What is the certificate?

slart · October 13, 2016, 6:20pm

What is the “certificate” and where can I find it?
What do the keys of a certificate play for a role?
Is the certificate renewed when (only) new keys (.pem) are generated?

schoen · October 13, 2016, 8:15pm

Hi @slart,

Are you wondering about the nature and role of the certificate for computer security, or where particular software like Certbot has saved the certificate on your computer? Like “why do we use digital certificates and for what purpose”, or like "which file on my computer contains my certificate after I obtain it with certbot certonly"?

It is possible to renew a certificate (obtain a new one) using the same keys as the old certificate. Currently the Certbot client in particular never attempts to do this, and always generates a new key upon renewal. This behavior could change in the future.

slart · October 13, 2016, 9:35pm

nearly this:

If the keys are renewed, is the certificate renewed, or only the keys?
The difference between certificate and keys is not quite clear. The certificate is renewed when (only) the keys are renewed? Or is even more renewed, except the keys?

TCM · October 13, 2016, 10:31pm

A certificate is a proof by someone else that a certain public key belongs to a certain identifier (hostname). A certificate has a limited validity period, which means you must renew it.

You can renew a certificate without changing the key that is being certified. You must renew a certificate if the key changes, obviously.

tialaramex · October 14, 2016, 12:01am

The certbot software often used for Let’s Encrypt keeps each renewed certificate in a separate file, but it updates a link so that the same filename leads to the latest file with the latest certificate in a family and thus software relying on the certificate can just re-load the same filename to get the new certificate.

Certificates are public documents, you can look inside one to see what’s included, e.g. here’s one for the GIMP (image editing software) web site. https://crt.sh/?id=36617375

You can see the document states the public key (the corresponding private key should be known only to the person who legitimately obtained the certificate), it has a validity period, a list of “alternative” names for the subject, which are other DNS names controlled by GIMP. And right at the end it has a signature, which is mathematical proof that this document, the certificate, was genuinely signed by the Issuer, Let’s Encrypt Authority X3.

A renewed certificate would have at least a newer validity period and a new signature. Most often it would also have a new public key (because changing the keys every so often is good for security, like changing your passwords) but this is not required.

slart · October 14, 2016, 7:25am

You mean the symlinks in /letsencrypt/live/ ?[quote="tialaramex, post:5, topic:21084"]
web site. crt.sh | 36617375
[/quote]
Thats great. I have found 16 certs for (only) one of my domains.

Certificates(14)
Not Before    Not After    Subject Name
12.10.16    10.01.17    CN=example.com
12.10.16    10.01.17    CN=example.com
12.10.16    10.01.17    CN=example.com
12.10.16    10.01.17    CN=example.com
12.10.16    10.01.17    CN=example.com
12.10.16    10.01.17    CN=example.com
12.10.16    10.01.17    CN=example.com
12.10.16    10.01.17    CN=example.com
12.10.16    10.01.17    CN=example.com
12.10.16    10.01.17    CN=example.com
12.10.16    10.01.17    CN=example.com
19.07.16    17.10.16    CN=example.com
19.07.16    17.10.16    CN=example.com
16.06.16    14.09.16    CN=example.com

Certificates (2)
Not Before     Not After     Subject Name
2016-10-13     2017-01-11     CN=www.example.com
2016-10-13     2017-01-11     CN=www.example.com

Questions:
Are these really 16 different certificates?
Or are the old/new listed, if one was only renewed (with old/new expiration date)?
So a new certificate is issued for every "certonly", "certonly --expand" and "renew"?

Sorry, this is all new to me. I have Let's certificates now for about half a year in use. So far I have no renew (with renew script) without problems succeeded. And also no changing the domains for a certificate without problems. Unfortunately, the domains (alternative, but also common) have changed frequently.

tialaramex · October 14, 2016, 9:06am

Yes, the symlinks are what I meant.

I can’t be sure exactly what the certificates you saw on crt.sh signify without seeing the real DNS name, which I understand you might not want to share.

Renewed certificates are really different certificates, although we speak of “renewing” the certificate, actually a new one is produced with different dates in it. If you have a photo driving license or a passport you may be used to this idea - a “renewed” driving license is just a brand new license but with a later expiry date on it than your old one.

slart · October 14, 2016, 2:05pm

OK.
A renewed cert is also not the current “paper” with new stamp/seal, it’s a new “paper” with new stamp/seal.

Where can i find this “paper”? It’s a file?

tialaramex · October 14, 2016, 5:26pm

Yes, the exact name/ location of the file on your system may vary of course. If you have used the “certbot” software then it will be in a file named cert.pem and the exact path will vary depending on the first DNS name you asked for in the certificate and some other considerations.

/etc/letsencrypt/live/example.com/cert.pem is where I’d expect to find the current certificate for a server named example.com

The same certificate would also be included in the file fullchain.pem, which basically consists of the contents of cert.pem and chain.pem, concatenated together for convenience. Most software will use the fullchain.pem file, some requires separate cert.pem and chain.pem files to function. So certbot provides all three.

slart · October 14, 2016, 6:34pm

Aha. Logical. cert.pem = certificate.
The current certificate can be found using symlink /letsencrypt/live/example.com/cert.pem. → /letsencrypt/archive/example.com/cert(x).pem. OK.

When I open the cert.pem in SFTP, I only see this:

----- BEGIN CERTIFICATE -----
SY / tOa / 7oMHBMA0GCSqGSIb3DQEBCwUA
…
ZlDtoSSZHTkS6CFDM // dqa3RCE7bYEf5
----- END CERTIFICATE -----

The WebHoster requires importing the generated certificate to activate.

add-certificate -k ~/.config/letsencrypt/live/example.com/privkey.pem -c ~/.config/letsencrypt/live/example.com/cert.pem

The certificate will validated (also other, not Lets, certificates) with this “import”.

Questions:

1.) Who creates the file full_cert(x).pem?

2.) How can I see the encrypted content / information of the certificate? (Without crt.sh)

3.1.) Is there a bash-command for the SSH shell to display the encrypted certs?
3.2.) Is there a bash-command for the SSH shell to display the serial number of a certs?

serverco · October 14, 2016, 7:30pm

Fullchain.pem is simply all certificates, including server certificate in one file. The server certificate is the first one in this file, followed by any intermediates. certbot creates this from the other files.

You can use the bash command
openssl x509 -in cert.pem -noout -text

as before
openssl x509 -in cert.pem -noout -text
where cert.pem is your certificate file

openssl x509 -in andy-beckett.com.crt -noout -text | grep -A1 "Serial Number"

system · November 13, 2016, 7:35pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.