mostly using
openssl
tool to manage X.509 Certificates
crypto#Public-Key Cryptography Standards (PKCS)
Public key certificate - Wikiwand
X.509 - Wikiwand
X.509 — Cryptography documentation
x509 package - crypto/x509 - Go Packages
The X.509 elephant in the certificate room: Do other certificate standards even exist? : r/crypto
X.509 数字证书与 SSL/TLS | Jckling's Blog
Abstract Syntax Notation One (ASN.1)
X.680 : Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation
ASN.1 - Wikiwand
ASN.1 Made Simple - Introduction
RFC 6025 - ASN.1 Translation
RFC 5911 - New ASN.1 Modules for Cryptographic Message Syntax (CMS) and S/MIME
RFC 5912 - New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)
PKI
The authentication of server relied on Certificate Authorities (CA) and a public key infrastructure using X.509 certificates.
The server register with a CA who sign the server's public key with the key of CA for a fee. The client, after receiving the public key from server, verifies server's signature of session randoms and the certificate chain.
The Dark Side of Digital Trust
Public-Key Infrastructure (X.509) (pkix)
RFC 5280· - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)
RFC 7250 - Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
draft-ietf-cose-cbor-encoded-cert-13 - CBOR Encoded X.509 Certificates (C509 Certificates)
service-identity documentation host name verification to full RFC 6125
pyca/service-identity: Service Identity Verification for Python
Public Key Infrastructure 101 - IDManagement
Everything you should know about certificates and PKI but are too afraid to ask
Never DIY Your PKI
The State of Certificates for Identity Based Security
PKI Problems: 7 reasons why teams struggle | Keyfactor
What’s the difference between DV, OV & EV SSL certificates?
Domain-validated certificate - Wikiwand
Extended Validation Certificate - Wikiwand
Different levels of identity checks required in TLS/SSL certificates:
Domain Validation (DV): web domain verification
Organization Validation (OV): validating a domain’s owner as well as organization type, name, status, phone number and organization blocklist check
Extended Validation (EV): adding validation of the organization’s registration number, jurisdiction, operational existence, domain fraud check and blocklist checks
Certificate Transparency (CT)
Certificate Transparency - Wikiwand
How CT Works : Certificate Transparency adds two intermediate CA
What is Certificate Transparency? | DigiCert FAQ
what is Certificate Transparency - Phind
Delegated Credentials
short living "subcerts" signed by server cert
better balance between security and reliability
Delegated credential - Wikiwand
RFC 9345 - Delegated Credentials for TLS and DTLS
Delegated Credentials for TLS
Delegated credentials: Improving TLS security - Engineering at Meta
Validating Delegated Credentials for TLS in Firefox - Mozilla Security Blog
Delegated credentials: Improving TLS security - Engineering at Meta
Keyless SSL
Cloudflare's proprietary protocol for using key server
discussion on how the server secret key is used
use Delegated Credentials instead
How does keyless SSL work? | Forward secrecy | Cloudflare
Keyless SSL: The Nitty Gritty Technical Details
Cert Revocation
OSCP and CRL, both are not ideal
Certificate revocation - Wikiwand
Online Certificate Status Protocol vs Certificate Revocation Lists
OCSP vs CRL Explained
Certificate revocation list - Wikiwand CRL covered in RFC 5280 X.509 PKI
Let’s Encrypt 的六天有效 TLS certificate 計畫 – Gea-Suan Lin's BLOG
RFC 2585 - Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP CRL with FTP and HTTP
Online Certificate Status Protocol - Wikiwand alternative to CRL, less data, response of status of a particular cert signed by CA
RFC 6960 - X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP
What is OCSP and how does it work? | Ascertia | Blog
SSL OCSP Exchange
The Slow Death of OCSP | Feisty Duck
Ending OCSP Support in 2025 - Let's Encrypt
Chrome does certificate revocation better | ZDNET
why standard revocation mechanism won't work, Chrome don't use OSCP
Trusted CA
Linux's trusted CA certs are store in /etc/ssl/certs/
:
fd . '/etc/ssl/certs/' -e pem | xargs -d"\n" -n1 -I@ -P(nproc) openssl x509 -in @ -text -noout
Rouge CA
As it turns out, CA may not be trust-worthy after all. There are many instances of CA issuing fraudulent certificates (willingly or being hacked).
https 技术鉴赏 - YouTube
How CT Works : Certificate Transparency the issuance of cert is accompanied by a SCT record on blockchain
RFC 9162: Certificate Transparency Version 2.0
certificate-transparency/docs/SCTValidation.md at master · google/certificate-transparency · GitHub
How CT Works : Certificate Transparency
Engineering deep dive: Encoding of SCTs in certificates - Let's Encrypt
What is Certificate Transparency? - SSL Certificates - Namecheap.com
How the Comodo certificate fraud calls CA trust into question | Ars Technica
Google warns of unauthorized TLS certificates trusted by almost all OSes [Updated] | Ars Technica
Google Chrome will banish Chinese certificate authority for breach of trust | Ars Technica
Trust issues: Know the limits of SSL certificates | InfoWorld
Free public certificate authorities: Nice idea, big flaw | InfoWorld
http://arstechnica.com/search/?ie=UTF-8&q=+Certificate+Authorities
Timestamp Authority (TSA)
RFC 3161 - Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)
RFC 5816 - ESSCertIDv2 Update for RFC 3161
Trusted timestamping - Wikiwand
What is a timestamping authority? | Ascertia | Blog
Free Time Stamp Authority
sigstore/timestamp-authority: RFC3161 Timestamp Authority
TLS Cert
- go to Google
- view cert info
- export/download cert
# view cert info
openssl x509 -inform PEM -in certificate.pem -noout -text
# dump key
openssl x509 -inform PEM -in certificate.pem -pubkey -noout > public_key.pem
# For RSA keys
openssl rsa -inform PEM -pubin -in public_key.pem -modulus -noout
# For ECDSA keys
openssl ec -inform PEM -pubin -in public_key.pem -pubout -text
# For Ed25519 keys
openssl pkey -inform PEM -pubin -in public_key.pem -pubout -text
Key/Cert Types (Encodings)
X.690 - Wikiwand
BER: Basic Encoding Rules
DER: Distinguished Encoding Rules, subset of BER
CER: Canonical Encoding Rules, subset of BER where string are chopped in 1000 bytes chunks
DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them
PEM, DER, CRT, and CER: X.509 Encodings and Conversions - SSL.com
tls - What's the difference between X.509 and PKCS#7 Certificate? - Information Security Stack Exchange ❗!importanpt
SSH vs. X.509 Certificates
RFC 1421 - Privacy Enhancement for Internet Electronic Mail: Part I: Message Encryption and Authentication Procedures PEM
RFC 4716 - The Secure Shell (SSH) Public Key File Format use ssh-keygen
to generate/convert OpenSSH keys
Appendix A: MIME Types — OpenSSL PKI Tutorial
Matching a Private Key to a Public Key
key: no meta data, just the prime numbers and modulus
cert: with meta data
X.509 is the PKI protocol and defines the actual certificate (container) format
DER, PEM, PKCS#7, PKCS#8, PKCS#12 are encoding standards
PEM (Privacy Enhanced Mail) base64 DER, with text headers and footers
File extensions: .pem
, .key
, .csr
, .crt
DER (Distinguished Encoding Rules), binary without text headers and footers
File extensions: .der
, .cer
PKCS (Public-Key Cryptography Standards)
File extensions: .p7b
(PKCS#7/CMS), .pfx
, .p12
(PKCS#12 binary), .csr
(PKCS#10 base64), .req
(PKCS#10)
# view cert
openssl x509 -in cert.pem -text -noout
# match public and private key
openssl x509 -in cert.pem -noout -modulus
openssl rsa -in privkey.pem -noout -modulus
# regenerate public key
openssl rsa -in privkey.pem -pubout
Ciphers
Using Shangmi algorithms
Structure Analysis and Generation of X.509 Digital Certificate Based on National Secret - IOPscience
An example of a X.509 certificate using SM2 / SM3 · GitHub
cert generation
🔐 HTTPS certificate generation explained! Now setup HTTPS for local development environment (without sudo) | Blog
How to create a .pfx/.p12 certificate file using OpenSSL – SSL Information and FAQ
HOWTO: Generate a CSR for OpenSSL – (see tools.ssl.com) – SSL Information and FAQ
ssl - How to create a self-signed certificate with openssl? - Stack Overflow
OpenSSL CSR Tool - Create Your CSR Faster | DigiCert.com
How To Create a Self-Signed SSL Certificate for Nginx in Ubuntu 16.04 | DigitalOcean
Manage sensitive data with Docker secrets | Docker Documentation
Five Tips for Using Self Signed SSL Certificates with iOS | HttpWatch BlogHttpWatch Blog also on own CA
# private key and cert (CSR in the pipeline)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout selfsigned.key -out selfsigned.crt
openssl genrsa -out privatekey.pem 2048 # key only
openssl req -new -key privatekey.pem -out CSR.csr # CSR only
# private key and CSR
openssl req -nodes -new -newkey rsa:2048 -keyout privatekey.key -out CSR.csr
# then sign SSH certificate (.crt) with csr
openssl x509 -req -days 365 -in CSR.csr -signkey privatekey.key -out selfsigned.crt
openssl genpkey -algorithm RSA -out privatekey.pem -pkeyopt rsa_keygen_bits:2048 # private key only
openssl rsa -pubout -in privatekey.pem -out publickey.pem
openssl genrsa -out rsa_1024_priv.pem 1024
openssl rsa -pubout -in rsa_1024_priv.pem -out rsa_1024_pub.pem
query cert
How to examine the metadata of an SSL (HTTPS/TLS) cert
SSL Certificate Tools
# X.509
openssl x509 -text -noout -in certificate.pem
openssl x509 -text -noout -in certificate.cert
# DER
openssl req -text -noout -in certificate.csr
# PKCS#12 (.pfx or .p12)
openssl pkcs12 -info -in key.p12
# read RSA key
openssl rsa -in private.key -text -noout
openssl rsa -RSAPublicKey_in -in public.key -text -noout
OpenSSL Cookbook 3rd Edition - 2.5 Extracting Remote Certificates
conversion
SSL Converter - Convert SSL Certificates to different formats
Converting OpenSSH public keys - Odd Bits
# DER (.crt .cer .der) -> PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
# PEM -> DER
openssl x509 -outform der -in certificate.pem -out certificate.der
# PKCS#12 -> PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
# You can add -nocerts to only output the private key or add -nokeys to only output the certificates.
# PEM -> PKCS#12
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt