Abstract
- Also known as a Digital Certificate
- Contains the server's Public Key, which the client uses in the key exchange that establishes the symmetric session key
- Sent with a Digital Signature (created by a Certificate Authority (CA)) which is used to verify the digital certificate on the Client side
- The component that powers TLS
Show certificate information
openssl x509 -in <YOUR_CERTIFICATE_FILE_NAME> -text -noout
Self-signed Certificate
- A self-created X.509 Certificate that isn’t signed by anyone else
- Without a trusted Digital Signature on the X.509 Certificate, it is prone to a Man-in-the-middle Attack, because the Client has no way to check whether the X.509 Certificate was modified on its way from the Server
Use Terraform to create a self-signed cert with a self-signed CA
Refer to Certificate Authority (CA) to set up the self-signed CA first!
Not scalable
We need to ensure each client trusts the self-signed root CA cert in order to trust the certs signed by that root CA cert. This isn’t a scalable solution when the number of clients grows!
A way around this is to use LetsEncrypt Certificates for the LAN - YouTube. Or, if our clients are onboarded to a service like Microsoft Intune, we can push the self-signed root CA down automatically as part of the client’s onboarding workflow.
Certificate Authority (CA)
- The entity that is trusted by the Client. The CA signs the Server's X.509 Certificate with its Private Key; the resulting signature is known as the Digital Signature
- The Server always sends the digital signature together with its X.509 Certificate to the client, so the client can validate the digital signature with the public key of the Certificate Authority (CA) it trusts. The validation fails if the X.509 Certificate has been manipulated by an attacker
Use Terraform to create a self-signed root CA Cert
Show certificate info for a certificate signing request
openssl req -text -noout -in <YOUR_CERTIFICATE_SIGNING_REQUEST_FILE_NAME>
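The signing and client-side validation described under Certificate Authority (CA), together with the Man-in-the-middle caveat under Self-signed Certificate, as a runnable added example. This script is not from the original note; it only assumes the openssl CLI is installed, and the file names and the demo-ca / demo-server common names are made up for the demonstration.

```shell
#!/bin/sh
# Added example: build a self-signed root CA, sign a server cert with it,
# and show how the client-side check behaves for a genuine cert, a cert
# modified in transit, and an impostor's self-signed cert with the same name.
# All names (demo-ca, demo-server, file names) are constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-signed root CA: private key + self-signed certificate (what a client must trust).
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Server key + CSR, then the CA signs the CSR with its private key.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=demo-server" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 90 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null
}

# An impostor's self-signed cert claiming the same name: nobody the client
# trusts has signed it, so it cannot be distinguished from a forgery.
make_impostor_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 \
    -subj "/CN=demo-server" \
    -keyout "$WORK/impostor.key" -out "$WORK/impostor.crt" 2>/dev/null
}

# Simulate modification in transit: change one byte of the subject name in
# the DER encoding (same length, so the ASN.1 structure stays valid) and
# re-encode as PEM. The CA's signature no longer covers these bytes.
tamper_cert() {  # $1 = genuine PEM cert, $2 = output PEM cert
  openssl x509 -in "$1" -outform DER -out "$WORK/t.der" 2>/dev/null
  off=$(grep -abo "demo-server" "$WORK/t.der" | head -n 1 | cut -d: -f1)
  [ -n "$off" ] || { echo "subject not found in DER" >&2; return 1; }
  printf 'x' | dd of="$WORK/t.der" bs=1 seek="$off" count=1 conv=notrunc 2>/dev/null
  openssl x509 -inform DER -in "$WORK/t.der" -out "$2" 2>/dev/null
}

# "Client side": check the cert's signature chains to the CA cert we trust.
# Prints ok or fail so callers can branch on the result.
verify_against_ca() {  # $1 = cert to check, $2 = trusted CA cert
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Same idea as the note's "openssl x509 -in <cert> -text -noout", shortened.
show_cert() { openssl x509 -in "$1" -noout -subject -issuer; }

main() {
  make_root_ca
  make_server_cert
  make_impostor_cert
  tamper_cert "$WORK/server.crt" "$WORK/tampered.crt"
  for c in server tampered impostor; do
    show_cert "$WORK/$c.crt"
    echo "$c.crt -> $(verify_against_ca "$WORK/$c.crt" "$WORK/ca.crt")"
  done
}

main
```

Only the genuine server cert passes: the tampered copy fails with a signature mismatch, and the impostor's self-signed cert fails because no trusted CA vouches for it, which is exactly why a client must already hold the root CA cert (see Trust Self-signed CA below) for any of this to work.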
Trust Self-signed CA
MacOS
- Drag and drop the CA cert into Keychain Access under System Keychain
- Set the trust setting of the cert to Always Trust
iPhone
- Upload the CA cert to Files
- Open the CA cert to install the CA cert
- Verify the CA cert under VPN & Device Management
- Enable full trust for the CA cert under Certificate Trust Settings
Android
- Double click to install and trust the CA Cert