#1
Registered User
Join Date: Aug 2006
Posts: 320
OS: XP Pro, Vista Business, Suse Linux, Win98 SE

Digital Certificates
Hey,
I had a few questions in regards to digital certificates. I’m not 100 percent clear as to what exactly they do. I’ve done a search and have figured out a few things but I still have a couple of questions. I know that digital certificates are used for security purposes. That they are given to the user by a CA (certificate authority) after validating that the person is who they say they are. The cert then has a digest of information relating to the person. The cert is based off a public key infrastructure (key pairs). It includes the person’s public key, expiration date of cert, etc… I realize that the CA then digitally signs the cert with a private key, which is then used as an authentication encoding for the public key that the CA distributes to programs (such as your web browser). Then, when say your browser opens up the page that has a secure connection, it uses the public key in the browser to decode the private key (signature) and if everything matches up (as it should) you connect with no problems or warning messages.

Now… I get this (I think). What I don’t get is that the public key that the CA gives to you is the same one used for the program (web browser)? If not how is it used or is it used given that the CA already digitally signed it and has its own unique public key (again, given to your browser) to decode the signature and authenticates that way?

The reason I ask is that I’m going to be using zFTPserver and am going to be issuing a secure connection via SFTP. I would have to create my own cert. I know it’s not given by the CA and will issue a warning message because of it. BUT, what I was wondering is if there’s still a public key and private key after creating the cert myself? Would I have to import it to the users that will be using the SFTP in order to avoid warning messages? How exactly does the one that I created work?

Sorry for the long-winded questions, but it’s starting to frustrate me that I can’t get a straight answer. Thanks guys

#3
Manager, Networking Forums
Join Date: Sep 2002
Location: S.E. Pennsylvania, US
Posts: 41,787
OS: Windows 7, XP-Pro, Vista, Linux
Blog Entries: 1

Re: Digital Certificates
__________________
If TSF has helped you, Tell us about it! or Donate to help keep the site up! Microsoft MVP - Windows Desktop Experience

#4
Registered User
Join Date: Aug 2006
Posts: 320
OS: XP Pro, Vista Business, Suse Linux, Win98 SE

Re: Digital Certificates
Thank you. I've read that article a couple of times. But it still didn't really answer my question about how I create my own certificate (for the SFTP server) and how it handles the public-private key pair. Like when I create it does it still have the public key and with my digital signature the private key? Then when I send info the user can see my public key and decrypt my message by using it... OR will they get a warning message because they will need my private key. This is where I'm confused. How exactly does it work with my own created cert. And how can I make it work so the users connecting via SFTP don't get a warning message. Thanks for the help.

#5
Manager, Networking Forums
Join Date: Sep 2002
Location: S.E. Pennsylvania, US
Posts: 41,787
OS: Windows 7, XP-Pro, Vista, Linux
Blog Entries: 1

Re: Digital Certificates
You can't simply create your own certificate, you have to get one from a certifying agency.
http://www.petri.co.il/obtain_digita..._online_ca.htm

#6
Registered User
Join Date: Aug 2006
Posts: 320
OS: XP Pro, Vista Business, Suse Linux, Win98 SE

Re: Digital Certificates
Then how come I have the option to create my own digital cert? There are self signed certs aren't there? I heard that you can create your own cert but you have to have it installed on the host and on the client machines as well (in order to bypass the warning message your browser will throw at you). I just wanted a better description of this process though. Thanks.

#7
Manager, Networking Forums
Join Date: Sep 2002
Location: S.E. Pennsylvania, US
Posts: 41,787
OS: Windows 7, XP-Pro, Vista, Linux
Blog Entries: 1

Re: Digital Certificates

#8
Registered User
Join Date: Aug 2006
Posts: 320
OS: XP Pro, Vista Business, Suse Linux, Win98 SE

Re: Digital Certificates
Thanks, I read this too, but I have a hard time understanding one thing. The private key has to be shared with all computers for self-signed certs in order to not get the security warning message. I thought if I sign it myself, then send a message, the person receiving the message would receive my public key and be able to decrypt my digital signature (that was encrypted with my private key). Do I have this backwards?
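
What a self-signed certificate contains, and what a client has to import for validation to pass, can be checked directly with the OpenSSL command line. This is an added example, not part of any post in the thread; the host name `ftp.example.test` and the file names are placeholders, and it assumes `openssl` (1.1.1 or later) is installed.

```bash
# Added example (constructed): ftp.example.test and all file names are placeholders.
set -u
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Create a key pair and a certificate signed by its own private key.
make_self_signed() {   # $1 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=ftp.example.test" \
    -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# True if the public key inside the certificate is the public half of server.key.
cert_matches_key() {
  [ "$(openssl x509 -in "$1/server.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/server.key" -pubout)" ]
}

# True only if private key material were present in the certificate file.
cert_has_private_key() { grep -q "PRIVATE KEY" "$1/server.crt"; }

# Chain validation as a client does it. $1 = certificate,
# $2 = optional file of certificates the client has been told to trust.
client_trusts() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify "$1" >/dev/null 2>&1
  fi
}

# Sign with the private key, then check the signature using only the
# public key taken from the certificate.
signature_verifies() {
  printf 'hello from the server\n' > "$1/msg.txt"
  openssl dgst -sha256 -sign "$1/server.key" -out "$1/msg.sig" "$1/msg.txt"
  openssl x509 -in "$1/server.crt" -noout -pubkey > "$1/pub.pem"
  openssl dgst -sha256 -verify "$1/pub.pem" -signature "$1/msg.sig" \
    "$1/msg.txt" >/dev/null
}

make_self_signed "$workdir"
cert_matches_key "$workdir"     && echo "certificate carries the public half of server.key"
cert_has_private_key "$workdir" || echo "certificate file contains no private key"
client_trusts "$workdir/server.crt" || echo "client without the cert: validation fails (warning)"
client_trusts "$workdir/server.crt" "$workdir/server.crt" \
  && echo "client that imported server.crt: validation OK"
signature_verifies "$workdir"   && echo "signature verified with the public key alone"
```

Only `server.crt` is copied to client machines; `server.key` stays on the server.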

#9
Manager, Networking Forums
Join Date: Sep 2002
Location: S.E. Pennsylvania, US
Posts: 41,787
OS: Windows 7, XP-Pro, Vista, Linux
Blog Entries: 1

Re: Digital Certificates
I've never tried to create my own certificate, so I'm not sure exactly what the process is. However, I'm good with a Google search.

#10
Registered User
Join Date: Aug 2006
Posts: 320
OS: XP Pro, Vista Business, Suse Linux, Win98 SE

Re: Digital Certificates
haha, alright. I'll have to take it for what it is. I'll punch in a few more things into the google machine lol and see what will happen. Ha, thanks.

#11
Registered User
Join Date: Mar 2009
Posts: 58
OS: XP

Re: Digital Certificates
If you can't find an answer, check out www.techexams.net
There are a number of people there who have high-level security certs (CISSP, CISA, etc.) and they can surely answer this question.