What is Root Certificate Authority (root CA)?and How trust works in HTTPS
Root CA is a self-signed certificate with Pubic Key Infrastructure (PKI) and it is top of the trust chain which used to connect the web securely.
These Root CA certificate stored securely in offline to prevent form private key theft.If a root CA is compromised global trust will broken.
What is Digital Certificate?
Digital Certificate contains:
Public Key
Organization details
Expiry date
Domain Name
Digital Signature form intermediate CA
What is Certificate Authority?
Certificate Authority is a global trusted third party digitally signs a certificate for a organization. Browsers already trust these authorities like Digicert, Let's Encrypt because in operating system, vendor already pre-installed a root CA signed these intermediate CA so browser trusts the these authorities automatically.
How trust chain look?
root CA [self-signed]
|
|
|
intermediate CA [signed by root]
|
|
|
Server Certificate [signed by intermediate]
How it works in HTTPS?
Client sends request through a browser to a server.
Server sends a certificate signed by intermediate CA with details of public key , domain , organization details etc ...
Root CA verifies by checking:
Is this certificate signed by trusted CA?
Is domain matching?
Is it certificate expired?
If everything is verified then browser begins the TLS handshake and start the encrypted session if not browser shows warning.
For clear understanding let's see real world examples:
If you visit a website https://google.com, how you know this website is legitimate and who gives them authority it is original and legitimate website from google.
Here comes Certificate Authority they verifies the google server certificate and digitally singed them and here trust begins.
Lab Section:
Creating our own root CA certificate using Openssl
In this lab we build simple trust chain between server and our browser with no intermediate CA.
Step 1: - Generate Root CA private key
openssl genrsa -out myCA.key 2048
- Created a private RSA key and this is our Root CA private key.
Step 2: - Create self-signed root CA certificate
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1024 -out myCA.pem
We are creating self-signed root CA certificate using our private key.
Important flags explained:
-x509 -> create self signed certificate.
-key myCA.key -> signing using our private key
-out myCA.pem -> certificate file
Step 3: - Generate a server private key
openssl genrsa -out server.key 2048
- Creating Server private key.
Step 4: - Create Certificate Signing Request
openssl req -new -key server.key -out server,csr
We are creating certificate signing request and it contains organization details,domain name and request to be signed.
This is how real real companies request certificates from CAs
Step 5: - Sign Server certificate using our own root CA
openssl x509 -req -in server.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out server.crt -days 365 -sha256
Now we took the certificate signing request file by using our Root CA private key we created the digital certificate and attached to server certificate (server.crt)
Now the server certificate is signed by our Root CA
Step 6: - Trust the root CA
- Now we have to import the root CA myCA.pem file to trusted CA store because browser can't automatically trust the Root CA and browser begin connection without warning.
My Journey:
Building my own root CA helped me to understand how the trust structure engineered on the internet and this is my first technical blog as I begin to document my cyber security journey to improve my career goal to next level and I welcome feedback for further improvement and thank you for reading my blog.