SSL/TLS Lecture Series – Episode 19

Published by admin on

This episode is full of demos only, using openssl. Sorry I tried to keep it under 30 min by removing several topics from my agenda, but still ended up with 1+ hour.

– observe certificate chain and depth
– observe cross certified root CA (see diff in depth when compared to self-signed root CA)
– multiple certificate path to reach root CA
– how to build a trusted CA bundle using “go” routine from Mozilla trusted root store
– purpose of -CAfile, -CApath
– default directory where openssl will look for trusted root certs/store
– how to find this directory
– what is “unable to get local issuer certificate” means?
– purpose of Subject Key Identifier
– observe self-signed certificate (subject=issuer)
– Distinguished Name in subject/issuer field
– purpose of CN vs SAN (Subject Alternative Name)
– wildcard cert
– view certificate using openssl and observe all the diff X.509v3 fields in it one by one; what it means?
– how to connect using a particular TLS version?
– how to connect using a particular cipher suite?
– how to show all certs in the chain?
– same server can support multiple types of cert to handle diff authentication algorithm (e.g. one for RSA, one for DSA, one for ECDSA, one for EdDSA)
– cert type and CA signature algorithm can be different (e.g. cert containing ECDSA public key signed by CA using RSA)

Series Index:


1 Comment

Ibrahim Si · June 12, 2018 at 5:51 pm


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: