Suppose throughout these questions that Carleton College wishes to obtain an X.509 certificate
from a suitable certificate authority (CA)
for its domain carleton.edu and any relevant subdomains, such as www.carleton.edu, apps.carleton.edu, etc.
Try to provide answers that are both concise and complete. Some questions can be answered completely in just a sentence or
two (e.g. "what is the principal job of a certificate?"), while others require answers with a fair amount of detail
(e.g. "what steps does a CA take to create a certificate?"). Use your judgment about how to make your
answers long enough, but no longer than necessary.
General questions
- What is the principal job of a certificate?
- What benefits does Carleton receive from having a certificate?
- What benefits do users of the carleton.edu website receive from Carleton's having a certificate?
Creating a certificate
- What information does Carleton have to provide to its CA before the CA can create the certificate?
- Once the CA has the necessary information, what steps does it take to create the certificate?
Using the certificate
- From where does the browser used by a visitor to carleton.edu obtain the certificate? (Or in other
words, where is the carleton.edu certificate stored?)
- What information does the visitor's browser require to check the validity of Carleton's certificate?
- Do Chrome, Safari, Firefox, Edge, etc. have that information, and if so, how did they get it?
- What steps does the browser take to check the validity of the certificate?
Simple openssl operations with a certificate
- Get a copy of carleton.edu's certificate, and save it as a file named "carleton.edu.cer".
- What file format does carleton.edu.cer use?
- What openssl operation can you use to verify that the certificate is valid? (This is analogous
to the "What steps..." question in the previous section, but you're doing it on the command
line instead of letting your browser do it.)
- What openssl operation can you use to see a human-readable representation of the contents of
carleton.edu.cer?
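The following is an added, offline walk-through of the operations the "Creating a certificate" and "Simple openssl operations" sections ask about; it is example code written for this page, not part of the assignment. Because it cannot reach the live carleton.edu server, it stands up a throwaway private CA (named "Example Test CA", an assumed name) and issues a test certificate for carleton.edu with the three hostnames from the question as subject alternative names. The real certificate would instead be fetched with `openssl s_client -connect carleton.edu:443 -showcerts` and saved as carleton.edu.cer; the format check, verification and dump steps then apply to it unchanged. The `WORK` directory is a scratch location created by the script.

```shell
#!/bin/sh
# Added example: a local CA issues a certificate for carleton.edu, then the
# resulting file is classified (PEM vs DER), verified, and dumped with openssl.
# All key material and the CA name are constructed test data.
set -e
WORK="${WORK:-$(mktemp -d)}"

# CA side: a self-signed root that will sign Carleton's request (assumed name).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.cer" 2>/dev/null
}

# Applicant side: Carleton generates a key pair and a certificate signing
# request carrying its identity and public key. The private key stays here.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=US/ST=Minnesota/L=Northfield/O=Carleton College/CN=carleton.edu" \
        -keyout "$WORK/carleton.key" -out "$WORK/carleton.csr" 2>/dev/null
}

# CA side again: attach the hostnames and validity period, then sign the
# request with the CA's private key. The output is carleton.edu.cer.
sign_csr() {
    printf 'subjectAltName=DNS:carleton.edu,DNS:www.carleton.edu,DNS:apps.carleton.edu\n' \
        > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/carleton.csr" \
        -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 30 -extfile "$WORK/san.ext" \
        -out "$WORK/carleton.edu.cer" 2>/dev/null
}

# Tell PEM (Base64 text between BEGIN/END CERTIFICATE lines) from DER (raw
# binary): a DER file has no header line, but openssl can still parse it.
detect_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Convert a PEM certificate to DER, the other common on-disk encoding.
to_der() {
    openssl x509 -in "$1" -outform DER -out "$2"
}

# Command-line version of what a browser checks: a trusted CA signed the
# certificate, it is within its validity period, and it was issued for the
# hostname being visited. $1 = certificate file, $2 = hostname.
verify_cert() {
    if openssl verify -CAfile "$WORK/ca.cer" -verify_hostname "$2" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Human-readable dump: issuer, subject, validity dates, public key, SANs, signature.
show_cert() {
    openssl x509 -in "$1" -noout -text
}

make_ca
make_csr
sign_csr
echo "format: $(detect_format "$WORK/carleton.edu.cer")"
echo "www.carleton.edu: $(verify_cert "$WORK/carleton.edu.cer" www.carleton.edu)"
echo "evil.example:     $(verify_cert "$WORK/carleton.edu.cer" evil.example)"
show_cert "$WORK/carleton.edu.cer" | sed -n '1,12p'
```

Two points worth noticing when running this: `openssl verify` only reports OK because the test CA is passed explicitly with `-CAfile`, which plays the role of the browser's built-in trust store, and the hostname check succeeds for the names listed in the subjectAltName extension and fails for any other name, even though the CA signature itself is valid in both cases.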
If we wanted to go even further, we could use openssl to create our own certificate authority,
create our own certificates, convince our local machine's browser to accept our CA as trustable, etc.
We could also obtain a certificate for our own domains using the free (i.e. no payment required)
Let's Encrypt CA.