Digital Certificates with example

Digital Certificate with example:

In this post, we will try covering topic Digital Certificates with an example certificate.

1. Example of Digital Certificate
2. Certificate Terminology
3. Digital Certificate definition
4. Class of Certificates
5. Certificate Extension
6. Certificate Fields
7. Good to know facts about Certificate.

Example of Digital Certificate

Before we know anything about certificates, its good know where and how certificates are used. In this post, i will try covering what are certificates, why are certificates used for.

Asymmetric key encryption, Public key infrastructure (PKI)  are the places where certificates are used.

Imagine party A and party B wants to exchange a secret code like password between them and currently they don't have any prior communication between them.

To Solve this problem, party A will have private key and public key  with him. party B also has its own private and public key with in.

public will be shared with all, private keys are never shared to any one.

Now if Party A wants to send secret code to party B.

Party A will use party B public key and encrypt the data and send it across to party B.

Only Party B knows its private key, so only party B will be able to decrypt the secret code .

Lengthy example but this a one of  basic use case of PKI.

Second example, more practical one
One more example is HTTPS communication in a browser. it uses PKI.
balakishore gaddam

 Certificate Terminology

  CA : Certificate Authority
  DN: Distinguished Name
  PKI: Pulbic Key infrastructure

What is Digital Certificate:
 A certificate is based on the X.509 standard and which holds information about an individual or an organization or a company to which a certificate is issued. .
It holds a public key.

It also holds the information about certificate authority  that issued the certificate.

Encoding used for a certificateASN.1 ( Abstract Syntax Notation One).
Each Field in the certificate are tagged with a number.

Sample Certificate:
bala kishore

 A certificate contains
digital certificate

Certificate can be used for encryption of emails, signing a library file etc.

Types of Certificate:
Definition of class  might vary from vendor to vendor.
Class 0
          Type of certificate used for demo or test purpose.

Class 1
           Issued to individuals.
           Contains name (alias name) and email address of the individual
           Usage : Digitally sign email, Encrypt email
            It does not facilitate strong authentication of the identity

Class 2
          Certificates are issued as Managed Digital Certificates
Class 3
        Class 3 certificate are issued to individuals and servers. It provides important assurance of identity of individuals  It is used for Digital signature , encryption of messages.

As per Verisign

class 1: Individuals
class 2 : organizations

Class 3 : servers and software signing
Class 4 : Business transaction
Class 5 : Government security etc.

This classification may vary from authority to authority.

Digital Certificate Extension:

Extensions are used to associate additional information with the user or public key etc.
Each extension has
  •  Extension ID
  •  Critical flag
  •  Extension value.

Critical Extension

If a critical extension is not understood the certificate should be refused.
Critical flag value is  true.
Yellow mark is seen on the critical extension

Basic Constraint critical extension specifies if the certificate can be used to sign other certificate.

Non Critical Extension

If a critical extension is not understood the certificate may not be refused. This extension is ignored.

Critical flag is false in the certificate

Subject Alternate Names is non critical extension contain alternative name like email or such.

Digital certificate and its each field in details

Version : its version number of the certificate.

             Version: v3, is a X.509 Version 3 Certificate refer for more details

Serial number: Its a unique number that identifies a certificate.

A Signature is cryptographic signature of the content of the is made up of issuer private key and it can be verified with issuer public key.

Signature Algorithm: Algorithm used to create certificate.
Signature Hash Algorithm

       Certificate Authority who issued the certificate.

Valid From: Date and Time the certificate is issued from.

Valid To: Date and Time the certificate is valid to use.

Public Key: The public key is present in a certificate and it has a corresponding private key which is not present in cer.

Public Key Parameters:
                               parameters are used over many key exchanges


             A subject contains distinguished name. it contains common name, optionally contain other details like organization unit, country etc. Subject is entity to whom certificate is issued.

CRL Distribution list:
contains the URL list of website that contains  Certificate Revocation list. When a certificate is revoked, the information is sent to the CA and the CA authenticates the request and advertises the revoked certificate in the Certificate Revocation List. URL would contain that list.

Certificate Policies
         Certificate Policies  is a set of rules that defines how the CA will issue the certificates.

Certificate Practice Statements
           It is a document written in  text that describes how the CA plans to manage the certificates that it issues.

Thumbprint algorithm
         The algorithm used to create the unique value of the certificate.
          Example : sha1

        The unique value that identifies the certificate. This can be checked with the issuer of the certificate.

Authority Key Identifier
       The authority key identifier extension provides a means of  identifying the public key corresponding to the private key used to  sign a certificate
Subject Key Identifier
       Subject key identifiers SHOULD be derived from the public key or a method that generates unique values.

Authority Info Access (AIA)
   AIA extension allows SSL/TLS clients to go get the missing intermediate certificates, not presented by the server.  This extension, that adds in the final certificate a CA Issuer containing a URL, allows the browser to find the missing certificate and to check the chain again.

Good to know facts:

  • Self Signed certificate are self generated certificate with issuer and subject been same.
  • Well known certificate authorities:
In India :
Generally : VeriSign, Entrust, Thwate, GeoTrust
In Internet explorer you can find the list of trusted authorities in
 Tools->Internet Options -> Content->Certificates -> Trusted Root Certificate Authorities.
internet explorer

unix find usefull command

Following post is an attempt to list most used and interesting use of unix find command.

you might find all of tutorials about this command but I tired to list down the once I used in my day to day life.

General syntax:
find /path [expression]

find files under a directory ignoring case

find /usr -iname sample.txt

To find a directory in  "sample" folder.

find / -type d -name sample

find all files ending with .txt and print first 3 results

find . -name "*.txt" | head -n 3

find all files ending with ".java" or ".cpp"

find . -name "*.java" -o -name "*.cpp"

find all files with specific format extension which are modified in last 1 days.

to find all files modified in last 1 day with cpp extension.

find  . -name  "*.cpp" -mtime -1

Replace all occurrence of a string all occurrence in all files
find ./ -type f -exec sed -i 's/3094/3081/' {} \;

Find all files on the specific directory   not modified in 1 years (365days)

find /dummy -mount -mtime 365| head -n 5

Find path of file where a particular string  is found ,  in current directory

find . -name \* -exec grep "VISIBILITY_HIDDE" '{}' \; -print

Find path of strings in .cpp files

find / -name \*.cpp -exec grep "debug" '{}' \; -print

Run strings on every file on the system that ends with ".pwd" (case insensitive)

find / -iname "*.pwd" | xargs strings $1 | sort

Limit depth of directory traversal

 find .  -maxdepth 2 -name "*.txt"

it limits the depth of the command.


find / -print | xargs ls -ld

Xargs executes its arguments as commands, and reads standard input to specify arguments to that command

Delete the first file ending in ".swp" or "~" that have not been modified in 24 days starting in this directory.

find . -mount -mtime +24 \( -name "*.swp" -o -name "*~" \) | head -n 1 | xargs rm $1

List all empty direcories:
find /tmp -type d -empty 
find all empty directories and remove them in a specific directory.
find /tmp -type d -empty -exec rmdir  {} \;

Rarely used but interesting commands:

To find list of files that got changed with last 1 day. 
find / -mtime -1


Firefox and its tricks

This post is for all Firefox lovers, some interesting command and tricks which would make browser usage more intellectual.

Firefox tricks.
By default Firefox opens a blank page on every new tab. But if you want to change it and have your own website link to be opened.
 Follow the following steps.
In the Firefox address bar: enter below value
·         about:config
·         accept the warning
·         navigate to browser.newtab.url
·         double click on “browser.newtab.url”, a pop up will open.
·         Provide your website details.
firefox config

Next step would to find the list of commands available in firefox.
Try following command in address bar.
Click on the links to find the operations.

Command Line options

launch firefox website from command line
open run, then type firefox<websiteurl>
example: firefox
it opens as a tab.

opening multiple web sites in Firefox simultaneously.
go to run

When opening multiple URLs, it opens  sites in a new window

keyword.enabled value needs to be true
keyword.URL must have a website name

Any valid URL may be specified. The keyword will be appended to the URL and then the user will be redirected to the new URL. The default value is: 
Google Quick search

Google's "I'm Feeling Lucky"

Other commands with description.
Firefox Version:
Try command “about:mozilla” in address bar.
Try following command in firefox address bar. Follow ing athe results
Shows information about Firefox.
shows blank page
shows home page.
shows addons
lists contributors.
hows the arguments and options used to compile the Firefox build in use.
shows memory usage

Private browsing in firebox.( similar to incognito mode in chrome)

control + shift  + P
opens the browser in private session.
This is extremely useful while testing cookie related applications. 
On a machine which is used by multiple people, you do not want to leave any of the data or trace of site you visited. This option is ideal for those

avoid warning while closing a tab or group of tabs

in address bar, type
navigate to
browser.tabs.warnOnClose set to false
browser.tabs.warnOnCloseOtherTabs set to false

Download firefox direct link:

Message Digest- calucation using openssl

openssl command line utility is used to calculate message digest of the value.

calculate message digest writes to hexademical output to a console(stdout)
openssl dgst -sha1 file.txt

Example output:
SHA1(file.txt)= 1f8ac10f23c5b5bc1167bda84b833e5c057a77d2

calculates message digest and writes data to text file in hexademical format
openssl sha1 -out digest.txt file.txt
Example output in digest.txt file
SHA1(file.txt)= 1f8ac10f23c5b5bc1167bda84b833e5c057a77d2

calculate hash value using a DSA private key.
openssl dgst -dssl -sign cacert.pem -out signedoutput.txt   inputfile.txt

verification of signature of a file.
openssl dgst -dss1 -prverify cacert.pem -signature dsasign.bin file.txt