Nothing to hand in. This set of questions is intended to help guide your
reading as you learn about PKI and certificates.
Suppose throughout these questions that Carleton College wishes to obtain an X.509 certificate
from a suitable certificate authority (CA)
for its domain carleton.edu and any relevant subdomains, such as www.carleton.edu,
apps.carleton.edu, etc.
Try to provide answers that are both concise and complete. Some questions can be
answered completely in just a sentence or two (e.g. "what is the principal job of a
certificate?"), while others require answers with a fair amount of detail
(e.g. "what steps does a CA take to create a certificate?"). Use your judgment
about how to make your answers long enough, but no longer than necessary.
General questions
- What is the principal job of a certificate?
- What benefits does Carleton receive from having a certificate?
- What benefits do users of the carleton.edu website receive from Carleton's
having a certificate?
Creating a certificate
- What information does Carleton have to provide to its CA before the CA
can create the certificate?
- Once the CA has the necessary information, what steps does it take to create
the certificate?
Using the certificate
- From where does the browser used by a visitor to carleton.edu
obtain the certificate? (Or in other words, where is the carleton.edu
certificate stored?)
- What information does the visitor's browser require to check the validity
of Carleton's certificate?
- Do Chrome, Safari, Firefox, Edge, etc. have that information, and if so,
how did they get it?
- What steps does the browser take to check the validity of the certificate?
Simple openssl operations with a certificate
- Get a copy of carleton.edu's certificate, and save it as a file named "carleton.edu.cer".
- What file format does carleton.edu.cer use?
- What openssl operation can you use to verify that the certificate is valid? (This is analogous
to the "What steps..." question in the previous section, but you're doing it on the command
line instead of letting your browser do it.)
- What openssl operation can you use to see a human-readable representation of the contents of
carleton.edu.cer?
If we wanted to go even further, we could use openssl to create our own certificate
authority, create our own certificates, convince our local machine's browser to
accept our CA as trustable, etc. We could also obtain a certificate for our own domains
using the free (i.e. no payment required)
Let's Encrypt CA.
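As an added example (not part of the assignment), here is an offline version of the openssl exercise above, combined with the "create our own certificate authority" idea from the closing paragraph: it builds a throwaway CA, issues a constructed certificate for carleton.edu, and then performs the file-format check, the command-line validity check and the human-readable dump. The CA name, config sections, helper function names and file names are all assumptions; only the openssl commands are real.

```shell
#!/bin/sh
# Added example: offline walk-through of the openssl operations asked about above.
# Rather than fetching the real carleton.edu certificate, it stands up a throwaway CA
# and issues a certificate for carleton.edu, so it runs without network access.
# Assumptions: openssl 1.1.1 or newer on PATH; all files go into a temp directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Minimal config: a [req] stub (req insists on one) plus two extension sections,
# one for the CA's own root certificate and one for the leaf it will issue.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:carleton.edu, DNS:www.carleton.edu
EOF
# The CA: a key pair and a self-signed root certificate (what a browser must trust).
openssl req -x509 -config ext.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
  -keyout ca.key -out ca.pem -subj "/CN=Lab Root CA (constructed)" -days 30 2>/dev/null
# What Carleton hands the CA: a CSR carrying its public key and the requested name.
openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
  -keyout carleton.key -out carleton.csr -subj "/CN=carleton.edu" 2>/dev/null
# What the CA does with it: sign the CSR and attach the names it has validated.
openssl x509 -req -in carleton.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 30 \
  -extfile ext.cnf -extensions leaf_ext -out carleton.edu.cer 2>/dev/null
# The same certificate in the other common encoding, for the file-format question.
openssl x509 -in carleton.edu.cer -outform DER -out carleton.edu.der

# Format check: PEM is Base64 text between BEGIN/END lines, DER is raw binary.
cert_format() {
  if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM; else echo DER; fi
}
# Command-line counterpart of the browser's check: chain to a trusted root, verify
# signatures and validity dates, and confirm the hostname matches a SAN entry.
verify_cert() {
  if openssl verify -CAfile ca.pem -verify_hostname "$2" "$1" >/dev/null 2>&1
  then echo valid; else echo invalid; fi
}
# Human-readable dump of subject, issuer, validity, public key and extensions.
show_cert() { openssl x509 -in "$1" -noout -text; }
```

Pointing `-CAfile` at the real CA bundle instead of `ca.pem` (and skipping the CA and signing steps) turns `verify_cert` into the check you would run on a downloaded carleton.edu.cer.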