I have no idea how SSL certificates work
Posted by NSFW_IT_Account@reddit | sysadmin | View on Reddit | 325 comments
I've worked in IT for a few years now and occassionally have to deal with certificate renewals whether it be for VPN, Exchange, or whatever. Every time it's a pain and I don't really know 'what' I'm doing but manage to fumble through it with the help of another tech or reddit.
Anyone else feel like this? Is there a guide I can read/watch and have the 'ah ha' moment so it's not a pain going forward.
TIA
itomeshi@reddit
If you want a handy cheat sheet, I make https://cryptocheatsheet.ninja
I got tired of people doing it wrong. :)
desmond_koh@reddit
They are fairly simple, actually.
1) Your computer/server generates a secret key. 2) Your computer/server generates a “signing request” that is mathematically linked to your secret key. 3) The signing request gets sent to a big boss “trusted” certificate issuing company (DigiCert, Verisign, Let’s Encrypt, etc.) 4) The big boss trusted certificate issuing company uses various techniques to verify that you own the domain identified in the signing request. 5) The big boss trusted certificate issuing company signs your certificate and sends the signed certificate back to you. 6) You install the signed certificate on the computer where you generated the signing request (because it and it alone has your secret key). 7) If you want to move the certificate to another server, you export it along with the secret key.
ljsidk@reddit
Step 4 is not really correct. The signing Cert Authority all it does is generate the certificate, it really doesn’t do any validation of ownership of the cert. may be confusing it with domain verification through DNS records, not part of cert renewal. Hope this helps
Xzenor@reddit
I think that's the validation of ownership he meant. This is only for domain validation certificates (DV). There's also Organization Validation (OV), where there's plenty more checking. They call the company and they want a word with a contact person, and there's Extended Validation. I think they personally visit you then to verify if you are who you say you are and are allowed to request that certificate. The latter is used by banks for example and yes it's eye-watering expensive for a few KB of data.. This stuff is all done by the Certificate Authority so they really do validate ownership.
ljsidk@reddit
Sounds like they also need a feces sample to validate your identity as its not easily reproducible to copy someone elses feces
Xzenor@reddit
And a blood sample, a sperm sample (if applicable), DNA swab, dib's in your firstborn.. you know, just the basics.
ljsidk@reddit
Thats it? Not bad at all
PerceptionQueasy3540@reddit
This is a good explanation. The only thing I would add for OP's benefit is the actual process itself. Simplified the private/secret key decrypts info that is encrypted by the client using the the public key from the certificate. Since the public and private key are mathematically linked the data is decrypted in a readable form. If the private key or public key did not "match" then when decryption is attempted the data would not be readable. This is what makes it secure, since the private key is extremely long and nearly impossible to brute force or guess, not before the certificate has to be renewed anyways. This is why its important that the private/secret key never be shared, with that an attacker could, for example, pose as the website while looking legitimate.
desmond_koh@reddit
This is where I get lost. I have no idea how that actually works. I just accept that it does without really understanding how they are “mathematically linked”.
But I’m OK to leave it in the realm of the cryptographers. I don’t need to understand everything :)
Affectionate-Pea-307@reddit
When you do a bunch of magic math on 2 very large prime numbers you are left with 2 keys, a public and a private. Anyone can use the public key to encrypt a message but you can only decrypt that message with the private key. The only way to break it using the public key is brute force to find the original 2 prime numbers. Which in theory should take many years until quantum computers are a thing.
Lekanswanson@reddit
Hashing
n3t_admin@reddit
well, let's say you have an equation. You know the end result, but you need to know how to get there.
x * y = 43976
Now you would need quite a bit of effort and time to solve this, but what if I tell you the value of y? It's 956. Now you know x in a matter of seconds - 46.
This is basically how the private and public key combo works in a very, very simplified way. It helps speed up solving the equation massively by giving a hint.
desmond_koh@reddit
Well, I like your example. But I am not sure it holds up. Because x * y = 43976 wouldn’t take that long to solve.
1 * 43976 = 43976 2 * 21988 = 43976 4 * 10994 = 43976
It just has many, many, many possible (and equally valid) answers. But you could solve for all of them pretty quickly.
My understanding is that with public/private key cryptography there is only one right answer but it’s really hard to find. That’s something I don’t understand.
CowardyLurker@reddit
because a very large prime number A multiplied by another very large prime number B guarantees that the product C can only have two divisors (ignoring C * 1)
ghjm@reddit
You're right, you can just try all possibilities, just as easily as you described. The defense against this is that the numbers are a thousand digits long, so the universe will end before you get close to the right answer. And you won't get lucky and find you can save some work because they're divisible by 2 or 3 or whatever, because the numbers are both chosen to be prime (or at least "probably prime").
Ssakaa@reddit
Well, that's sort of how cryptography works, still. If you don't know X (a key) or Y (the plaintext), and you want to know what Y was, knowing that X could've been any of these 300 options to get the encrypted value (43976), and with those, Y is one of these other 300 options, tells you nothing unless you sit and brute force those 300 options and you know roughly what Y should've looked like (i.e., it was readable text). If, though, I give you X, you can come up with the correct value of Y quickly. When you get into the realm of the complexity of modern cryptography, that 300 is on the order of a value like 3.4e+38 (128 bit) on the lower end.
The math for asymmetric is a bit weirder, though, since you need two different keys to work to encrypt and decrypt the data, with one of those being one directional. There's a pretty good bare minimal simplified example here:
https://crypto.stackexchange.com/a/74659
n3t_admin@reddit
You're right, since I took a very basic random number, just to make a point. In actual RSA encryption, there isn't really an x and y. And the numbers used are gargantuan. And they are prime numbers, that are far apart. And the computing goes to the "factor of" (represented by the ^). That's rather hard to compute, even with our modern hardware, when using 2048 bit upwards. And there is only one right answer, yes. Fully understanding it requires some math knowledge for sure, but you should get a basic idea of what is happening from many online sources. Even wikipedia explains it pretty well.
DonL314@reddit
Read "The code book" by Simon Singh.
It gives a historic overview and describes older encryption methods and how to break them. It also explains how RSA and key exchange works, and those principles are used today.
It is one of my favorite books.
desmond_koh@reddit
Which one?
https://www.amazon.ca/Code-Book-Science-Secrecy-Cryptography/dp/0385495323/ https://www.amazon.ca/Code-Book-Secrets-Behind-Codebreaking/dp/0385730624/
And thanks for the tip. I'll check it out.
DonL314@reddit
This one: https://www.amazon.ca/Code-Book-Science-Secrecy-Cryptography/dp/0385495323
It may be old but I dig it out and read it every few years.
desmond_koh@reddit
Cool. I will order it for my kindle.
bacon_in_beard@reddit
i like this explanation. i just would add a tip to download openssl and learn the syntax for generating a csr, etc and you can then use the full cert and chain to install anywhere. rather than using the myriad of methods that you wont remember. just use openssl all the time and it may be easier because of repetition. and then you can just import the cert into whatever needs it.
desmond_koh@reddit
Yes, but since OP mentioned Exchange, it would seem that he's most likely working in a Windows world. So, probably going to be easier for him to remember how to do it in Windows. It's really not that hard.
That being said, u/NSFW_IT_Account should be using Let's Encrypt with something like simple-acme under Windows nowadays.
bacon_in_beard@reddit
yes true. windows is also very easy to use for cert creation and is very helpful to know. it’s just less powerful and can’t do everything openssl can do. between knowing them both should be more than enough.
greenstarthree@reddit
20 years in, I know the steps, still don’t really have my head around what’s actually going on.
Redditer_0047@reddit
This is exactly how I feel about mesh networks and Eero.
benderunit9000@reddit
It's math. Something about prime numbers.
reni-chan@reddit
Just take two huge prime numbers and multiply them together. Then something happens and you basically end up with two large numbers that relate to one another. That's as far as my knowledge goes.
I remember learning about it at the university but I can't remember how exactly it worked. Our tutor even made do some examples on pen and paper with much smaller prime numbers. I wish I had my old notes though, I would like to try do it again but can't find anywhere online that would teach it like he did.
Affectionate-Pea-307@reddit
I may still have the textbook, Numbers, Groups and Codes.
badnamemaker@reddit
If you look up RSA encryption example I think that’s what you’re talking about
reni-chan@reddit
Ah yes that's the one. Thank you, gonna play with it tonight.
Leungal@reddit
Probably more relevant to study Diffie-Hellman Key exchange (just look up the paint bucket example, you probably went through it in college). RSA is only relevant for signing/authenticating an SSL certificate, Diffie-Hellman (specifically ECDHE) is what's relevant for modern TLS handshakes.
854490@reddit
Before or after studying RSA?
Trash-Alt-Account@reddit
during
benderunit9000@reddit
Same here. It made sense how the keys are made. Going to be a day when compute is able to break this encryption.
geusebio@reddit
Thats what they've been saying about quantum computers.. When it happens.. if it happens, everything will become an open book.
richf2001@reddit
I used prime numbers in an MMO to know what stat/event was happening. It was crazy efficient for the time.
Affectionate-Pea-307@reddit
I did a class on it in college. F-me if I can remember anything beyond it’s really hard to factor a really large number into 2 really large prime numbers. In my defense that was over 20 years ago.
GolemancerVekk@reddit
Large prime numbers and modulo math.
Look up The Code Book by Simon Singh, it's a very nice intro to cryptography through the ages from antiquity to the modern day.
bentbrewer@reddit
How To Make It, Break It, Hack It, Crack It
Mizerka@reddit
basically plot of cube
benderunit9000@reddit
underrated horror movie. so good
Mizerka@reddit
it hit that niche spot between horror flick and escape room drama.
if you enjoyed it, the platform (2019), felt heavily inspired.
kennyj2011@reddit
Every damn time I think I have become an expert in PKI, something comes up and shows me I’m an amateur
GroteGlon@reddit
IT, man. Every time you think you're an expert you find out you don't know anything.
854490@reddit
me encrypting a message to 10 recipients at the same time in GPG
SecTechPlus@reddit
Oh no, you forgot to encrypt it to yourself as well!
RBeck@reddit
It's black magic good sir. Put your message through this formula so you can send it by raven across the worlds, and not a man, witch or sorcerer can decipher it unless they have the corresponding magic key. And if they wish to reply, they simply do the process in reverse, and your magic key is the only way to read their message.
854490@reddit
It sure is a good thing I type fast so it looks like I know what I'm doing when I'm issuing
opensslcommands over the remote sessiontony77642@reddit
Its science... renew the cert and it works lol
icefisher225@reddit
Meanwhile I don’t know the steps but I know what’s actually going on…
greenstarthree@reddit
Collab?
mikeismug@reddit
Gosh whats to be confused about it’s only PKCS, PEM, BER, DER, x.509, PFX/PKCS12, JKS, keytool, openssl, trust chain, expiration dates, CN and SANs, wildcards, key usage and EKU, CT, CAA, ACME, EV/OVDV. HSM, escrow. What’s the worst that could happen?
And, you know, every app having arcane and poorly documented requirements.
beren12@reddit
Magic and chicken blood
ibeechu@reddit
X.509? I haven't even mastered A.0 through X.508 yet!
ImCaffeinated_Chris@reddit
This right here is how I feel after 3 decades. I hate certs. Simple idea turned into confusing jargon.
flammenschwein@reddit
Soon we'll get to replace them every 47 days!
NUTTA_BUSTAH@reddit
And none of the hyperscalers support custom ACME config so you could automate it with your partners, so soon we'll get to see what a broken internet looks like when half of the web is using expired certs, woo!
bentbrewer@reddit
Yes, this is just waiting to be broken. I just got a 5 year cert (very cheap) from comodo for a one-off thing another dept was doing and didn't have the heart to tell them it won't be valid that long and they will probably need to generate another csr before a year is up and regularly ever after.
m4tic@reddit
don't need a new csr, as long has you have the original private key from the original csr you can do anything with the renewed public certificate that you'll need to download every expiration time (~13 months). **that means treat the .key as a password and keep it safe. you only need to generate a new csr if the certificate needs to be revoked and re-keyed for reasons (e.g. you lost the original private key/password, or someone found the original private key/password <_<)
NUTTA_BUSTAH@reddit
If only the organizations most have to work with realized this, but they are in the same boat as OP and I don't blame them.
bentbrewer@reddit
Yup, one year for most, shorter for some.
iamlostinITToday@reddit
Can't wait for all the legacy shit that can't automate renewal to generate a shit ton of work
Cyhawk@reddit
Certs wouldn't be so bad if everyone on the planet didnt try to create their own standard.
chiminea@reddit
Where’s my cabundle dangit!
hceuterpe@reddit
You didn't even mention elliptic curve instead of RSA🤣
Trivia: RSA is built for both digital signing and key encipherment. But ECDSA can only sign: it can't do key encipherment.
0xmerp@reddit
There is El Gamal which is also based on elliptic curves like ECDSA and can use the same key pairs. The actual cryptographic operation is different though. But your elliptic curve key pair can be used for both signing and encryption.
Cheomesh@reddit
Diffie-Hellman key exchange 😄
BradChesney79@reddit
And you can adjust the Diffie-Hellman curve with a command line parameter!
Cheomesh@reddit
I vaguely remember what that means 🤩
szank@reddit
You forgot ocsp and crl.
CarnivalCassidy@reddit
I followed the tutorial on Let's Encrypt and by some miracle, our website has the coveted 🔒 icon. I'm not diving deeper into it than that.
Elismom1313@reddit
Dude thank you. Working at an MSP with all their shit set up and me asking questions (because this stuff expires coooonstantly) I was like “am I dumb? Is the system dumb? Why do we keep not catching that these are expiring till it’s too late?”
thegunnersdaughter@reddit
You forgot SNI.
postandin77@reddit
And CSR
namtab00@reddit
everyone does
Scanicula@reddit
What about the DRE? Everyone seems to forget..
DizzyAmphibian309@reddit
That's just the tip of the iceberg. Wanna rewrite a CSR from a vendor so you can add the DNS name of the load balancer before it's signed? Now you're getting into ASN, and that's messed up.
IT_audit_freak@reddit
Tf? 🤯 😂
ChampionshipComplex@reddit
What about Middle-out and the Weissman score
UseMoreHops@reddit
What about a CRL?
AttitudeSimilar9347@reddit
Nowadays it's mostly OCSP. Which is not to be confused with OSCP.
Xzenor@reddit
No it isn't. OCSP is being dismantled.. CRL is back on the map
Ludwig234@reddit
Not so much anymore. Let's encrypt for example has stopped using it altogether and now use exclusively CRLs: https://letsencrypt.org/2025/08/06/ocsp-service-has-reached-end-of-life
CRLs (and shorter lifetimes) is the new OCSP.
iamlostinITToday@reddit
That means cock in Portuguese, but in this context it's a list of "expired/revoked" certificates
test_in_prod_69@reddit
thats just the PKI Santa's list of bad boys.
crane476@reddit
Don't forget about AIA.
startana@reddit
That last sentence is really my single biggest frustration with ssl.
much_longer_username@reddit
Yeah, it's not the concept I'm unclear on, it's figuring out which of a thousand combinations this particular thing wants. It's gotten better over time, but it can still be a real pain, and when the last time you did it was a year ago, you're bound to have forgotten half of it.
rddearing@reddit
Document the process for each system you renew with the steps - especially if they differ between systems. Makes renewal a lot smoother 👍
guru2764@reddit
I spent like 6 hours trying to renew the certs a while ago after joining my company because each time my COTS app rejected it
I finally got it and documented everything
It was great until my company decided to change processes for generating certs and now it's broken again
Haxsud@reddit
I just learned recently about SANs as I used Windows CA to generate a cert from start to finish and when I uploaded it to my other server and rebooted, it didn’t work. I found out, from what I read, that Chromium based browsers and I believe Firefox will look at the Common Name like normal but if the same link isn’t in the SAN section upon cert creation, like example.com, it will still deem it as invalid and I got a an error for “net::ERR_CERT_COMMON_NAME_INVALID”. Remade the cert while putting in all my DNS entries and the same Common Name entry into the SAN field, uploaded the cert again and it worked. I was scratching my head as to why I was getting that error but now I know so I made documentation for the next engineer lol
shifty_new_user@reddit
Especially when you only have to do certs every now and then, like I just had to with the new VPN cert I had generated.
"Okay, I generated the certificate... and I got three text files? Certificate, Certificate_Chain and Private_Key. Says they're in PEM format? Hm. Let's rename 'certificate.txt' to 'certificate.pem'. But I need a .cer file. Let's ask Bing. Oh, I need to run this command in OpenSSL. Let's install and... oh, it's already installed? Apparently I've done this before. Cool, now I've got a .cer and it seems good when I open it. Let's send it to the firewall guys."
Mizerka@reddit
chacha real smooth, sometimes
pppjurac@reddit
Add certs revocation list too.
RedHal@reddit
(Lust for Life starts playing)
Choose cryptography, choose openssl, choose fucking big prime numbers, choose an algorithm, choose PEM, BER, expiration dates, ...
... But why would I want to do a thing like that? I chose not to choose cryptography. I chose somethin’ else. And the reasons? There are no reasons. Who needs reasons when you’ve got tailscale?
bacmod@reddit
So choose life!
TheDawiWhisperer@reddit
"everything should accept a PFX" is a hill I'm totally willing to die on
Ummgh23@reddit
Oh god I remember trying to upload a cert into AD Self Service Plus. None i tried worked.
In the end support told me to export it from a windows certificate store and that would let me import it… which is just weird, but it worked..
rosseloh@reddit
This is the part that gets me. I understand, at the basic level any administrator should, how encryption and PKI work.
But all the arcane types, who requires what, and why the HELL a service that requires one provides you a completely different type when you submit requests? God damn, I'll stick to subnetting and ACLs, thanks.
Civil_Fly7803@reddit
Everyone learns differently. Back when I was new(ish), about 3 years in, I was still lost with certs and was pretty much where you are now. No idea how anything worked and no idea how to troubleshoot when it didnt.
What really did it for me was looking at a PCAP during a TLS conversation. Like REALLY digging in. Looking at the cipher suites that each side has, seeing both endpoint decide on which suite to use.
Cant go too detailed because I'd be here all night typing, but try looking at a Wireshark capture during a TLS negotiation.
Resident-Spirit808@reddit
Wait until the windows user gives you a certificate to replace for them with carriage returns for line endings, and Azure Front door won’t work.
Huth-S0lo@reddit
I learned how ssl certain worked, when I implemented decryption on a firewall.
EsOvaAra@reddit
Set aside a good 45 to an hour and read a long article or something explaining it in detail. That got me from being just like you, barely able to get stuff done, to being the go-to "cert guy".
NSFW_IT_Account@reddit (OP)
Yes i am planning to do this. Being the 'cert guy' seems boring but valuable for sure. It seems like no one understands them.
EsOvaAra@reddit
Better than being the "updates guy"
vikinick@reddit
The first time you use an openssl command without having to look up the syntax you feel like a god.
maximus-prim3@reddit
So true. My current obession is openssl s_client for validating my endpoints are actually serving the certs i deployed. Definitely feels godlike.
Fritzcat97@reddit
Certificate renewal is not too hard, if you document how you did it the first time.
I used to have to do a lot of cert renewals, couple per month on all kinds of systems.
The basics are: The private key should never leave the system it was created on. The only part that expires is the public cert. You can reuse the csr and have a lot of the specific data stored in there. For example, there is a possibility to add extra subject alternative names during the signing proces, but why do that if you can make the csr have those details.
You can also use config files for openssl, which you can point to on the commandline when making keys, certs and signing requests. Makes the documentation easier and the commands easier to read etc.
A big part is also monitoring the expiration, especially when they auto renew.
tkrego@reddit
I went from a sysadmin job to an MSP and I’m the one that gets all the SSL tickets. Every day is like Groundhog Day. SSL certs are on my top 3 list of things I need to learn more about.
NSFW_IT_Account@reddit (OP)
I enjoy troubleshooting email deliverability issues and am probably one of the best at it in my org. Usually deal with SPF, DKIM, DMARC, etc.
USarpe@reddit
Most IT guys don't understand certicates
Fit_Indication_2529@reddit
You’re not alone every IT pro has at some point stared at a certificate renewal screen wondering if they’re about to take down VPN, Exchange, or their weekend plans. The good news? The chaos makes sense once you understand what’s really happening under the hood. Think of Public Key Infrastructure (PKI) like the internet’s version of the DMV just with more math and fewer lineups. Here’s the quick mental model that makes it all click:
They prove identity just like a driver’s license proves you’re you. A website or service uses a digital certificate to say, “Yes, I’m really the VPN server you meant to talk to, not a shady impersonator.”
It’s the trusted organization that issues and vouches for those digital IDs. Some are public (like DigiCert or Let’s Encrypt), and some are private your company might run its own CA for internal systems.
Certificates aren’t “set and forget.” They need to be requested, issued, renewed, and revoked properly. Expired certs can bring entire services down so automating renewals or at least tracking expirations is essential (Azure Key Vault, Venafi, or even PowerShell + cron jobs can help).
There’s usually a Root CA (your “master authority”), an Intermediate CA (the “issuer”), and then your leaf or end-entity certificate (the one actually used by your VPN, Exchange, etc.). Lose or misconfigure one layer, and your trust chain collapses.
After a couple of hands-on renewals where you pay attention to what’s being signed by what, you’ll start to see the logic it’s all about maintaining a trusted chain and keeping the keys safe.
If you want that true “lightbulb moment,” try this path: Visualize it: Watch a few videos on PKI hierarchy and trust chains. Seeing the flow helps. Practice locally: Spin up a mini PKI lab create your own root and intermediate CAs, issue a cert, then renew and revoke it. Automate renewals: Once you understand the flow, use scripts or ACME clients (like Certbot or PowerShell modules) to take the pain out of it. Once PKI clicks, certificate management stops feeling like voodoo and starts feeling like maintenance
jkreuzig@reddit
This is a great explanation of what it’s like in IT for even seasoned professionals. There are areas like SSL certificates that confound even the most experienced people. I spent a large part of my career managing web servers so finally understanding how SSL works made my life easier. You are correct in that lifecycle management is the real job.
I’d have to say the only thing that really managed to stump me was trying to understand shibboleth and how it is used in identity management. I could setup a server with it, but it was difficult to debug properly as I just really didn’t understand what was going on behind the scenes. Even our identity management people admitted to needing to really dive deep for a year or two to understand it at a level they felt they could support it.
Fit_Indication_2529@reddit
shibboleth, as it relates to authentication? Or how to setup Certificates correctly? What helped me with SAML or OAuth was working with SharePoint 2010. Well that is where I cut my teeth on it. Shibboleth (opensource Shibboleth IdP: The Identity Provider or Shibboleth SP: The Service Provider) handles identity federation via SAML. Certificates handle trust and encryption within that system. They’re related, but not the same thing, one’s a framework for who you are, the other’s a guarantee that nobody’s lying about it.
Key-Boat-7519@reddit
The trick with Shibboleth/SAML is to split TLS from SAML keys and lean on metadata-driven rollover. Use three certs: web TLS on Apache/Jetty, a signing key, and an optional encryption key. Publish IdP metadata signed with the current key, include the next key, set validUntil, and have SPs consume your metadata URL. Keep entityID stable. Turn on IdP logs and use SAML-tracer and samltest.id to catch NameID format, AudienceRestriction, and ACS URL mismatches. NTP is non-negotiable; even a minute drift breaks NotBefore/NotOnOrAfter. Don’t reuse TLS for signing; rotate signing every 1–2 years, TLS by ACME; store keys off-box or in an HSM if you can. I’ve paired Okta and Keycloak with Shibboleth; DreamFactory helped expose backend APIs the apps needed while SAML handled identity. Once you separate cert roles and automate metadata, it’s manageable.
briskik@reddit
What a great write up - thanks for taking the time to put it in layman's terms
Fit_Indication_2529@reddit
Thanks
Lazy_Sweet_824@reddit
I ran a CA for a major bank and managed more than 1 million certs.
If it helps, you are in the same situation as 99% of IT personnel. There is a desert of ignorance out there with respect to X.509 certs
Here’s my recommendation. Google “SSL Certs” and then select the link for Cloudflare (came up first in both chrome and edge)
It has a decent walkthrough you cans do in less than 40 minutes.
I’d say what you need to focus on is the practical use of certs. Understanding the math is beyond most of us. Suffice it to say that X.509 is the most popular asymmetric key system. It is most useful when certs are issued by a certificate authority which signs the certificate with its own private key that can be validated with its public key. However we don’t have to have a CA, if we don’t, we need to import the public key of the cert into our keyring to mark it “trusted”. You can imagine this collapses quickly at scale, which is why we use certificate authorities. We trust the certificate authority to issue certs to only valid, verified customers. Because we trust the CA, we trust all the certs signed by the CA.
Atrium-Complex@reddit
Spent about 4 years of 'does it work?, fuck, generate new, fuck, generate another, fuck, generate another, fuck. first one works anyways. Rinse & repeat 11 months later.
I finally took time and effort to learn how they work, attempted to explain it to my team, they left the room understanding even less about PKI than before they entered. There's so much just wrong information on it that people seem to accept as standard.
managenet@reddit
Mike does a nice job with certificate explanations here: https://smallstep.com/blog/everything-pki/
managenet@reddit
Whoops, I see that it was already posted! OK, endorsing it then! :) Read and you'll emerge saying 'I know Kung-Fu'
dumbasPL@reddit
I need to make a youtube channel explaining tech in a way that I would love explained. In TLS (SSL is dead), you gave to learn a lot to get the 'ah ha' moment for every single step. There are guides that explain the big picture, and then there are guides that explain each part in detail but I've yet to see something that explains both the high level and low level stuff of every step based on a real world example.
NSFW_IT_Account@reddit (OP)
I do love a good youtube video tutorial!
TheDawiWhisperer@reddit
no one does, ive been the certificate guy at work for years and im just winging it.
i have a "feeling" for how to make a certificate work but i have no idea how it actually works under the hood
dumbasPL@reddit
the tldr is public key cryptography, with extra steps, a lot of extra steps.
Zealousideal-Shine52@reddit
No worries bro! I’ve handled certs at every job for the last 15 years. No one else really understands or values them or their import. No respects the guy that has to renew and issue and install 300 certificates per year or even comprehends the complexity of some of the processes that vendors have bastardized cert renewals into on their own platforms. Never thought I’d say this about a Microsoft but, Windows IIS as quirky as it is, is very streamlined and easy compared to other options. I do prefer using tools like OpenSSL that allow me to script the processes especially when your working on one-off product with a bizarre cert renewal ritual.
That being said, I’m unemployed so anyone need a salty cert guy?
ZaitsXL@reddit
To be honest to renew certificates and keep them up to date it's not mandatory to know how encryption works
InvestmentLoose5714@reddit
TLS certificates aka ssl is a public/private key system that is file based.
You generate a private key, protect it by password and ask an authority to sign the corresponding public key.
The authorities are supposed to be trusted by everyone. They use their private key to sign your public key. And their public key is publicly available for everyone to verify that a certificate has been signed by that authority it actually has been.
This is then used for n protocol to verify in a communication that you are talking to the server that it prêtent to be.
Think of it like that: when you connect to TLS it’s like asking the if card or passport of someone before you talk to them. You trust the if card or the passport because you trust the authority that emitted them.
And then you use the id card number to encrypt your communication with that person and she use their private id password to decrypt it.
This way outside thread cannot read the communication or impersonate someone.
Character-Welder3929@reddit
Explain like I'm five, have a learning disability and generally despise IT staff
I am your CEO
Superspudmonkey@reddit
I shiver at the thought of updating the netscaller certificates. In which order do you want the intermediate certificates!
XL426@reddit
https://www.cloudflare.com/en-gb/learning/ssl/how-does-ssl-work/
Flash_Haos@reddit
Still no explanation of certificate chain and authority, while these terms are always around when you are reissuing cert using some stack overflow guide.
j0mbie@reddit
Me: "I have this certificate."
You: "OK. Why should I trust it?"
Me: "Because it's signed by this Certificate Authority."
You: "OK. Why should I trust that CA?"
Me: "Because that CA was signed by this other CA."
You: "Oh! I already trust that CA. Your cert is cool with me."
That's a cert chain. Most of those high-up "root" CAs are pre-programmed into you OS, so as long as the chain goes back to something you trust, you're good.
DrCrayola@reddit
Big if true
Elismom1313@reddit
Me trying to listen to Jason Dion and not fall asleep
quiet0n3@reddit
A CA chain is just a string of certs signed by the cert above that prove who signed the public key to authenticate it.
On your local device you will have a list of CA root certs you trust. These are mostly managed by the people that make your OS or browser, but you can install your own.
If the certificate in your trust store can be linked to the public key a website sends you. You trust that certificate is from who it says it is.
The actual singing process is complex maths I don't fully understand, but it's similar to encrypting already encrypted text so you need to decrypt it twice.
dunepilot11@reddit
The best certificate chain explanation I’ve ever read is at https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce
taukki@reddit
No explanaition of CRLs? Don't know about you but I've had to deal with CRL issues multiple times in past years
hemohes222@reddit
Adding another post that goes a bit deeper in explaining certificates. https://smallstep.com/blog/everything-pki/
TheNinjaWarrior@reddit
I love you.
epicConsultingThrow@reddit
Sir, this is a Wendy's.
Elismom1313@reddit
Thank you I love them too
SnowMorePain@reddit
No this is patrick!
epicConsultingThrow@reddit
Wendy's nuts....wait. Patrick deez....well shoot.
brisull@reddit
Peanut butter.
throw0101a@reddit
no its becky
pmandryk@reddit
"Welcome to Costco. I love you."
jacenat@reddit
I miss vine.
getsome75@reddit
Facts
Morkai@reddit
Wowee, I'm gonna need to sit down to read that one.
ScriptThat@reddit
deadbeef
lol
jakendrick3@reddit
That was an amazing read, thank you.
benow574@reddit
Great page.
Xenoous_RS@reddit
Thanks for the link, I too have very little knowledge on it, now I feel like I understand it lol.
SortaIT@reddit
this one might help to? https://www.sectigo.com/resource-library/install-ssl-certificate
GoodVibrations77@reddit
you think very highly of yourself
dude didn't care to learn for years, then , just because YOU gave him a link, he will finally take the time to learn it
yeah.... right
Oblio_Jones@reddit
Somebody's feeling snarky today.
nelsonbestcateu@reddit
Was this necessary?
FlailingHose@reddit
This is probably the best explanation I’ve read.
RedditDon3@reddit
Ah good old PKI
grrhss@reddit
That’s okay. Someone will sell you a PKI solution for $100,000 a year and take care of it for you. Until it breaks and locks you out of your stuff.
NooNotTheBees57@reddit
Nobody does. Move past it.
NSFW_IT_Account@reddit (OP)
I do, until a couple months later another one needs to be renewed.
GroteGlon@reddit
Document the steps of how to renew them. It's not that important to know how or what if it's just repetitive steps. It's nice to know thing ofcourse; but TLS is some sort of wizardry.
mainjc@reddit
No one does. It’s all just a test to see who will admit it…lol
calisamaa@reddit
use http
GuavaOne8646@reddit
Lol same, who fucking knows man ¯\(ツ)/¯
Xzenor@reddit
Certificates are hard if you only have to do shit with them on occasion. So write down your steps. Create a step by step guide for a renewal. You can't remember it if you only use it 3 times a year and you won't understand if you don't have to deal with it regularly..
So take some fucking notes so you don't have to ask the internet every time..
punklinux@reddit
You usually only have three pieces in operation:
The private key is the secret sauce YOU made, and the cert is what you can see to check it out, and the browser looks whether it's a trusted root CA or not. You may also have a "chain," CA-provided *.pem files that connect your cert to a trusted root CA. Some web services lump the cert and chain pem into one file, some don't.
Most people have a key that they make, then generate a CSR (Certificate Signing Request) from that key. The CSR is a file you generate with your private key with all your details like domain, IP, location, favorite color, and so on. Then you send to the CA to get your certificate signed. They sent you back the cert with an expiration. You put both on your web server. Easy peasy.
gomibushi@reddit
Then you shouldn't go looking at how authentication flows work...
WillVH52@reddit
Have a good idea how they work, used to manage them for a hundred websites.
SortaIT@reddit
https://www.sectigo.com/resource-library/install-ssl-certificate
wideace99@reddit
Don't worry, the IT&C industry is full of imposters since many years.
Just do, like others, pretend that you are too busy and outsource all the work.
Spiritual-Mechanic-4@reddit
The X.500 spec is actually quite readable. it kinda helps to go back and start from X.400.
The cryptographic stuff is borderline magical, but the basics about how identity is defined, and how certificates let you verify it, is approachable.
technicalskeptic@reddit
This is one of the areas where I learned it in detail once, and only keep track of the high level these days.
To be honest, I automated the whole process and use acme clients into the process and letnthe reverse proxies take care of everything.
clbw@reddit
Sorry for your pain man I’ve made so many damn cert in my life. I could do it in my sleep. What kind of certs are you making?
No_Winner2301@reddit
http://digicert.com/content/dam/digicert/pdfs/beginners-guide-to-tls-ssl-certificates-whitepaper-en-2019.pdf
Major_Significance59@reddit
Back when I was doing interviews for the senior sysadmin positions, one of my go to questions what to ask what some common causes for browsers to display SSL error messages. I learned from that that no one knows how SSL/TLS certificates work.
lspiehler@reddit
I was in the exact same place years ago. The best way to learn is to get your hands dirty. This is one of the main reasons I built https://PKIaaS.io It's free for up to 10 certificates and Patreon supported if you need more. You can create your own CA and sign certificates manually or automate using protocols like SCEP and ACME. I also created https://certificatetools.com as a sort of certificate "swiss army knife" that you can use to create CSRs, self-signed certificates, etc. If you have any questions, there are ways to reach me on both. Good luck!
Temporary-Truth2048@reddit
Ahhh... thank you for being bad at your job. As a hacker you ensure my job security.
HipIzDaShiz@reddit
No one bringing up Bob or Alice yet? Here is a pretty interesting read that gives a great explanation imo.
https://medium.com/@manish.prabhu/how-alice-begins-talking-to-bob-the-ssl-tls-handshake-56faa88e62e1
Cheomesh@reddit
Same, more or less. I get how they function and how pki and such works, but I never had an intelligent insight into key usage, never really remember the difference between types, etc.
ChiefBroady@reddit
Yepp. Anytime certificates come up I just blank out. I’m sure it’s not that complicated, my mind just goes into bleh-mode.
Fantasillion@reddit
So, there are already a lot of explanations from helpful redditors, so I'll just add a few links to stuff I find helpful:
Fantasillion@reddit
Dealing with ciphers, tls versions etc. on Windows is a little easier with stuff like IIS Crypto. Be aware that disabling essential settings here can easily break a machine to the point that it cannot be logged on to remotely. Make sure to test what you disable thoroughly. Also, different Windows versions have different cipher suites available, so what works for Windows 11 won't necessarily work for 10. Same for Windows Server.
You can use IIS Crypto GUI to create templates that you can then save to a file and then use IIS Crypto CLI together with the template you created to deploy the template to a system.
Qualys SSL Labs can be used to test your https sites. It checks many different things and grades it. It's a great tool to get transparency into certificate-related https security configurations and tells you where to look and what to look for.
I hope some of this helps! 😀
loupgarou21@reddit
When you try to get to a website over HTTPS (this isn't only https, but that's the example I'm going to use,) your computer goes "hey, dorkus, I want to send you some encrypted data, gimme your public key so I can encrypt the data I'm going to send to you"
The server then goes "OK, dingus, here's my public key 'blah blah blah blah', what's yours, because obviously I want to send you back encrypted data too?"
It's important to note that the public key is used as part of an asymmetric encryption pair, you use the public key to encrypt, and then the other side can use their private key to decrypt.
Your computer goes "Hey, thanks dorkus, here's my public key, and aisudf98ys9dfg798a7ysidg98yadsfyg98yf0ugas80dgydf (this is now encrypted with the server's public key and only the server can decrypt it)"
And now the server decrypts the string above with its private key, then replies with "8sd987fds986sdf986sd98yfvgkwjeh2i3u5ghkjasdfhg987y23urh9w8dytf987y32r (also encrypted data, encrypted using your computer's public key, so only your computer can decrypt it)"
And then your computer decrypts that nonsense with its private key so it can read the reply.
fin
NSFW_IT_Account@reddit (OP)
Thanks, that makes sense and I mostly understand that process but why does a cert expire and why does it need to be manually renewed? Mainly in the case of something like IIS or Exchange on prem.
lukeh990@reddit
What the above reply goes through is the TLS communication process. Certificates are external to that. Basically a certificate is issued by a company that your computer manufacturer trusts (think lets encrypt). The certificate includes your public key and the issuers public key. (There is actually a chain of public keys in the certificate that lead up to the trust anchor, which is the certificate that issues root CAs). The certificate is then exchanged along with the public key so the client can verify that it actually is the right public key for the domain it’s issued for. The reason they expire in the first place is because if certificates never expire, what happens if that private key is leaked? Anyone could pretend to be that server. Expiration just makes sure that at some point an attacker loses the ability to impersonate.
Certificates don’t actually have to be done manually in all cases. Depending on server software you can use the ACME protocol and one of the hundreds of open source clients to automate the creation and submission of signing requests and renewals. But for the examples you listed, I assume they’re just too old for ACME to be part of them. Someone might have made a client that works with them using some APIs. Idk.
NSFW_IT_Account@reddit (OP)
How can it be automated if it requires going into a CA like Godaddy for example and purchasing a new certificate every 3 years or so.
NUTTA_BUSTAH@reddit
https://datatracker.ietf.org/doc/html/rfc8555
Real world example: https://letsencrypt.org/how-it-works/
lukeh990@reddit
I don’t know the ins and outs. But I primarily use ACME on Linux servers that are serving traffic on the internet and use free 3 month term certificates from Let’s Encrypt or ZeroSSL. Let’s Encrypt pioneered the ACME protocol so they built it for their needs. I’ve seen some CAs like SmallStep allow you to do provisioning over things other than ACME. So in theory someone like GoDaddy might offer an API that allows you to used stored payment information. But at once every 3 years, the credit card probably expired so you might not want automation. I also have an internally deployed CA and all my hosts have that CA’s root certificate installed. So for HTTPS and SSH certificates on internal services I just generate them on a 24hr expiry and renew them with a daemon. Then symlink the generated certificate to wherever the software expects the certificate to be.
LeadershipSweet8883@reddit
Certificates expire to reduce the amount of time that weak or compromised certificates are allowed to exist. If a flaw in the algorithm is discovered, or regulations change, or technology evolves to make the cert easier to break, or the CA gets compromised there aren't effective ways to claw all of those flawed certificates back without causing massive problems.
> why does it need to be manually renewed?
It doesn't. Part of the reason why they are shortening the validity period is to force organizations to start implementing automated certificate renewals. The target validity period is 47 days in 2029. If you think you are starting to feel the pain at 398 days, it will get worse in 2026 at 200 days, then in 2027 at 100 days. That means you will eventually be doing monthly certificate renewals.
vikinick@reddit
There's some websites I've seen people make (just for the hell of it) that rotate certs daily.
loupgarou21@reddit
Ok, so let’s shift what I said above into identity management. Let’s ignore the whole public/private key bits for now.
So, let’s say I tell you my name is John Smith and I live at 123 Fake Street. Maybe you believe me, but let’s say you want to make sure that’s who I am, how will you do that? Ooh, maybe you ask to see my driver’s license. I show you my license, and now you believe I am who I say I am. But why do you believe the drivers license? Well, because you trust that the DMV has done their due diligence in verifying I am who I told them I am. This is why you’re going to a certificate authority, to get your ssl cert, everyone trust that they went through the work to verify your identity before issuing you an ssl cert. but, why does the ssl cert expire? For some of the same reasons your drivers license expires. What if John Smith lost his drivers license, or it was stolen, and someone else tried using it, and that person looked like the real John Smith. If the ID expires, it can only be illegitimately used for a short time. Maybe the government even has a metric saying it take 5 years to make a fake ID, so they have all IDs expire in 4 years, then bad guys wouldn’t be able to successfully forge a drivers license.
Why does the cert need to be manually renewed? Well, set aside automated options like acme, it’s the same reason you have to go to the DMV in person to renew your license, you provide some proof you’re still you on renewal and the DMV wants to review that information to ensure you’re you.
You can automate the ssl cert via something like acme because you’re using something hardish to forge, your DNS entries, to prove your identity.
NSFW_IT_Account@reddit (OP)
Thanks, great explanation. So certificates are really only needed when you host your own services to the public?
For example Microsoft 365 never requires a certificate renewal despite it using my domain name.
loupgarou21@reddit
You might need them in some circumstances where you have a third party hosting a service for you, like you’re hosting a website at godaddy, you might want to supply your own ssl certificate that you purchased elsewhere.
Email is a bit goofy because it’s not particularly secure, but you can tack on stuff like spf and dkim to increase security, but yeah, you’re not going to use your own ssl certificate with office 365, Microsoft is taking care of any needed certs for you where they’re needed, but they’re not pretending to be you in those instances.
Maybe a better counter example of where you might have a cert but you’re not buying it would be hosting an internal resource. You can run your own internal CA that you trust to sign certificates for your internal services. They still expire and need to be renewed, but that can largely be automated. An outside device won’t trust those certs because they don’t trust your CA, but you can have your internal devices trust the CA, and by extension trust the services using certs signed by your CA
QuarumNibblet@reddit
The private key is like a password and can eventually be cracked given enough time.
for RSA (as an example):
1024 bit is like a 4 character password.
2048 bit is like an 8 character password.
etc..
The certificate renewal ensures that the "password" is changed periodically, there is a lot more to this "renewal" thing, which deals with fixes to how things are supposed to work, but in reality don't very well (like revocation which is supposed to happen when your password is stolen).
Just be aware that the aim is currently to reduce this down to 47 days by 2029, with this starting at 200 days in 2026 and then 100 days in 2027, so anyone not using automation for certificates is going to have a bad time.
Zealousideal_Yard651@reddit
You're close, but your wrong.
TLS/SSL works by negotiating a symetric key for encryption. Asymetric encryption is really compute intensive, so TLS only uses the private public key pair as a ID and to securly negotiating a symmetric key for data encryption.
So it goes more like this:
WALL-G@reddit
I've spent the last year borderline exclusively with certs, ADCS and all the associated noise while learning PKI from scratch to deploying a new internal PKI throughout my company.
I've built many proof of concept environments and a production environment, everything works great.
I'm still not sure what is really going on.
vikinick@reddit
There's a few servers around the world that the general Internet has determined are trustworthy.
From these servers, we build other servers that are trustworthy. This chains down the line.
TLS/SSL works by basically a user going to a website. The website has a public certificate. The user's computer looks at that certificate, sees it matches the DNS you went to, and sees that the server that the website got that certificate is trusted as well.
The user's browser uses that certificate to encrypt a message. The website uses the private key it has related to that certificate to decrypt the message from the user. After a few steps, a two-way encrypted conversation is established where that certificate and key are no longer needed.
I can go more in depth if people want with CRLs, self-signed certs, etc. if you want.
americio@reddit
Certificates prove that you are in fact you and that what you say is in fact what you say.
BloomerzUK@reddit
Literally me yesterday :D
kasim0n@reddit
Lot's of good answers already, but here's one more approach to get a solid understanding of the fundamentals: Using only the openssl command line tool, create a root CA, an intermediate CA and a host certificate and play around with verifying the host certificate. There is nothing more satisfying than having "openssl verify" output "OK" after all the work ;-)
Personally, I would even use AI (chatgpt, claude, maybe even claude code) as a teaching tool to explain every step on the way and to verify i really got it: "I understand that a certificate is signed against by intermediary, which itself is signed by a root ca and the root ca is trusted by my browser/os. Am i correct in that?" "What does actually mean" and so on.
Old_Cheesecake_2229@reddit
If someone had handed me a flow chart early on, it would’ve saved a lot of hair. But what ultimately clicked for me was doing: set up a self signed CA, issue an intermediate, issue leaf certs, break it, fix it. Also always check logs (openssl, event viewer, etc.). I suspect Catos modules are doing something similar under the hood with their ZTNA policies.
povlhp@reddit
You are like 98% of webmasters / server ops I know until about 2-3 years ago.
Had to put Cloudflare in front as they had no clue.
centopus@reddit
Nope. Its easy.
Theres several companies that strong-armed themselves as trusted. Those are the Certificate Authorities. Think of them as of a government of imaginary certificate country. They issue identification papers - certificates to other parties, that print the identification papers to workers/people - the server certificates.
Remember about the CHAIN. If you trust anyone up the CHAIN, you trust everything downstream. Minus Revocation lists. There are 'blacklists' of certificates that got invalidated before their expiry.
Shittiest part about those on the top... they continuously shorten the validity time of downstream certificates to strong-arm more money out of everyone.
iknowtech@reddit
Certificates and renewals should all be automated at this point. That’s why they are mostly free now, and will be down to a max 47 day duration by 2029. If you want to learn something about certificates learn how to automate them, it’s the only relevant skill going forward.
port443@reddit
I just feel like I belong in this thread.
Funny-Comment-7296@reddit
I understand it. Sort of. But still can’t always entirely wrap my head around what’s going on, and how all the pieces fit together. I also do 10 million other things, so I don’t really have time to think about it. I have documentation. I follow it.
icebalm@reddit
SSL certificates are public key cryptography with a web of trust. Public key cryptography works on the principle of having a pair of encryption keys. Anything encrypted with one key of the pair can only be decrypted by the other and vice versa, so you designate one as private and hold on to it, and then designate the other as public and give it out to everyone. The certificate itself is the public key.
Certificates are signed with the private key of a third party trusted entity (certificate issuers) that everyone (browsers/operating systems) have decided to trust. Anyone who has decided to trust a particular entity will have their public key (certificate) so that they can decode and validate the signatures. This is how the web of trust forms. If you get a certificate issued by godaddy, then they sign your certificate (public key) with their private key, and anyone who has godaddy's public key can then decode that signature and tell that it's valid and where it came from. The signature also includes a checksum of the entire certificate so that if it is ever altered the checksum will not match and the person checking the signature can tell it has been altered and reject it.
Curious_Roy_Donk@reddit
I was in a similar boat forever, but when I studied for Security+ earlier this year, there were sections of Andrew Ramdayal’s Udemy course that did a good job explaining it. I’m still now expert, but I understand the concepts and in general “why” and “how.”
bbkane_@reddit
Ooh I ended up doing a lot of work with SSL and I made a list of articles and tools that I found really useful- maybe it'll help you too.
https://www.bbkane.com/blog/learn-ssl/
rabell3@reddit
There's some really good article suggestions in this thread, so read them up... but be prepared to really cry when you read this. Long story short, over the next few years, cert lifetimes are going down to 47 days; time to get a handle on things and automate.
std10k@reddit
Most people in IT don’t understand how certificates work. It doesn’t do them any favours but it is true.
In everyone’s defence the standards are quite confusing, encodings, containers, key types, and don’t get me started on OpenSSL.
At the end of the day, certificate is nothing more that structured text with digital signature.
Do figure it out. It is simple.
oakc510@reddit
All I know about SSL is its validity period keeps shrinking every few years. What is it now, 13 months? I hear talk about it going to 90 days?
Cyhawk@reddit
LetsEncrypt is 90 days with optional 6 day.
Its important to prevent potential attacks to keep your certs rotating often, with enough traffic you can decrypt SSL via normal methods.
Also its 2025, it should be entirely automatic or you should be EOLing devices that can't do automatic certs as hard as you can.
RogueEagle2@reddit
tbh I'm similar. When it comes time for cert renewal, I always have to go through every wrong step before I remember the right way to do it.
Some certs I just create and export the .csr to the agent, other times I'm renewing in place, other times I have to export the .csr, generate new cert, then compile the 4 parts of new cert into a single text file.
It all works out in the end but its always a state of unease for me.
Local-Assignment5744@reddit
I always check the site with a SSL checker (like Qualys) because half the time I screw something up like missing an intermediate cert, especially as I'm usually updating the certs late at night since these systems are in production.
FearlessSalamander31@reddit
I used to be the same way, but I sat down one day and really researched into how TLS certs work. Now, I'm the cert guy for my org. I've built out the PKI, public and private, for my org with and recently configured ACME.
NSFW_IT_Account@reddit (OP)
So ACME does the process of purchasing a new certificate from the CA, and then replacing it with the expiring one on your servers? (I know little about how this all works so feel free to ELI5)
Geminii27@reddit
I can read about certs all day, but it comes down to "I have a server running operating system ABC, webserver DEF, and email server GHI; how do I get from there to the webserver and email server smoothly using certificates?"
Generate a cert, OK. Now what? Presumably the assorted server programs need to be able to see it and need to be told how to incorporate it in some fashion...
bk2947@reddit
It is one of those tasks that I don’t do often enough to learn thoroughly.
bolo1357@reddit
RemindMe! 12 hours
dencorum@reddit
ygUIUGtpIHBhdWzSBwkJHgGjtWo3m0M
This video series will get you to a good understanding in about 40 minutes, and there’s much much more content afterwards. It’s very well explained.
NSFW_IT_Account@reddit (OP)
You got a link? the think you posted doesn't look like one.
dencorum@reddit
I just fixed the link
ehcanada@reddit
Steve Gibson explained the packet level details of an SSL handshake and how certificates with back in 2009 on the Security Now podcast episode 195. Give it a listen.
https://twit.tv/shows/security-now/episodes/195
Key-Eye1654@reddit
If it's windows I use Digicert certificate utility. This will allow you to generate a car. (Certificate signing request). You can get an SSL cert from any provider but we use Digicert. You create a request for a new domain Ssl cert, paste in the CSR and fill out form. Get cert, download the file and import back into Digicert util.
AppointmentDry9660@reddit
sudo certbot renew --dry-run
Oolon42@reddit
What I want to know is why do there have to be so many file formats? Just have 1 or 2, a cert+key and just a cert. Make everyone agree to use them. Standardize!
Lower_Fan@reddit
Doing it for an ev code signing cert made it click for me.
1.you make a csr. the csr has the specs of the cert you want. Stuff like public key, purpose, requester information.
You give the csr to a CA either a globally trusted one or your own.
The CA signs the certificate
You install this cert on your server
Now your server will send this signed cert to clients
The key lies in the chain of trust. Because your certificate was signed by a globally trusted certificate (and the CA confirmed who you are) everyone else can trust your cert.
NSFW_IT_Account@reddit (OP)
So why does the cert expire and need to be repurchased from the CA (Godaddy for example) and then need to be re-installed on the server?
kuahara@reddit
Because trust doesn't last forever. Bad actors are acting and your org is changing. An annual organization validation serves a good purpose.
Also, what about all those certs on old servers that orgs may or may not have disposed of properly. What about names they abandoned? There's a lot of what-abouts that are easily covered by the CA saying, "Look, I vouch for Tom now, but Tom might not be the same guy in two years so how about you follow up with me again a year from now".
FYI, that year is getting chopped down to 200 days or so next year. And then 2 years further down the road I believe it's dropping to 45 days. So we're all on notice to get certificate lifecycle automation in place now.
ubermonkey@reddit
I think almost EVERYONE feels like this.
NSFW_IT_Account@reddit (OP)
definitely everyone I work with lol
kuahara@reddit
I feel extremely comfortable with certificates. If you have a specific question, I'd be happy to walk you through it in a way that I think would be simple to understand and easy to remember.
CyberneticFennec@reddit
I used to manage the corporate CA, believe me, nobody in IT seems to know how they work
Malbushim@reddit
This is very relatable. Took me a long time to feel like I understood digital signatures, too. I've also revisited the topic of Kerberos like 10 times and I still can't really tell you how it works. I'm just retarded or something, idk
Virtual_Low83@reddit
Kitty want fish. Kitty doesn't trust fish Vendor Kitty's identity. Vendor Kitty shows his adoption papers, stamped with Root Kitty's paw. Kitty has a paw book of paw prints that all kitties have mutually agreed can be trusted. Root Kitty had verified Vendor Kitty's identity. Now Kitty knows Vendor Kitty is actually Vendor Kitty. Kitty buy fish.
IronVarmint@reddit
Brilliant.
RhapsodyCaprice@reddit
It doesn't help that Microsoft has given ADCS very little love in the last twenty years. As others have indicated, it's best to learn theory first before trying to understand implementations. It's all about the public private key pairs as a way to prove that something is what it claims to be.
IronVarmint@reddit
Flat out embarrassing.
xXSupaChocolateXx@reddit
I understand how it works, the implementation trips me up every time
NSFW_IT_Account@reddit (OP)
I somewhat understand how it works, better now that i've read some comments here. Implementation always trips me up.
Steve----O@reddit
It’s Blockchain’s dad. You understand Blockchain. Right? JK
f0gax@reddit
When a website and a user really love each other…
jahayhurst@reddit
Simple version, others have probably gone at it as well tho:
First, know public / private key cryptography. You have a public key and a private key that are interlinked. Anything can be encrypted with the public key then only decrypted with the private key. Anything can be signed with the private key then verified with the public key.
Second, an SSL / TLS certificate is a private key half, and a public key half tied to the same. You make the key and keep it secret. You make a CSR - certificate signing request - that's your public key and some other stuff. You send that to your SSL issuer, your SSL issuer signs it with their key, and give you back an SSL / TLS certificate that is your public key, some other data (like the domain name, your name, etc), and their signature, and possibly their intermediate certs. You then put that into Apache or w/e with those intermediate certs and you're good.
Intermediate certificates are somethign an issuer mostly just has. They have a root certificate - an SSL certificate signed by itself containing their public key. That root certificate, along with a bunch of others, is just in everyone's computer. Then they issue their intermediate certificates - so they dono't have to break out their big bad one - and issue SSLs with that. Then the person running a website gets to load all of the issuer's intermediate certificates and their certificate into Apache, and then the client has to download all of those.
SNI is just putting the domain name before the SSL handlshake. When you're sending an http request, you're really just connecting to an IP, no domain name. When we did HTTP 1.0 and TLS, you open the connection and start the SSL handshake right away, then send the http headers inside the tunnel - and the domain you're looking for was eventually a http header. You still want to put most of those headers inside the tls handshake - and nobody can really muck with data inside the tls handshake - but you can put the domain that you're looking for outside of the TLS handshake. By doing so, the webserver can then decide which SSL certificate to use to start the handshake, instead of just using the one for that IP address.
lol_umadbro@reddit
This is, by far, the best explanation about certs I've ever heard. It was a lightbulb moment for me.
xproofx@reddit
I can't take any credit for this because I'm pretty sure I read it here on Reddit somewhere a long time ago but the way I've heard it explained it like this:
You have something you want to send to somebody else so you put it in a box and put your own lock on it and send it to the other person that way no one can get it in the middle and unlock it. Just pretend this is a very secure lock that not even the lock picking lawyer can get into it.
The person on the other end finally receives it and they can't unlock your lock but what they can do is put their own lock on it, again a very secure lock. They do this and send it back to you.
When it comes back to you unlock your lock while their locked remains. You then send it back to them where they can finally unlock it because only their lock remains.
Don't know if that is helpful at all but I just thought it was a pretty good analogy.
highdiver_2000@reddit
I once worked with an application PM, she has been there a few years. I have to explain to her how public dns works.
Usual-Chef1734@reddit
Me either. They annoy me to no end because they are a hassle but give a low level of the usual reward of complex things.
valdearg@reddit
After working in support which required customers to provide their own SSL certificates, I'm convinced that many sysadmins do not understand them. I'd provide very easy instructions on how to generate what we'd need and it was 60/40 whether we'd get the correct certs, I'm impressed by the sheer number of variations in certificate formats!
I wrote a 17 page document which covered everything for the internal guys to deal with.
Then I automated it all with acme clients to stop the issues and make life easier.
epackorigan@reddit
Let’s encrypt + acme is all one needs to know. Sounds like a pain if you’ve never done it before, but before long you just set it up everywhere…
Awkward-Candle-4977@reddit
You create Private key using openssl etc.
You create Public key as mathematical pair of the private key using openssl etc.
You wrap the pubic key, your website name etc. into Certificate request using openssl etc.
You send the certificate request to a trusted CA company, such as digicert etc.
Those companies became Trusted CA because their public CA certificates, which also contains the CA Public key, exist in ssl client's OS trusted ca list.
You pay the CA to package your public key, website name etc. into Public certificate.
CA encrypts some part s of the certificate using ca private key, which is mathematical pair of their ca public key.
You install the Public certificate and Private key in web server.
Web server shares your Public certificate to ssl clients during ssl conection setup.
Ssl client uses public key of the public certificate to encrypt and decrypt data.
Web server uses private key to encrypt and decrypt data.
It works because both keys are mathematical pair.
1996Primera@reddit
as someone w/ 20+ yrs, man certs where a PITA back in the day, but that is bc exchange & some other MS products didnt work very well w/ wild cards & needed all the SAN entries. Luckily all those days are long gone, so now its typically what type of cert format do you need, & whats it for, poof I order from Digi & im done
Background-Slip8205@reddit
The only purpose for SSL certs is to be a pain in the ass at every single conceivable step of the way.
bobsbitchtitz@reddit
SSL is a motherfucker, I've studied and even written my own code to generate SSL certs and I still don't understand it.
AfternoonMedium@reddit
https://idea-instructions.com/public-key/
wasabiiii@reddit
No. Because I do know how they work.
applecorc@reddit
There's dozens of us.
Centimane@reddit
I'll use an analogy to try to explain certificates.
Certificates are much like a driver's license. They're meant to be proof that you are you. Part of that though is that the driver's license has to be from a reputable source. If you were buying liquor and provided a hand-written driver's license (like a self signed certificate) they obviously wouldn't accept it.
When someone accepts your driver's license its because it came from an intermediary they trust (the DMV), which is issuing licenses on behalf of an entity that they trust (the government).
Same idea with certificates. A certificate is trusted if it came from an intermediate that's trusted issuing certificates on behalf of a root cert authority they trust.
pm_me_domme_pics@reddit
You're in good company, noone on my team understands how they work. Half of them couldn't make a CSR if asked, of those galf wouldn't know how to add a san to it. And I'm not even picky about the tools they use
AlteredCap@reddit
Newb question, but is the same concept I can apply on a server hosting a service, and when anyone tries to reach that service via web, they get that warning message? Is this how I would go about getting rid of that warning from Google or whatever browser?
hceuterpe@reddit
I guess we're not ready for me to bring up TPM key attestation?
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation
hceuterpe@reddit
Btw, technically it's X.509 certificates. SSL hasn't been a thing for decades now, and even if calling them TLS certificates, they aren't limited to just TLS...
Tilt23Degrees@reddit
It’s not something you should honestly be thinking about on a daily basis honestly.
There’s plenty of shit I can’t remember how it works unless I have to deep dive it again.
We do way too much crap to remember it all, it’s impossible.
NSFW_IT_Account@reddit (OP)
It seems like every time I have to do something thats not repititve, I have to deep dive and figure it out again. Probably the nature of the job.
ABolaNostra@reddit
It's normal to not be an expert in everything.
Tilt23Degrees@reddit
You can’t be an SME in everything, otherwise there would be no such things as an SME.
Our jobs require us to do so much nonsense every week, it’s impossible to know everything.
PM_ME_UR_HAYSTACKS@reddit
Certs may as well be witchcraft to me.
UninvestedCuriosity@reddit
The real difficulty with SSL that there are 40 ways to do it and each system wants it done in one way or another.
Thankfully for most of us with self renewing certificates, and new rules coming in, you likely won't have to know how it works hardly.
La-Ta7zaN@reddit
Start off by learning a Cesar cypher. Then try to do your own encryption. I know it’s a big nono to never ever write your own encryption and you shouldn’t for production purposes.
But you can still learn a ton.
But basically it boils down to “how can we have a secret handshake that no one else knows. Even if they see us vibing”.
zetlali@reddit
I wouldn’t feel too bad. Symantec had to sell their CA business because they didn’t know how they worked either.
DancePartyTurtle@reddit
Hey man, do yourself a favor. Eliminate gaps like this in your knowledge by asking chat gpt about it. It’s free. This is the number one power use of chat gpt. You can read the links in the other comments and watch the videos and learn about it, but it will take longer and when you have a question you can’t just get an instant answer like with an LLM. They are great at stuff like this and can help you learn these things about 50x faster than traditional searching and asking people here. This is my superpower now.
Here, I’ll start the conversation for ya:
Me: I’m asking this question for a reddit user so he can see how good you are for things like this: I've worked in IT for a few years now and occassionally have to deal with certificate renewals whether it be for VPN, Exchange, or whatever. Every time it's a pain and I don't really know 'what' I'm doing but manage to fumble through it with the help of another tech or reddit.
GPT: Perfect — here’s how I’d explain this to someone who’s been “faking it till they make it” with certificates so far, but wants to actually understand what’s happening.
⸻
🧩 The Core Idea
A certificate is just a digitally signed proof that a public key belongs to a specific entity (a server, user, domain, or organization). When you “renew” one, you’re really just creating a new certificate that: • Has a new validity period, • Uses the same or a new private key, • And is signed again by a trusted Certificate Authority (CA).
The key to mastering this is to know who owns the private key, what trust chain you’re part of, and where the cert is actually being used (IIS, VPN server, Exchange, etc.).
⸻
🧠 The Mental Model
You can think of every certificate renewal as having three major steps:
Stage What Happens Who’s Involved 1. Request (CSR) You generate a Certificate Signing Request, which includes your public key and identifying info (CN, SANs, org name, etc.). The system that owns the private key — e.g. Exchange server, VPN appliance, IIS host 2. Issuance A Certificate Authority signs your CSR, producing the new certificate. The CA (internal or external) 3. Installation / Binding You replace the old cert with the new one wherever it’s used (VPN, IIS, SMTP, etc.). You
That’s it. Every renewal you’ve done was just a messy version of that flow.
⸻
🔍 Understanding Key Scenarios
Here’s what’s actually happening behind the scenes for some common ones:
🖥 IIS / Web Server (HTTPS) • The private key lives in the Windows Certificate Store (certlm.msc → Personal → Certificates). • The certificate is bound in IIS Manager → Site → Bindings → “https”. • Renewal means: import the new cert into the store → edit binding → select new cert.
📨 Exchange • Exchange stores certs in the same Windows store. • You usually use Exchange Management Shell:
New-ExchangeCertificate -GenerateRequest -SubjectName "CN=mail.domain.com" -DomainName mail.domain.com, autodiscover.domain.com
Then import the signed cert and assign services (IIS, SMTP, etc.).
🔐 VPN (e.g. Fortinet, Cisco, Palo Alto) • The cert and private key are usually stored in the appliance itself or imported as a .pfx. • You export/import via the VPN management UI or CLI. • Renewal is often just replacing the .pfx and rebooting the service.
⸻
🧾 How to Tell What You’re Looking At
When in doubt, inspect the cert:
openssl x509 -in cert.pem -noout -text
Or in Windows: • Double-click → “Details” tab • Look for: • Subject CN / SANs → what it’s for • Issuer → who signed it • Thumbprint → unique ID you’ll match in PowerShell or IIS • Enhanced Key Usage (EKU) → what it can do (e.g., “Server Authentication”)
⸻
⚙️ Renewal Workflow Template
Here’s a generalized workflow that works everywhere: 1. Locate where the cert is installed and what service uses it. 2. Export the old cert (with private key if needed) — backup. 3. Generate a new CSR (using the same key or a new one). 4. Submit CSR to CA (internal CA or vendor like DigiCert, GoDaddy, etc.). 5. Receive the signed cert (usually .cer or .crt). 6. Import it where the old cert was. 7. Re-bind / Reassign services. 8. Test connections (browser padlock, openssl s_client, VPN connect test, etc.). 9. Clean up expired certs after you’re sure it works.
⸻
🧭 The “Aha” Moment
The reason it’s always been confusing is because every product (Exchange, VPNs, IIS) hides the same simple process behind its own GUI. Once you stop thinking “VPN cert renewal” or “Exchange cert renewal,” and just think:
“Generate CSR → Get new cert → Install → Bind → Test”
it stops feeling like dark magic.
⸻
🧰 Bonus: Must-Know Tools
Purpose Tool Inspect any cert openssl x509 -in cert.pem -noout -text Test TLS remotely openssl s_client -connect host:443 -showcerts Windows cert store certlm.msc PowerShell cert listing Get-ChildItem Cert:\LocalMachine\My Exchange cert mgmt Get-ExchangeCertificate, Enable-ExchangeCertificate
⸻
If you want, I can show what the renewal process actually looks like on Windows (CSR → CA → bind in IIS/Exchange) with a visual diagram and PowerShell snippets — that’s often the “click” moment for people who’ve been winging it.
DancePartyTurtle@reddit
Haha, downvoted for suggesting a tool that can literally 50x your rate of learning. Good job.
wreckeur@reddit
SSL certs are my absolute kryptonite.
dablya@reddit
It’s like six values that have a mathematical relationship to each other… and you don’t even have to understand the math.
mangeek@reddit
The very basic concept of certs and key-based auth are:
You generate a piece of computer math where one side is 'secret' and one is 'public'. As long as you keep that private 'key' private, you can do cool stuff like 'only allow people holding the private key access a server that only knows the public key'.
For certs, the 'private key' is held on the server, the 'cert' is the public side, but the magic is that the cert is ISSUED by a third party that client machines trust via a 'certificate store' that ships on the operating system (Root CA Store). So your Windows machine might trust 100 or so 'certificate authorities' that are trusted places to get certificates. When you go to a website, your machine checks that the cert presented by the server is valid according to the third party, and the server can only decode the traffic coming in on that connection because it has the 'private' part of the equation handy.
The Certificate Authority can REVOKE a certificate, and so can the valid owner of the certificate.
Basic procedures are:
Server abc.xyz is valid according to CertAuthCompany on these dates. And CertAuthCompany is valid to your operating system based on whatever is shipped/updated in its 'root certificate store'.
This system also allows cool stuff, like companies being able to build their own Certificate Authorities that are only recognized by managed machines that have the corporate Certificate Authority installed in the Certificate Store.
chuckaholic@reddit
I went to school and the teacher was really good at explaining things so I could understand. He went through the entire process of how SSL certs work. He explained every handshake, hashing algorithm, and TCP connection, down to the packet contents.
From what I understand, they are some kind of magic.
thewildblue77@reddit
I hate certs. Never get them even if they're explained to me like Im 5. I've got 4 to do this week
enigmaunbound@reddit
I want to know you are who you claim to be. But how do I or anyone know this? You create a secret with two parts. Think of a piece of paper you tear in half. It matches up perfectly. One you keep your self. That's the private key. One you distribute. That is the public key. Cool now you claimed to be who you say in a more complicated way. You fill out your name and address and other details.
So you go to the local Dept of Motor Vehicles. They look at several forms of identity. They subject you to bureaucratic indignities. And they take your money. They stamp your public key with their private key. And now they attest that the information you provided has been validated. Anyone using their public key can line it up and prove they stamped your ID.
But do you really trust them? They had their identity stamped by the private key of the US Government. And the US Governments public key attests to that. Proving to someone suspicious you are you requires you to provide the DMV and US public keys in a key chain. If all the signatures match.
If they are still valid and have not expired there is an expectation that you are who you say you are.
TheCaptain53@reddit
Knowing how TLS certs work and are used (SSL is old) is important as a sysadmin and allows you to apply it to lots of circumstances.
Before diving into certificates, or PKI, it's worthwhile talking about hashing first. In computer science, hashing can broadly be done 1-way or 2-way. A really common 1-way hash is SHA256. The algorithm takes an infinite input and predictably turns it into a finite output. The word "predictably" is doing some heavy lifting here, so I'll explain - it doesn't matter what computer I enter it into, if I try to hash the string 'hello' with the SHA256 algorithm, it will be identical. Because there are so many possible outputs with SHA256, it doesn't matter that more than 1 input can generate the same output, no one has even accidentally found distinct inputs that produce the same output. The point of hashes like these is to sanitise the input. Say you have an account with a website and your password is stored in a SQL DB, well if someone hacks the DB, they have your password. If the password were hashed with SHA256 (they wouldn't actually use SHA256, this is just an example), then any breach wouldn't have access to your password. Then whenever you try to log in, you send the hashed version of your password, the values match, you're in.
1-way hashing is also destructive - because an infinite number of inputs produces a finite number of outputs, some information is lost along the way, so it's literally impossible to reverse engineer the algorithm and figure out the input, the only way to do it is by brute forcing the inputs until the output matches.
So how is PKI and 2-way hashing different? Where 1-way hashing is destructive, 2-way hashing isn't, it's possible it figure out what the message is. What's important about PKI isn't that it can be reversed, it's that you cannot use the same key you used to encrypt the message to decrypt the same message, it has to be a different key. So my TLS cert has two keys associated with it - a public key, which everyone with visibility of my application can see, and a private key used for decrypting incoming messages, which is kept secure.
A few other quirks about PKI:
-Certificates expire - they do not last forever.
-The way a client knows if a certificate has expired is if the expiry date has lapsed, or if the certificate has been published on a CRL, or certificate revocation list. These should be accessible by the client accessing the certificate.
-We trust certain certificates because we trust certain signing authorities implicitly, which in turn verify and trust that whoever owns Google.com (or whichever website) actually owns the domain you're attempting to access.
So how could this be used as a sysadmin? A really common way is by using a private CA (certificate authority). Let's say you're a Windows shop and manage 200 laptops. It seems like a pain for you to use a PSK for your wireless (not to mention secure), so you want to explore other methods. One method of authentication is EAP-TLS. This uses certificates on both the server and client - the client verifies the server is who it says it is, and vice versa for the server to the client. Using certs from a public provider could get really pricey, but if root CA trust is built-in and implicit, how do we solve this? A private CA. Rather than using a public CA, I set all of my managed laptops to trust this private CA I run (you manage them, after all), which allows the trusts to work correctly.
TimelyConsideration4@reddit
It’s funny timing as we just had a cert snaffu, certfu, today. Certs take some practice to get used to and we cert masters are usually born out of necessity. SCCM was my trial by fire for ssl. Id recommend googling pki which will be your internal cert services and then id also recommend looking into web tls certs, “roots” “intermediates” “leaf” and “private key”. Also check out OpenSSL documentation. Very useful for manipulating certs like combing pem/cer and keys into pfx. Which are different formats for certs, the latter being combined key and public cert.
frankztn@reddit
Honestly I just think its magic.
GroovyMoosy@reddit
Asymetric encryption. That certificate is basically a public key.
stuckinPA@reddit
Oh yeah I always throw up my hands and email a bunch of people. I say something like "if you make me do this I WILL break something. Someone who knows what they're doing should do this."
shadeland@reddit
I did this article about 14 years ago on SSL, using Star Trek to help explain aspects: https://datacenteroverlords.com/2011/09/25/ssl-who-do-you-trust/
Regulus0@reddit
It helps to know exactly how in-depth you are looking to get and for what purposes your certificates are used for. You can look at this from a very top-level and get a basic understanding or dive super deep into the encryption and mathematics of what is going on deep down. I manage the PKI environment at my enterprise and deal with other IT staff who are also all lost on the subject.
At a basic level, most cases I come across are these two use-cases
1) Encryption
There is a Server and a Client in most configurations. The server has a certificate that it binds to a web page, service, or otherwise in order to secure communication between itself and the client using the service.
The server's certificate has 2 parts. A private key and a public key. The private key is never handed to anyone and remains on the server. It is used for decrypting data from the client and encrypting data to the client. The public key is handed out to any clients communicating to the service/web page when the client first communicates to it. Through mathematical magic, the public key is matched with the private key and allows for a one-way encryption/decryption for data encrypted with the matching private key. This prevents anyone from just reading data going between the two parties.
2) Identification and Trust
The other main topic I come across is the idea of "Trust." Trust is leveraged for verifying the server (or client) you are connecting to is who they say they are and isn't some rogue system that hijacked your domain or a server.
You can think of a certificate as a form of government issued ID, like a driver's license. Take for instance, if someone shows you their driver's license, you would trust that that person is who they say they are or that their age is what they are telling you it is. Why does showing you a piece of plastic with some info on it prove anything? It is because the driver's license was validated by a party you trust did their diligence to identify that person and then handed them that ID card for proof. This is the same idea that certificates use for "trust."
You have a Certification Authority(CA) that issues certificates (the DMV or Government office that issues the ID). A certificate from this CA containing the public key is typically deployed via GPO or Active directory to your client computer's "Trusted Root Certificate Authorities" store. This store is where the computer checks for places it trusts to hand out and validate the various certificates it comes across. So when your client connects to a server, and sees a certificate signed by "My -Company-CA", it knows that it can trust that the server is who they say they are, and thus know they are communicating with the correct place and not some rogue actor.
Hope this helps some.
SirLoremIpsum@reddit
Given the vendor of one of our critical e-commerce site had us down for 4 hours just before a big sales deadline cause they didn't renew a cert... I feel half the world feels like this.
Exotic_Call_7427@reddit
You are a craftsman. You make carved wooden toys.
I am a non-profit that wants to take your product to later distribute to kids or something. In order to get government subsidy or funding, I must prove you are a legitimate craftsman.
Option 1: you take a planer and shave off a thin piece of wood that you use for your toys, and write down your name, your address, and what this piece of paper-thin wood is for. Congrats, you have a self-signed certificate. I know it's you uniquely because of the wood and your handwriting.
Option 2: you, as a master craftsman, ask a colleague of yours that both of us know to shave off the piece of wood, write down your name and also leave his signature. Congrats, we have a basic SSL certificate. I trust you because I trust him because I know him, you trust him because you know him.
Option 3: you submit a formal request to the Guild of Wooden Toy Carvers to issue a unique certificate. They give your mutually-known colleague a long shaving from a very special wood that has the guild's name and motto on it on special ink, and your colleague embeds that shaving into your shaving with his handwriting. Tadaa, you have a certificate chain - your certificate, signed by trusted intermediate, signed by a root authority that everyone knows because they are the authority.
Supermathie@reddit
Ever renewed an electronic passport?
It's like that, they use the same kind of PKI system and are signed in the same way with a chain of trust.
HTH, HAND.
HetElfdeGebod@reddit
Slightly off topic, but this story reminds me of a sound engineer at the music venue I worked at in the 90s. During sound check, mic in hand, he’s doing the old “two, two, warn, sssue, sssue, warn, ssssssue”, looks at me and says, “hey, HetElfdeGebod, check this out. I talk into this, and my voice comes out of there. Amazing!”
amcco1@reddit
Instead of spending time making this post, you could have spent the time googling how SSL works.
cellcore667@reddit
Just want to explain it in an analogy:
PKI = global passport system
RootCA = government authority
IntermediateCA = government office
Certificate = passport
Borders = Load Balancers / Proxies
Border Control = TLS handshake
CRL/OCSP = list of stolen passports
The main difference is that a certificate has a private key which is not shared or should not be known by anyone.
We don’t have to calculate a secret language to able to walk into a country.
Hope that helps.
VexingRaven@reddit
What exactly are you hoping to get? The technical details behind the math involved in public key cryptography? How the infrastructure behind PKI works? How SSL/TLS specifically functions?
For sysadmins it's pretty simple... The certificate, or one of the certificates that issued it, needs to be trusted. It needs to not be expired. And whatever software you have needs to actually be using it (don't be that guy who renewed the cert but forgot to actually set the binding in IIS!). That's literally it. You don't have to understand the math for how it works or anything like that. Just understand how the chain of trust works and you're good.
NSFW_IT_Account@reddit (OP)
Mainly the process of renewing, and applying a new certificate. It seems to be different for everything but last time I had to do it for on prem exchange it was a mess, and then there was also an IIS server I had to apply it too as well. This involved buying a new certificate, then applying it to the server, etc.
Recently, a VPN certificate expired on a firewall that came into my management and I was getting alerts that certificate was expiring. Luckily I think that was just a click to renew within the firewall's certificate setting. I just don't understand why I need to physically click 'renew'. Why isn't this set to auto renew? Did the click actually renew it? It seems like it did, but I have no idea.
Frothyleet@reddit
There are fundamentals of how PKI and certificates work, and they'll be applicable to every situation. In practice, though, every application can potentially handle certificate installation, renewal, re-keying, naming, activation, private key management, and all the other functional bits completely differently and with varying levels of UI crappiness.
So even if you were one of the people who developed TLS itself, if you had never messed with IIS or Windows Server and you were plopped down in front of it, you might be on the struggle bus for a while.
VexingRaven@reddit
Unfortunately none of these are really easily answered questions because it's not so much a "how do SSL certificates work" question as a "how does all this random software handle SSL certificates". All you can do is follow the documentation from the developer.
gormlessthebarbarian@reddit
and I never will.
floatingby493@reddit
Maybe document what you do so you can use that in the future
Plastic_Helicopter79@reddit
Step zero, which is not widely known or understood:
Your operating system shipped with a large number of signing certificates already installed, from huge industry player certificate authorities like VeriSign.
Public signing works because the OS provider put those in there for you as part of their product, to verify that public keys are valid and trustworthy.
Security certificates eventually expire. As an OS ages, updates may occasionally push new certificates that supersede the old ones, but use the authority of the old expiring cert to approve the new one.
,
Normally you never need to think about this. But if you use an operating system past the end of its supported security updates, eventually the included certificates expire, and you're going to have endless problems trying to use it on the Internet because nothing is "trusted" anymore.
Windows XP has reached this point where all the certificate authority trusts have expired. It is a huge pain to fix this, just to keep an obsolete OS still working on the Internet.
patthew@reddit
“Idk and at this point I’m afraid to ask”
El_Grande_XL@reddit
I ask the machine spirit for many number.
Then i send it to the PKI Wizards and they conjure a ssl certificate and then add it to the machine.
peacefinder@reddit
The first key concept: public key cryptography. Public key cryptography can be used to create a Certificate, which asserts a fact such as “this server belongs to foo.com”. You don’t need to know how this works, necessarily, but you need to understand that it does work and is extremely reliable when done right. There are some great non-mathy demonstrations out there using color mixing as a metaphor. Here is one https://crypto.mste.illinois.edu
The second key concept: cryptographic signing. Public key cryptography can be used to “sign” digital items. Certificates are such an item that might be signed. You don’t need to know how this works, necessarily, but you need to understand that it does work and is extremely reliable when done right. Wikipedia is pretty useful on this https://en.wikipedia.org/wiki/Digital_signature
The third key concept: transitive chains of trust. You don’t know Bob but you have a digital item signed by Bob. Bob’s signature is itself signed by Alice, indicating that Alice trusts Bob to sign only things he should be signing. If you trust Alice to sign only things she should be signing, then you can trust Bob’s signature as much as you trust Alice. This kind of trust can be chained; if Bob trusts Charlie and you trust Alice, then you can trust Charlie because Alice trusts Bob.
The fourth key concept: certificate authorities. There exist many entities out there like Alice above, that are trusted by almost everyone by default. (This is both a cryptographic trust and a business trust; we’re all trusting them to be secure.) They are called “root” certificate authorities, and their business is to sign other entities’ certificates asserting that the root authority knows enough about them to trust them.
Putting all this together, you have the Public Key Infrastructure, in which we trust certificates which have a chain of trust going back to a root authority like Alice.
When you point your web browser to foo.com, it presents a certificate claiming to legitimately represent Foo, Inc. Your browser checks to see if the certificate is trusted by a root authority, and finds that the certificate is signed by Bob. Because you know Alice trusts Bob and you trust Alice, you can trust the server claiming to show you Foo, Inc’s website.
Make sense?
notospez@reddit
Here's the guide: You need to automate this. Less than four years from now those yearly renewals will be monthly - webbrowsers will stop accepting certificates with a validity longer than 47 days by 2029.
As for understanding: certificates are layers of trust.
It's really that simple. On a technical level there's four things you'll deal with:
caffeine-junkie@reddit
You're not alone. I have encountered more sysadmins that don't know how they work than those that do. This is from companies that are mostly on the larger side; teams ranging from a dozen to a hundred or two. Even myself it took a while till I got the hang of it. For myself though, it was more the actual doing it repeatedly while having the guide on the other screen that helped a lot. At least with the certificate creation part.
whythehellnote@reddit
Every time I see a diffie-hellman example, my brain shortcuts it to "magic"
zerotol4@reddit
So what is the story with certifcates anyway?
There are multiple parts to this, the first part is used to make sure that the server on the other end is who it says it is and the second part is to make sure the information you are sending can only be read by that server and only that server.
What are certificates?
When you want to securely send information you use something called a public key, this key is put into a mathematical algorithm to encrypt something but cannot be used to decrypt it, for that you need a private key which never leaves the server.
How do we know we can trust the server we are sending private information to.
When you look at a certifcate you will notice some useful information like what domain this certificate is for, who is this certificate for and who it was signed by. Typically this signature is from an intermediate certificate authority who itself is signed by a root authority who is globally trusted by being added to a list on everyones device. If the root certificate authority's private certificate was to ever be exposed it would invalidate every certificate underneath it so having an intermediate sign it limits this from happening.
Ok, I'm sold, how do I get a certificate.
First of all you would generate a CSR or a certificate signing request with the required information like what domain its for which also comes with a private key which you keep safe on the server that you want to use it on. You then send the CSR to a certificate authority which will verify your domain and use the information in the CSR which has a copy of your private key and signs it with its own key. You then take this signed certificate and add it to your server which distributes this certificate to clients and uses the private key to decrypt the information it recieves from them.
Ok, wait, if the private key never leaves the server how does the server then send its encrypted response back to the client for it to decrypt.
When you first want to establish secure communication to a server, a handshake is performed which involves the client generating its own private key and then using the servers public key to encrypt this and send it to the server, once both client and server have this key they use this one for communication between eachother.
thereisonlyoneme@reddit
None of us know. It's black magic.
therouterguy@reddit
We had a policy we only renewed certificates n datacenter A on monday and wednesday and in datacenter B on tuesday and thursday. Thats is how well we understood it. At least it could only break one DC.
Anyway I learned most about certs when thinks horribly broke when lets encrypt moved to a different intermediate. That intermediate was signed by a root which wasn’t trusted in our outdated python library.
Reetpeteet@reddit
If you have an hour to kill, here's a video recording of an intro class I teach about TLS certificates... It goes through all the basics and more.
https://www.youtube.com/watch?v=p1ViwiXA-Kk
gabacus_39@reddit
I've been a sysadmin for a long time and certificates are sort of big black hole in my mind. Lol. I've never had a role in my career that had me mage certs and CAs so that's probably why.
MinimumViablePerson0@reddit
It’s simply easiest to open a ticket with whatever appliance/ software vendor….and their support will give you commands to run that you never would have strung together on your own after 2hrs of research and multiple failed attempts.
Doctorphate@reddit
If it makes you feel better, I’ve been doing IT of some kind for over 20 years. Security for the last almost 10.
I was probably 10 years in before I started to actually get it. As far as how the calculations are made? Yeah not a clue. It’s math. That’s about the extent.
Scared_Bell3366@reddit
Client certs is the next level of SSL hell. It also forces you to understand them better since you have to parse out information from them to authorize people or other systems.
crysisnotaverted@reddit
The public key is a magic number you can give everybody. People can use the public key magic number to encrypt data and send it to you.
You have the matching private key, a secret magic number that is the only thing that can decrypt things encrypted using the public key.
This means that someone can use the public to encrypt things that only you with the private key can decrypt.
gingernut78@reddit
Welcome to most of the IT world. It’s dark magic.
swissthoemu@reddit
Check let’s encrypt. For IIS servers it renews the certificate automatically, for free and files a ticket if it should fail.
rootsquasher@reddit
If you all could shadow or apprentice with me I could show you the ways of the dark side (JKS, PEM, PKCS #12).
shemp33@reddit
Key exchange can be simplified as your private key + other side's public key = an encrypted message that can be decrypted by the receiver's private key + the sender's public key.
A certificate stands alongside that handshake process and confirms that the public key you're using a part of the encrypted conversation came from a trusted source, and that the public key you're trusting from that other side is legit.
Marelle01@reddit
What have you already studied?
Do you want to know how to generate a certificate? How they are validated?
Or the protocol, when they are used? TLS protocol is described on Wikipedia.
There's a lot in documentation from providers too -- Sectigo or Namecheap.
If you might be more specific...
Keyboard_Warrior98@reddit
Welcome to the club
AppIdentityGuy@reddit
If you can find it online read the MS ADCS Resource Kit. X-Wing a bit dry but it does explain. It a cloud world a basic level of understanding of SSL/TLS and cert theory is vert important.
Concepts like
Signing VS sealing Cert revocation and expiry Asymetric encryption and PKI
Sowhataboutthisthing@reddit
None of us do. I setup a script to do it all for me and then I never think about it again.