On this page

Certificates and PKI

The security foundation of TLS: X.509 certificate chains, ACME automated issuance, OCSP/CRL revocation checks, and Certificate Transparency public auditing. PKI is not perfect (any CA can issue certificates for any domain); CT and key pinning are patches to this trust model.

Overview

The trust foundation of TLS is X.509 certificates and PKI (Public Key Infrastructure). Browsers and operating systems have approximately 150 Root CA certificates pre-installed—these CAs can issue certificates for any domain, creating a single point of failure for the entire HTTPS trust system. Let's Encrypt (2016) automated certificate issuance and made it completely free via the ACME protocol, boosting HTTPS deployment rates from 40% to over 90%. Certificate Transparency (2013) mandates that all certificates be recorded in public logs, making malicious issuance detectable. OCSP Stapling enables revocation checks while protecting privacy.

X.509 Certificates

Certificate:
  tbsCertificate (to-be-signed):
    Version: v3 (2)
    Serial Number: Random (CA anti-replay)
    Signature Algorithm: sha256WithRSAEncryption or ecdsa-with-SHA256
    Issuer: C=US, O=Let's Encrypt, CN=R3  ← Who signed it
    Validity:
      Not Before: 2024-01-01T00:00:00Z
      Not After:  2024-03-31T23:59:59Z (max 90 days for LE)
    Subject: CN=grafana.liz6.com  ← Who the certificate belongs to
    Subject Public Key Info:
      Algorithm: id-ecPublicKey (or rsaEncryption)
      Public Key: (256-bit EC point or 2048-bit RSA modulus)
    Extensions:
      SAN (Subject Alternative Name): grafana.liz6.com, *.liz6.com ← Critical!
      Basic Constraints: CA=FALSE ← Not a CA (cannot issue sub-certificates)
      Key Usage: Digital Signature, Key Encipherment
      Extended Key Usage: TLS Web Server Authentication
      CRL Distribution Points: http://r3.i.lencr.org/
      Authority Information Access:
        OCSP: http://r3.o.lencr.org/
        CA Issuers: http://r3.i.lencr.org/
      Certificate Policies
      CT Precertificate SCTs (Signed Certificate Timestamps)
  Signature Algorithm
  Signature Value

Importance of SAN

Browsers have completely ignored the CN (Common Name). All domain validation is based on the SAN. If the certificate does not include the accessed domain → browser error: ERR_CERT_COMMON_NAME_INVALID:

SAN: DNS:grafana.liz6.com, DNS:*.liz6.com
→ Matches grafana.liz6.com ✓, chat.liz6.com ✓, grafana.liz6.com:8443 ✗ (SAN does not include port)
→ Wildcard: *.liz6.com matches single-level subdomains (chat.liz6.com) but not multi-level ones (sub.chat.liz6.com)

Chain of Trust

Root CA (ISRG Root X1):
  Subject = Issuer = Self (self-signed)
  Basic Constraints: CA=TRUE
  → Pre-installed in OS/Browser trust store /etc/ssl/certs/

Intermediate CA (R3):
  Subject: R3, Issuer: ISRG Root X1 → Issued by Root
  Basic Constraints: CA=TRUE, pathLenConstraint=0 (cannot issue further CAs)

Leaf (grafana.liz6.com):
  Subject: grafana.liz6.com, Issuer: R3 → Issued by Intermediate
  Basic Constraints: CA=FALSE

Verification: Bottom-up: leaf → R3 → Root → trust anchor (in trust store)

ACME

Clients (certbot/acme.sh) automatically obtain certificates via the ACME v2 protocol:

1. Create account: POST /acme/new-acct → account URL
2. Submit order: POST /acme/new-order { identifiers: [grafana, *.liz6.com] }
   → order object + authorizations + challenges
3. Complete challenges:
   HTTP-01: http://domain/.well-known/acme-challenge/<token>
            → CA verifies GET returns key authorization = token + "." + thumbprint
   DNS-01:  Place TXT _acme-challenge.domain = key authorization
            → CA verifies DNS (can issue wildcards!)
   TLS-ALPN-01: Return key authorization in ALPN
4. Wait for validation → CA verifies challenge
5. Finalize: POST CSR → CA issues certificate
6. Download: certificate chain (PEM, ~3-5KB)

OCSP and Revocation

OCSP (Online Certificate Status Protocol):
  Client: Asks CA "What is the status of this serial number certificate?"
  CA: "good" / "revoked" / "unknown"
  Issue: CA knows which website you are visiting → Privacy + Latency (additional TLS connection)

OCSP Stapling (RFC 6066, TLS Certificate Status Request extension):
  Server: Periodically fetches OCSP response (signed) from CA → Caches it locally
  TLS Handshake: Includes OCSP response in CertificateStatus message
  Client: Verifies OCSP response signature → No need to request OCSP separately
  → Privacy + Latency optimization

CRL (Certificate Revocation List):
  Periodically published list of revoked certificates (all revoked certs within the entire CA scope)
  Drawbacks: Large (can be MBs), delayed updates (typically 24h)
  OCSP is more real-time (but stapling is needed for privacy)

Certificate Transparency

Problem: Malicious CA (or compromised CA) issues unauthorized certificates → Man-in-the-middle attacks

CT (RFC 6962):
  All certificates are submitted to public CT logs:
    → SCT (Signed Certificate Timestamp): "Receipt" from the log to the certificate
    → Browser verification: Certificate must contain at least 2 SCTs (from different log operators)
  → Monitor: Anyone can monitor CT logs → Detect unauthorized issuance

  Your certificates: crt.sh/?domain=liz6.com → View all certificate history for liz6.com

References

  • RFC: 5280, 8555, 6960, 6962, 7633 (CT for code signing)
  • Tools: openssl x509 -text -in cert.pem, crt.sh, certbot certificates

Keywords: X.509, SAN, chain of trust, ACME, Let's Encrypt, DNS-01, OCSP stapling, CRL, SCT, CT logs