Certificate Authorities Explained

Introduction

We all know that security and safety on the internet are important, but we may not necessarily know what is happening behind the scenes to let us browse the internet or connect to a remote resource securely. Typically, the everyday user browsing the internet knows to look for two things when accessing a website:

While the everyday user may know to look for these two visual cues, they likely do not know what is going on behind the scenes to allow the browser to use them. Gravitational offers simple and secure privileged access management for company-wide infrastructure through a certificate authority approach with Teleport.

As a company building a certificate authority solution, we wanted to provide some background as to what a certificate authority is and what role it plays in securing communication between a user and a resource.

If any of what you just read is unfamiliar, then you are in the right place to learn - let’s dive in and explore this topic together!

What is a Certificate Authority?

A certificate authority is a trusted 3rd party entity that accomplishes three major tasks:

What this boils down to is “we, the certificate authority, vouch for the owner of the certificate and ensure that they are who they say they are because we have validated the information they claim”.

How Does a Certificate Authority Work?

At a high level, a certificate authority confirms that the information the certificate requester has provided is true and then issues a certificate for the requester to use. In general, the process for getting a certificate authority to issue a signed certificate goes like this:

  1. The requester makes a private key and public key pair and submits an “application” called a certificate signing request (CSR) to a trusted certificate authority. The CSR has all the information about the requester that will be shown on the resulting certificate if approved.

  2. The certificate authority verifies whether the information on the CSR is true. If so, the certificate authority issues and signs a certificate using its (the certificate authority’s) private key, then gives it to the requester to use.

    How Let’s Encrypt does CSR verification:

    • Let’s Encrypt issues a set of challenges to the requester to prove that the domain being requested is controlled by the requester, who either:
      • provisions a DNS record under example.com, or
      • provisions an HTTP resource under a well-known URI on http://example.com/
    • In addition to challenge completion, Let’s Encrypt provides a nonce (an arbitrary number) that the requester must sign with its private key to prove control of the key pair.
    • Once the challenges and nonce signing are confirmed to be complete, the requester is authorized to request, renew and revoke certificates for example.com.

  3. The requester can use the signed certificate for the appropriate security protocol:

    • HTTPS for web access
    • SSH for remote server access

What Kind of Certificates Can a Certificate Authority Provide?

Certificate authorities can issue and sign SSL certificates and client certificates. There are three types of SSL certificates with varying levels of validation requirements:

SSL certificates are used on servers and are the most common certificate that an everyday user would come in contact with. Nearly every modern browser checks that a server certificate is issued by a trusted certificate authority. If the browser detects that the server certificate is self-signed or not signed by an approved, trusted certificate authority then visitors will receive a warning that the server certificate cannot be trusted.

This can negatively impact the traffic of a website, as users will be less likely to continue using or trusting it. A website’s search engine optimization ranking will also be negatively affected if the server has a certificate not signed by a trusted certificate authority, as Google flags those as a certificate error. To avoid unintentionally harming your product, use a trusted certificate authority for all your SSL certificate signing needs.
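The issuing steps from the previous section and the browser-side check just described, as an added example written for this post (not Teleport's own code) using only Go's standard crypto/x509 package: a requester builds a CSR, the certificate authority checks the CSR's signature and issues a certificate signed with its own key, and Verify does what a browser does by chaining the server certificate to a trusted root for the expected host. The CA name and the example.com host are constructed, and the Let's Encrypt domain-control challenges are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign DER-encodes tmpl, signs it with priv (the parent's key) and parses the result.
func sign(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewRootCA builds a self-signed CA certificate (constructed name): the trust anchor a browser keeps in its store.
func NewRootCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}
// NewCSR is step 1: the requester generates a key pair (kept private) and a signing request naming host as a SAN.
func NewCSR(host string) (*x509.CertificateRequest, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{DNSNames: []string{host}}, key)
	return x509.ParseCertificateRequest(der) // the DER bytes are what the CA receives and parses
}
// IssueFromCSR is step 2: the CA checks the CSR's signature (proof the requester holds the private key; the
// domain-control challenge is outside this example) and signs a server certificate with its own key.
func IssueFromCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csr *x509.CertificateRequest) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	return sign(tmpl, ca, csr.PublicKey, caKey)
}
// Verify is the browser's check on connect: chain cert to a trusted root and match the host name.
func Verify(cert, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

A certificate signed by a root that is not in the pool, such as a self-signed server certificate, fails Verify with an unknown-authority error, which is the condition behind the browser warning described above.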

When connecting via SSH to a server that is configured to accept client certificates (instead of the default key authentication), a client will only be authorized during the SSH handshake if the server trusts the certificate authority that signed the unexpired client certificate being presented. This is an efficient solution to authorization because the server already has the public keys of the certificate authorities it trusts and requires no extra effort. If you would like to dive deeper into how the SSH handshake works, check out this post by my fellow Gravitron Russell Jones!

Conclusion

A certificate authority plays the key role of establishing trust and facilitating secure communication between a user and a resource by verifying that the organization or client in question is who they say they are. If you would like to learn more about how Teleport makes implementing a certificate authority solution simple and secure, you can check out our documentation and try out the open source version!

Important Terminology:

SSH or Secure Shell protocol is a network protocol that secures communication between a client and a remote server.

HTTPS or Hypertext Transfer Protocol Secure is a security protocol used to provide privacy, integrity and identification when sending data between a web browser and a website.

SSL or Secure Sockets Layer is the encryption-based Internet security protocol used prior to 1999.

Transport layer security or TLS is the successor to SSL and the currently adopted security protocol that facilitates privacy and data security for communications over the internet. The terms SSL and TLS are used interchangeably.

An SSL certificate or Secure Sockets Layer Certificate is a file hosted on a website’s server that contains information about the organization that the certificate was issued to, the certificate authority that issued it, the CA’s signature and the public key. This file is the basis of what ensures that the browser can recognize the website’s server as trustworthy.

Self-signed SSL certificate is an identity file that is signed by the same organization whose identity it is certifying.

A root certificate is a public key certificate that identifies which certificate authority signed the SSL certificate presented by the server.

The TLS handshake is a process of communication between the user’s browser and the website’s server which involves exchanging and verifying information to provide communications security over networks.

A public key infrastructure (PKI) is a system in which cryptographic key pairs are used to perform authentication and encryption-key exchange securely.

A public key is a cryptographic key that can be provided to and used by anyone to encrypt messages intended for a particular recipient who provided the public key and holds the matching private key.

A private key is a cryptographic key that allows a recipient to decrypt messages that have been encrypted using their public key. This key is meant to be kept secret and only used by its owner.
