Single point of failure.
Web of Trust: Users sign each other's keys (PGP model). Hard to bootstrap.
Certificate Authorities: Trusted authorities vouch for key bindings. The dominant model.

X.509 Certificates:

An X.509 certificate is a digitally signed document that binds a public key to an identity. The structure (defined in RFC 5280) includes:

Certificate ::= SEQUENCE {
    tbsCertificate       TBSCertificate,
    signatureAlgorithm   AlgorithmIdentifier,
    signatureValue       BIT STRING
}

TBSCertificate ::= SEQUENCE {
    version              [0] Version DEFAULT v1,
    serialNumber         CertificateSerialNumber,
    signature            AlgorithmIdentifier,
    issuer               Name,
    validity             Validity,
    subject              Name,
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    issuerUniqueID       [1] IMPLICIT UniqueIdentifier OPTIONAL,
    subjectUniqueID      [2] IMPLICIT UniqueIdentifier OPTIONAL,
    extensions           [3] Extensions OPTIONAL
}

Key X.509 Certificate Fields
Field	Description	Example
Subject	Entity the certificate is issued to	CN=www.example.com, O=Example Inc
Issuer	CA that signed the certificate	CN=DigiCert TLS RSA SHA256 2020 CA1
Serial Number	Unique identifier within CA	0x0123456789ABCDEF
Validity	Valid from / valid to dates	2024-01-01 to 2025-01-01
Subject Public Key	The bound public key	RSA 2048-bit / ECDSA P-256
Signature Algorithm	Algorithm used to sign	sha256WithRSAEncryption
Extensions	Additional constraints and info	SAN, Key Usage, EKU, AIA

Critical Certificate Extensions:

Subject Alternative Name (SAN): Lists all hostnames the certificate is valid for. Modern certificates primarily use SAN rather than Common Name.
Key Usage: Specifies permitted operations (digitalSignature, keyEncipherment, keyCertSign)
Extended Key Usage (EKU): Further restricts usage (serverAuth, clientAuth, codeSigning)
Basic Constraints: Indicates if the certificate can sign other certificates (CA:TRUE/FALSE)
Authority Information Access (AIA): URLs for CA certificate and OCSP responder
CRL Distribution Points: URLs where revocation lists are published

Certificate Encoding

CA Types and Trust Hierarchies

Certificate Authorities operate in hierarchies to balance security with operational flexibility. Understanding this structure is crucial for certificate chain validation and trust management.

CA Types:

Root CAs:

Self-signed certificates (issuer = subject)
Stored in trust stores of operating systems and browsers
Extremely high security requirements (often offline, in HSMs)
Long validity periods (10-25 years)
Compromise is catastrophic and irreversible for that root

Intermediate (Subordinate) CAs:

Signed by root or other intermediate CAs
Perform day-to-day certificate issuance
Shorter validity periods than roots
Can be revoked if compromised without replacing roots
Often specialized by product line or region

Issuing CAs:

Leaf-level CAs that directly issue end-entity certificates
May be further specialized or constrained
Highest volume of signing operations

Converting Mermaid diagram...

Certificate Chains:

End-entity certificates must be verified by building a chain to a trusted root:

End-Entity Certificate
    ↓ verified by signature from
Intermediate CA Certificate
    ↓ verified by signature from
Root CA Certificate
    ↓ found in
Trust Store (trusted anchor)

Chain Building and Validation:

Receive certificates: Server sends its certificate plus intermediates
Build chain: Find a path from end-entity to trusted root
Verify signatures: Each certificate's signature verified with issuer's public key
Check validity: All certificates within validity period
Check revocation: Verify no certificate is revoked (CRL/OCSP)
Check constraints: Name constraints, path length, key usage all satisfied
Hostname validation: Certificate SANs match requested hostname

Cross-Signing:

New CAs often get cross-signed by established roots for immediate trust:

Let's Encrypt ISRG Root X1 (new, may not be in old trust stores)
                   ↑ cross-signed by
DST Root CA X3 (widely trusted, expired Sept 2021)

Clients trust either path, maximizing compatibility.

Chain Configuration Errors

Certificate Issuance Process

Certificate issuance follows a defined process to ensure CAs only issue certificates to legitimate requesters. The rigor of this process determines the level of assurance the certificate provides.

Certificate Signing Request (CSR):

The requester generates a key pair and creates a CSR containing:

Subject information (organization name, domain name)
Public key
Proof of possession of private key (self-signed)

# Generate private key
openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048

# Generate CSR
openssl req -new -key server.key -out server.csr \
    -subj "/C=US/ST=California/L=San Francisco/O=Example Inc/CN=www.example.com"

# Inspect CSR
openssl req -in server.csr -text -noout

Domain Validation (DV):

The CA verifies the requester controls the domain. Methods include:

HTTP Challenge: Place a CA-specified file at /.well-known/acme-challenge/
DNS Challenge: Create a specific TXT record in DNS
Email Verification: Respond to email sent to admin contact addresses
TLS-ALPN Challenge: Serve a CA-specified certificate on port 443

ACME Protocol Flow (Let's Encrypt):

1. Client → CA: Request authorization for domain.com
2. CA → Client: Here's a token; prove control via HTTP or DNS
3. Client: Places token at http://domain.com/.well-known/acme-challenge/[token]
4. CA: Verifies challenge from multiple network vantage points
5. CA → Client: Authorization granted
6. Client → CA: Submit CSR for domain.com
7. CA → Client: Signed certificate (and chain)

Certificate Validation Levels
Level	Validation	Trust Indicators	Use Cases
Domain Validation (DV)	Control of domain only	Padlock only	Personal sites, APIs
Organization Validation (OV)	Domain + org identity verification	Padlock + org name in cert	Business websites
Extended Validation (EV)	Rigorous legal entity verification	Org name in address bar (deprecated)	High-value sites (banks, etc.)

Organization and Extended Validation:

OV Certificates: CA verifies the organization exists and is the domain owner

Phone verification against official records
Business registration verification
Callback to verified phone numbers

EV Certificates: Most rigorous verification

Legal existence verification (articles of incorporation)
Operational existence verification (bank account, listings)
Physical address verification
Authorized requester confirmation
Annual renewal of verification

The Decline of EV Visual Indicators:

Browsers originally displayed EV certificates with green address bars and organization names. This has been largely removed:

Chrome removed EV visual distinction (2019)
Firefox removed green bar (2019)
Research showed users didn't notice or understand the indicators
EV is now primarily a compliance/liability distinction, not user-facing

ACME and Automation

Certificate Validation in Practice

Complete Validation Algorithm:

Certificate Validation Steps

•Chain Building: Construct path from end-entity certificate to a trusted root anchor, using Subject-Issuer matching and Authority Key Identifier extensions
•Signature Verification: For each link in chain, verify the issuer's signature on the issued certificate using the issuer's public key
•Validity Period: Confirm current time falls within notBefore and notAfter of every certificate in chain
•Revocation Checking: Query OCSP responders or check CRLs to ensure no certificate in chain is revoked
•Name Constraints: Verify end-entity name is within any name constraints imposed by intermediate CAs
•Policy Constraints: Check certificate policies and policy mappings if required by application
•Key Usage: Confirm certificates are used for appropriate purposes (e.g., keyCertSign for CA certs, digitalSignature for TLS)
•Extended Key Usage: Verify serverAuth EKU for server certificates, clientAuth for client certificates
•Basic Constraints: Ensure CA certificates have CA:TRUE; end-entity has CA:FALSE or absent
•Path Length: Verify pathLenConstraint is respected (limits intermediate CA depth)
•Hostname Verification: Match requested hostname against Subject Common Name or Subject Alternative Names
•Algorithm Strength: Reject weak algorithms (MD5, SHA-1, < 2048-bit RSA)

Hostname Verification Details:

Hostname matching is often the source of validation bugs:

Certificate SANs: www.example.com, example.com, api.example.com

Request for www.example.com  → Match (exact)
Request for example.com      → Match (exact)  
Request for api.example.com  → Match (exact)
Request for mail.example.com → NO MATCH (not in SANs)
Request for www.example.org  → NO MATCH (wrong domain)

Wildcard Certificates:

Certificate SAN: *.example.com

Request for www.example.com    → Match
Request for api.example.com    → Match
Request for example.com        → NO MATCH (wildcard doesn't match empty string)
Request for sub.www.example.com → NO MATCH (wildcard matches one label only)

Common Validation Errors:

Common Certificate Validation Errors
Error	Cause	Solution
Certificate expired	notAfter in the past	Renew certificate
Hostname mismatch	Requested name not in SANs	Issue certificate with correct SANs
Unknown issuer	Missing intermediate or untrusted root	Configure complete chain
Certificate revoked	CA revoked the certificate	Request new certificate
Self-signed certificate	No chain to trusted root	Use CA-issued certificate
Invalid signature	Certificate modified or algorithm unsupported	Check certificate integrity

Never Disable Validation

Certificate Revocation

Certificate Revocation Lists (CRL):

CRLs are CA-signed lists of all revoked certificate serial numbers:

CRL Structure:
- CRL Version
- Issuer (CA that issued revoked certificates)
- This Update (CRL issue date)
- Next Update (expected next CRL)
- Revoked Certificates List:
    - Serial Number, Revocation Date, Reason Code
    - Serial Number, Revocation Date, Reason Code
    ...
- CRL Signature

CRL Problems:

Size: Popular CAs may revoke millions of certificates; CRLs become huge
Latency: CRLs are cached; revocations don't take effect immediately
Privacy: Downloading CRLs reveals what sites user visits (indirectly)
Reliability: CRL servers must be highly available; failures cause soft-fails

Online Certificate Status Protocol (OCSP):

OCSP provides real-time, per-certificate revocation checks:

Client → OCSP Responder: Is certificate [serial] from [issuer] revoked?
OCSP Responder → Client: Good / Revoked / Unknown
                         + signature + validity period

OCSP Advantages:

Small response size (specific to one certificate)
Fresher revocation information
Cacheable responses reduce load

OCSP Problems:

Privacy: OCSP responder learns user's browsing history
Performance: Adds round-trip latency to every connection
Reliability: OCSP server downtime affects all users
Soft-Fail: Most browsers continue if OCSP is unavailable, defeating the purpose

OCSP Stapling

•Server fetches its own OCSP response periodically
•Includes signed OCSP response in TLS handshake
•Client validates OCSP without contacting responder
•No privacy leak or additional latency
•Configured via ssl_stapling on in nginx

OCSP Must-Staple

•Certificate extension requires stapled response
•Connection fails without valid staple
•Prevents soft-fail security degradation
•Requires reliable OCSP infrastructure
•Added via tlsfeature extension at issuance

Short-Lived Certificates:

An alternative approach: issue certificates with very short validity (days to hours). Revocation becomes unnecessary because compromised certificates expire quickly.

Advantages:

No revocation infrastructure needed
Compromise window is small
Forces automation (reduces stale certificates)

Disadvantages:

Requires robust automated issuance
Higher CA load
Clock synchronization more critical

Browser Revocation Checking Reality:

Despite the importance of revocation, browser behavior is pragmatic:

Chrome: Uses CRLSets (Google-curated subset of revocations) pushed via browser updates. Does not check OCSP by default.
Firefox: OCSP checking with soft-fail. CRLite (compressed revocation data) in development.
Safari: OCSP checking with soft-fail.

The industry consensus is that traditional revocation checking is unreliable. Short-lived certificates and improved browser-side solutions are preferred.

Revocation Is Hard

CA Compromises and Misissuance

Notable CA Incidents:

Major CA Security Incidents
Year	CA	Incident	Impact
2011	DigiNotar	Complete compromise by attackers	Fraudulent *.google.com cert used for MITM in Iran. CA distrusted and dissolved.
2011	Comodo	Registration account compromised	Fraudulent certs for major sites (gmail, yahoo, skype). Quickly revoked.
2015	CNNIC	Intermediate CA misissued certificates	China's CNNIC allowed subordinate CA to issue unauthorized certs. Constrained by browsers.
2015	Symantec	Test certificates for google.com	Issued test certs for domains they didn't control. Led to gradual distrust.
2017	WoSign/StartCom	Backdating, misissuance, SHA-1	Multiple compliance failures. Removed from browser trust stores.
2019	DarkMatter	UAE surveillance concerns	Trust never granted by Mozilla due to surveillance allegations.

Attack Scenarios:

CA Key Compromise: If an attacker obtains a CA's private key, they can issue unlimited fraudulent certificates. This is why root CA keys are kept offline in HSMs with extreme physical security.

Validation Bypass: Weaknesses in domain validation allow attackers to obtain certificates for domains they don't control (BGP hijacking to intercept validation traffic, compromised DNS, etc.).

Consequences of Misissuance:

Browser Distrust: CAs that misissue certificates face browser distrust—the ultimate penalty
Revocation Rush: Fraudulent certificates must be found and revoked
Trust Degradation: Each incident erodes confidence in the CA system
User Vulnerability: Users affected by fraudulent certificates have no defense

The Weakest Link Problem

Certificate Transparency

Certificate Transparency (CT) is a system of public logs that record all issued certificates. It transforms certificate issuance from a private transaction into an auditable, public process.

The CT Vision:

If every certificate is logged publicly:

Domain owners can monitor for unauthorized certificates
Misissuance is detectable rather than invisible
CAs are held accountable for all certificates they issue
The attack window shrinks from 'until expiration' to 'until detection'

CT Architecture:

Converting Mermaid diagram...

CT Components:

1. CT Logs: Append-only cryptographic logs (Merkle trees) that record certificates:

Anyone can submit certificates
Log operators are separate from CAs
Merkle trees provide efficient inclusion proofs
Logs are auditable and tamper-evident

2. Signed Certificate Timestamps (SCT): When a log accepts a certificate, it returns an SCT—a promise to include the certificate:

SCT = {
    version: v1,
    log_id: <hash of log's public key>,
    timestamp: <milliseconds since epoch>,
    extensions: <future use>,
    signature: <log's signature over the above>
}

3. SCT Delivery: SCTs must reach the client to prove logging. Three methods:

Embedded in Certificate: CA submits pre-certificate, gets SCTs, embeds in final cert
TLS Extension: Server provides SCTs during TLS handshake
OCSP Stapling: SCTs included in stapled OCSP response

4. Monitors: Services that watch CT logs for certificates affecting specific domains:

Domain owners run monitors or use services
Alert when any certificate is logged for their domains
Enables rapid detection of misissuance

CT Enforcement:

Chrome requires SCTs for all certificates issued after April 2018. Certificates without valid SCTs from multiple logs are rejected. This makes CT mandatory for web certificates, not optional.

CT Monitoring Example
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# Check CT logs for certificates issued for a domain
# Using crt.sh (Certificate Search)
 
# Find all certificates for example.com
curl -s "https://crt.sh/?q=example.com&output=json" | jq '.[0:5]'
 
# Monitor for new certificates (example service: Facebook CT Monitor)
# Subscribe to alerts at https://developers.facebook.com/tools/ct/
 
# Inspect SCTs in a certificate
openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | \
    openssl x509 -noout -text | grep -A 20 "Certificate Transparency"
 
# Verify SCTs with openssl (requires CT log public keys)
# Mozilla maintains a list of trusted logs at:
# https://wiki.mozilla.org/CA/Included_Certificates

CT Effectiveness

Additional Trust Mechanisms

Certificate Transparency augments but doesn't replace the CA system. Additional mechanisms provide defense-in-depth against certificate misissuance.

CAA (Certificate Authority Authorization):

DNS records that specify which CAs are authorized to issue certificates for a domain:

; Only DigiCert and Let's Encrypt may issue
example.com.  CAA  0 issue "digicert.com"
example.com.  CAA  0 issue "letsencrypt.org"

; No wildcard certificates allowed
example.com.  CAA  0 issuewild ";"

; Report violations to security team
example.com.  CAA  0 iodef "mailto:security@example.com"

CAs are required to check CAA before issuance. Violating CAA isn't cryptographically prevented but creates clear CA compliance failures.

DANE (DNS-Based Authentication of Named Entities):

TLSA DNS records specify exactly which certificates are valid for a domain:

; Pin the exact certificate for www.example.com
_443._tcp.www.example.com. TLSA 3 1 1 <SHA-256 hash of certificate>

; Usage field options:
; 0 - PKIX-TA: Pin a CA certificate
; 1 - PKIX-EE: Pin end-entity with PKIX validation
; 2 - DANE-TA: Trust anchor assertion (no PKIX)
; 3 - DANE-EE: Pin specific certificate (no PKIX)

DANE Limitations:

Requires DNSSEC (not universally deployed)
Limited client support (no major browsers implement)
Useful for email (SMTP) where server-to-server trust is simpler

Trust Enhancement Mechanisms Comparison
Mechanism	Protection	Deployment	Limitation
CT	Detects misissuance post-facto	Mandatory for web certs	Detection, not prevention
CAA	Restricts which CAs may issue	DNS record + CA compliance	CAs must check; not enforced by clients
DANE	Pins specific certificates via DNS	Requires DNSSEC	Poor browser support
HPKP (deprecated)	Pinned public keys in HTTP header	Was browser-enforced	Removed due to operational risks

HTTP Public Key Pinning (HPKP) — A Cautionary Tale:

HPKP allowed sites to tell browsers to accept only specific public key pins:

Public-Key-Pins: pin-sha256="base64+hash"; max-age=5184000;
                 pin-sha256="base64+backup-hash";

Why It Was Removed:

Misconfiguration could permanently lock users out of a site
Pin expiry outlasted some site lifetimes
Attackers could maliciously set pins (ransom attacks)
Operational complexity was extreme

HPKP was deprecated and removed from browsers in 2020. The lesson: mechanisms that can cause permanent self-denial-of-service are operationally unacceptable.

Expect-CT Header:

Expect-CT: max-age=86400, enforce, report-uri="https://example.com/ct-report"

Signals that the site expects CT enforcement. Useful during transition to mandatory CT and for gathering compliance reports.

Practical Recommendations

Summary: Certificate Authorities

Key Takeaways

•PKI Solves Key Distribution: CAs bind public keys to identities through digitally signed X.509 certificates, enabling authentication without prior relationship.
•Trust Hierarchies: Root CAs are implicitly trusted; they sign intermediate CAs; intermediates issue end-entity certificates. Chain validation builds trust from anchors.
•Validation Levels: DV (domain control), OV (organization verification), EV (rigorous entity verification) provide different assurance levels.
•Certificate Validation: Comprehensive process including chain building, signature verification, revocation checking, and hostname matching.
•Revocation Challenges: CRLs don't scale; OCSP has privacy/reliability issues; OCSP stapling and short-lived certificates are preferred solutions.
•CA Risks: Any trusted CA can issue certificates for any domain; compromised CAs are catastrophic. Historical incidents prove this is not theoretical.
•Certificate Transparency: Public logs of all certificates enable detection of misissuance; now mandatory for web certificates.
•Defense Mechanisms: CAA restricts authorized CAs; CT enables monitoring; DANE provides DNS-based pinning (limited adoption).

What's Next:

Page Complete