SSL TLS && Certificates
lukes8 edited this page Feb 4, 2025 · 3 revisions
For the URL https://ewp.auth.gr/, the certificate hierarchy is:
- Aristotle University of Thessaloniki → End-Entity (Leaf) Certificate
  - This is the actual certificate used by `ewp.auth.gr` to encrypt traffic.
  - It is signed by HARICA Institutional TLS RSA 2.
- HARICA Institutional TLS RSA 2 → Intermediate Certificate
  - This acts as a bridge between the website's certificate and the root.
  - It is signed by HARICA TLS RSA Root CA 2021.
- HARICA TLS RSA Root CA 2021 → Root Certificate
  - This is a trusted CA certificate, included in trusted truststores (like Java, browsers, OS).
  - It is signed by Hellenic Academic and Research Institutions RootCA 2015.
- Hellenic Academic and Research Institutions RootCA 2015 → Root Certificate
  - This is the final trust anchor.
  - This certificate is self-signed and included in many truststores.
🔗 How the chain works:
- The browser/server receives the "Aristotle University of Thessaloniki" certificate.
- It checks who signed it → HARICA Institutional TLS RSA 2.
- It then checks who signed HARICA Institutional TLS RSA 2 → HARICA TLS RSA Root CA 2021.
- Finally, it checks the Root CA, which is included in trusted truststores (e.g., OS, Java, browser).
🌱 The root certificate is the ultimate source of trust. Since it's pre-installed in truststores, all lower-level certificates in the chain are automatically trusted.
- Chrome: 🔍 Click the lock icon in the address bar → "Certificate" → "Certification Path".
- Firefox: 🔍 Click the lock icon → "Connection Secure" → "More Information" → "View Certificate".
Run this in Linux/macOS to see the certificate chain:
```bash
echo | openssl s_client -connect ewp.auth.gr:443 -showcerts
```
| Feature | Keystore | Truststore |
|---|---|---|
| Purpose | Stores private keys & certificates | Stores only trusted certificates |
| Contains | Private keys, public keys, certificates | Only public certificates |
| Used by | Servers (e.g., SSL/TLS, mutual TLS) | Clients (to verify servers) |
| Default File | `.jks`, `.p12` | `$JAVA_HOME/lib/security/cacerts` |
| Password Protected | Yes (to protect private keys) | Yes (to protect integrity) |
| Managed by | `keytool` | `keytool` |
| Private Keys | ✅ Yes | ❌ No |
| Acts as | A storage for authentication | A manifest of trusted certificates |
Keystore:
- Stores private keys + certificates (used for authentication).
- Contains private keys, public keys, and certificates.
- Used by servers (e.g., HTTPS, SSL/TLS, mutual TLS).
- Default file format: Custom (`.jks`, `.p12`).
- Password protected (for integrity and private key security).
- Managed using `keytool`.
- Can contain both private keys and certificates.

Truststore:
- Stores only trusted certificates (used for verification).
- Contains only public certificates.
- Used by clients (to verify server certificates).
- Default file: Java's default truststore (`$JAVA_HOME/lib/security/cacerts`).
- Password protected (for integrity, but no private keys).
- Managed using `keytool`.
- Acts as a manifest of all trusted certificates.
- A truststore is essentially a list of all trusted public certificates.
- It helps verify the authenticity of external services (e.g., Google, Amazon, Let's Encrypt).
Every certificate includes:
- Subject: Who the certificate is issued to (e.g., `CN=google.com, O=Google LLC, C=US`).
- Issuer: The Certificate Authority (CA) that issued it (e.g., `CN=DigiCert, O=DigiCert Inc, C=US`).
- Public Key: The public key (RSA, ECC, etc.).
- Serial Number: Unique identifier of the certificate.
- Signature: Digital signature from the CA to prove authenticity.
- Validity Period: Start and expiry date of the certificate.
- Fingerprint: Unique hash (SHA-256) of the certificate.
```text
Certificate:
    Data:
        Serial Number: 1234567890ABCD
        Issuer: CN=GlobalSign Root CA, O=GlobalSign, C=BE
        Subject: CN=google.com, O=Google LLC, C=US
        Validity:
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Jan  1 23:59:59 2026 GMT
        Subject Public Key Info:
            Public Key Algorithm: RSA (2048-bit)
    Signature Algorithm: SHA256withRSA
    Fingerprint: SHA-256: AB:CD:EF:12:34:...
```