If it were 1990 we would most likely not speak about this at all, and I would prepare to start my week, nice and easy. However, as we are writing in 2016, in the times of the NSA and Snowden and co., who made us realize even more that the internet is not just a nice place to watch YouTube videos and be safe while doing so, here is a small, top-level take on certificates.
What are those files ending in CRT, CSR and key?
It is important to understand that a certificate is the identifier of the resource you are visiting. The match is checked mainly against the URL you have typed into your web browser: if the name in that URL and the name within the certificate are not the same, your browser generates an error warning you that the “thing” you are talking to is not what it claims to be.
Imagine that the webpage of your bank could be copied by anyone and only after you have given Mr. X your username and password you realize that this is not your bank after all. Bad things are going to happen, very fast.
Here’s an example from visiting my 3CX PBX interface. The FQDN company.3cx.eu returns me a certificate whose “Issued to:” field has the same name as the website I am currently visiting. There are also certificates that cover *.3cx.eu (called wildcard certificates), which cover any single name in front of the 3cx.eu part, up to the next dot.
The second part of the shown certificate is the “Issued by”, and here lies the big difference between self-signed certificates and publicly trusted issuers (like GoDaddy, VeriSign, GeoTrust…). With self-signed certificates I am judge, jury and executioner, and no one stops me from claiming to be whoever I want to be (e.g. www.bank-of-stefan.com). But since “the issuer” of this certificate is not known to anyone except me, it will not be trusted by anyone, causing those nice red browser warnings…
Self Signed vs Real Deal…
Now assume I am bank-of-stefan.com and I am the owner of the domain bank-of-stefan.com. How can I build trust with my clients (the same question as whether IP phones trust your PBX or not…)? Well, self-signed is out of the window, just as it is for remote provisioning of an IP phone…
I need to get a certificate from an issuer which is known and trusted, and which carries the burden of validating that I AM really the owner of bank-of-stefan.com and then forwards this trust to you. So what do I need from this “issuer”? A certificate. But what steps do I need to take to get one?
Now we will look at the private key and the certificate signing request (CSR), and this is the most complicated part. Think of the certificate as your home address (the PBX FQDN is equal to your address), and of the key as the means to open your front door. Without the key you can see my house but nothing more. In computer terms this “key” has the ability to enter and decrypt traffic to and from the server. And the issuer guarantees that I have not provided you with a fake address where you should drop off your money…
My key, my precious key…
So to begin, we need to create such a key, and this key must remain confidential. Next I need a certificate which is linked to this precious private key, and it comes from an issuer outside of my control. If I gave them my key, they could gain control over my traffic. Bad idea.
My sort of key…
Here is where the CSR comes into play. This CSR (certificate signing request) is built against my key and has only a temporary use. If you have never generated such a key or a CSR, don’t worry, we have you covered: download this little tool, which creates both for you: CSR Generator
Inside this CSR, the FQDN I would like my clients to trust is included. Next step: I send the CSR to the issuer. Based on the FQDN inside this CSR, and some validation done by the issuer (most likely some money is changing hands), the issuer returns me a certificate and guarantees that the person who holds this certificate and the matching key (which never left my PC) is the real owner of the domain…
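To make the three moving parts of this post concrete (the “Issued to” name check from the beginning, the self-signed vs. trusted-issuer difference, and the key / CSR / certificate round trip just described), here is an added Go example written for this article. It is not code from the original post, not the CSR Generator tool, and not anything from 3CX or from any real issuer. It uses Go’s standard crypto/x509 package to play every role, with the post’s own names (www.bank-of-stefan.com, company.3cx.eu, *.3cx.eu) and a made-up issuer called trusted-issuer.example. Key generation, the CSR, the signing step and the client-side checks are the real thing; only the issuer’s identity validation (the “money changing hands” step) is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panics on error so the happy path stays readable
	if err != nil {
		panic(err)
	}
	return v
}

// newKey makes a fresh P-256 private key: the "precious key" that never leaves the server.
func newKey() *ecdsa.PrivateKey {
	return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
}

// newCSR builds a signing request for name, signed with key; only the public half of key goes in.
func newCSR(key *ecdsa.PrivateKey, name string) *x509.CertificateRequest {
	der := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: name},
		DNSNames: []string{name},
	}, key))
	return must(x509.ParseCertificateRequest(der))
}

// csrMatchesKey is the issuer-side check: valid CSR signature and the CSR carries key's public half.
func csrMatchesKey(csr *x509.CertificateRequest, key *ecdsa.PrivateKey) bool {
	if csr.CheckSignature() != nil {
		return false
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}

// issue turns a CSR into a certificate. parent == nil means self-signed (issuerKey is then the
// subject's own key); otherwise parent and issuerKey belong to the issuer shown under "Issued by".
func issue(csr *x509.CertificateRequest, parent *x509.Certificate, issuerKey *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA { // an issuer certificate must say so and be allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, csr.PublicKey, issuerKey))))
}

// trusted is the client-side check: chains to a root the client knows ("Issued by") AND valid for host ("Issued to").
func trusted(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

type Result struct {
	CSRMatchesOwnKey, CSRMatchesOtherKey, SelfSignedTrusted, IssuedTrusted bool
	IssuedWrongHost, WildcardOneLabel, WildcardTwoLabels                   bool
}

// Scenario plays through the post: key and CSR for the bank, self-signed vs issuer-signed,
// and what a client that only knows the public issuer makes of each certificate.
func Scenario() Result {
	serverKey := newKey()
	csr := newCSR(serverKey, "www.bank-of-stefan.com")
	self := issue(csr, nil, serverKey, false) // judge, jury and executioner
	caKey := newKey()                          // hypothetical public issuer
	root := issue(newCSR(caKey, "trusted-issuer.example"), nil, caKey, true)
	issued := issue(csr, root, caKey, false)
	wild := issue(newCSR(newKey(), "*.3cx.eu"), root, caKey, false) // wildcard certificate
	clientRoots := x509.NewCertPool() // what the browser or IP phone ships with
	clientRoots.AddCert(root)
	return Result{
		CSRMatchesOwnKey:   csrMatchesKey(csr, serverKey),
		CSRMatchesOtherKey: csrMatchesKey(csr, newKey()),
		SelfSignedTrusted:  trusted(self, clientRoots, "www.bank-of-stefan.com"),
		IssuedTrusted:      trusted(issued, clientRoots, "www.bank-of-stefan.com"),
		IssuedWrongHost:    trusted(issued, clientRoots, "www.bank-of-steven.com"),
		WildcardOneLabel:   trusted(wild, clientRoots, "company.3cx.eu"),
		WildcardTwoLabels:  trusted(wild, clientRoots, "a.company.3cx.eu"),
	}
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

Running it prints the outcome the post describes in words: the CSR matches only the key it was built against, the self-signed certificate is refused by a client that only knows the public issuer even though its name is right, the issued certificate is accepted for www.bank-of-stefan.com but rejected for any other host, and the wildcard certificate covers company.3cx.eu but not a.company.3cx.eu (one name up to the next dot, nothing more). The private key is never handed to the issuer; only the CSR, which carries the public half, crosses the line.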
And that’s it! Have a great week!
One small last thing: if you are just testing your new bank-of-stefan.com and would like a super quick untrusted certificate for testing, where security aspects do not matter right away, head over to https://zerossl.com/free-ssl/#self, enter your FQDN and take your key and certificate. Save them in two files and start your install of 3CX… But please do not attempt to provision remote phones using STUN or SBC or even RPS with it… and please do not call support ;-)