Certificate Authorities

3.4. Certificate Authorities#

A Certificate Authority (CA) is a trusted third-party organisation that verifies the identity of entities (such as websites or individuals) and issues digital certificates to them.

Responsibilities of a CA

  1. Verifying an entity’s identify. The CA must check that an entity can prove their identity to prevent fraud.

  2. Generating and signing certificates. The CA uses their private key to sign each certificate.

  3. Revoking certificates. If a certificate is compromised, the CA publishes it to a public revocation list.

3.4.1. Certificate Authority Hierarchy#

CAs are organised in a hierarchical structure, with Root CAs at the top and Intermediate CAs below them. This separation increases security by limiting exposure of highly sensitive Root CA private keys.

Root Certificate Authorities (Root CAs)#

Root CAs are the top of the hierarchy. Generally root CAs do not sign certificates verifying the identity of individual entities.

Instead root CAs sign intermediate CA certificates.

Examples of Root CAs:

  • DigiCert Root CA

  • GlobalSign Root CA

  • Let’s Encrypt Root CA

Intermediate Certificate Authorities (Intermediate CAs)#

Intermediate CAs act as a middleman between Root CAs and end users. They issue the majority of certificates for individual entities.

Intermediate CAs have their own certificates, which have been issued and signed by root CAs.

How Intermediate CAs Issue Certificates

  1. The applicant submits their public key and identity details to the intermediate CA

  2. The intermediate CA creates and signs a certificate containing:

  • The applicant identifiers

  • The contents of the intermediate CA’s certificate

How Intermediate Certificates are Verified

A certificate issued by intermediate certificate can be verified by checking that:

  1. The intermediate certificate is valid

  2. The root certificate contained inside the intermediate certificate is valid

Most operating systems come pre-installed with a list of Root CAs and their public keys.

Code Challenge: Act as a CA

To verify the identities of spies within MI6, you’ve been asked by M to act as the Certificate Authority.

Write a script that generates signed certificates for other agents.

Requirements

  • The script must accept a public key and an identifier string (e.g. a name)

  • The script must generate a certificate in the format shown in the example below

  • The expiration date is one year from the date of signing

  • Signing

    • Use the private key found in private_key.txt to sign the certificate

    • Hash and sign the lines “public key”, “identity”, “issuer” and “expiration date”

    • Hash using SHA-256

Example

Enter public key: 04A3B5C8D9E1F213A4B6C7D8E9F0123456789ABCDEF0123456789ABCDEF0123
Enter your identifier: Alice

-----BEGIN DIGITAL CERTIFICATE-----
Public Key: 04A3B5C8D9E1F213A4B6C7D8E9F0123456789ABCDEF0123456789ABCDEF0123
Identity: Alice
Issuer: MI6 CA
Expiration Date: 2026-03-07
Signature: XLzkSqsofo0sMYu7Lq9dafz7ErvPiCGD2XdJ1FgAxwThCHZJzTqTTLJ/i3PqYpsZmPXrY7b00k2sge3vnt812jiZz8+QlfDMzAfyxmD9CvWaytLcpv2DhWUzDYb0c4WWF8dwlyRXayvpQ48i7TpfbnQViUmCokfaVorymRw2kPI=
------END DIGITAL CERTIFICATE------

Hints and Tips

  1. Generate a hash and signature using the same approach in “Sign a message”

  2. You can generate the date, one year from now using

import datetime
from dateutil.relativedelta import relativedelta

expiration_date = datetime.datetime.now() + relativedelta(years=1)

expiration_str = expiration_date.strftime("%Y-%m-%d")

print(expiration_str)

Download the scaffold and write your code in exercise.py.

SCAFFOLD_act_as_a_ca.zip

Solution

Solution is locked

Code Challenge: Verify Certificates

M has assigned you a new mission where you are working with colleagues in the CIA. You will be communicating with these colleagues using their public key.

Complete the script to verify certificates issued by the CIA certificate authority.

M, has given you the public key of the CIA CA which is:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5SQnq8m36zibnOowkkUj+3bHPFF9S5b/Xv8iQFaVls2T6EXBNDv3G4AI6DVJWyaGbm1JolgLZAxr1iAmsyjM4liNnf2Eq51CGvq+MDMDNKFdsQUQl0frZGtYgT7/AaE1e28a7GE8EA3xCSuiRicH1wttwWpD6Pr5ZK1BrTlwJPwIDAQAB

Requirements

  • The script must print either “CERTIFICATE VALID” or “CERTIFICATE NOT VALID” at the end.

  • A valid certificate must:

    • not be expired

    • have a matching hash

  • The certificate contents have been hashed with SHA-256 to generate the signature

  • The contents are the entire lines for “public key”, “identity”, “issuer” and “expiration date”.

Example

Enter a certificate (copy and paste):
-----BEGIN DIGITAL CERTIFICATE-----
Public Key: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDv8B+rEXc4qszL/10X6pgECZqQERS/T0NYe/0zj1pTEBwCb17b5PR2MXZw3JS3aBSmQuHPUIitLEX0bqB1SveB3uTiPmKra7gF1pbFUZuE45VuHOvT8DfNt6qY7gHeKlFpq95U1vOR/JTgbfyol+PLyVp2YxvdwzbOt8/ex2ZXtwIDAQAB
Identity: Jason Bourne
Issuer: CIA
Expiration Date: 2035-10-14
Signature: dNDK/pBHFw4zJ6gg0gPgoEJxooMqkV8FA8adJRei1XGK75eIwVPvc2i9g7qFfPpls+58LEstvMl2W+ZNHve0gzzN+XXnUui1kpdk9zyMHTm7HRe5mPDKYVEo4AKx+1/Nebp41TGvDLGoAkPVyYDpmucih5FrmubdCllo2TvFNC0=
------END DIGITAL CERTIFICATE------

CERTIFICATE VALID

Hints and Tips

You can parse a string into a datetime object using

import datetime
expiration_date_str = "2025-01-01"
expiration_date = datetime.datetime.strptime(expiration_date_str, "%Y-%m-%d")
print(expiration_date)

You can compare datetime objects

import datetime

past_date = datetime.datetime(2024, 9, 17)
now = datetime.datetime.now()
print(past_date < now)

Download the scaffold and write your code in exercise.py.

SCAFFOLD_verify_certificates.zip

Solution

Solution is locked