Never understood TLS certs, but today I will make SSL and TLS certs simple for entire Community !!

Lets start the journey to learn TLS basics:

• TLS protocol has 3 parts : CA Certificate, Server Certificate, Private Key
• Server Certificate = X.509 cert + Public key (signed by CA)
• Certificates rely on asymmetric encryption, which have two encryption keys (a public key and a private key).
• A Certificate owner shows Certificate to another party as proof of identity.
• This Certificate consists of its owner’s public key.
• Other party does data Encryption with Public key. This data can be decrypted by Owner by only using the matching Private key, which is held by the Owner of the Certificate.
• Public Certificate Authorities (Entrust, Verisign, Digicert) create & manage Certificates
• Every CA will provide these features: a) A public / private key pair, b) A self-signed certificate for that Key pair, c) Software tool that can sign Certificate signing requests (.csr) with that Key pair.
• CA also implement policies around how they manage data & how much background checking they do before actually signing a .csr.
• So we have 3 files= *.pem format
• TLS has 2 keys : Private Key & Public Key
• In Cryptography, X.509 is a standard that defines the format of Public key certificates.
• X.509 format is used in TLS/SSL protocols (HTTPS)
• In SSL/TLS, client will want to see intended server name in the Certificate.
• HTTPS, the “intended server name” is the one which appears in the URL
• When Client <->Server “talk SSL”, they agree on Crypto algorithms to use, implying use of Server’s public key, as it appears in the Server certificate.
• An X.509 certificate contains Public key & an identity (a Hostname, or Org or Individual) & is either signed by Certificate Authority or Self-signed.
• Server never shares the Private key with other parties
• Server shares Public key with others
• PEM “Privacy Enhanced Mail”
• PEM files are Base64 encoded
• PEM files include Server certs & Private keys, & have a .pem, .crt,.cer, or .key file extension.
• Certificates in PEM files are wrapped in “ — — -BEGIN CERTIFICATE — — -” and “ — — -END CERTIFICATE — — -” statements.
• If you have a Certificate chain (A -> B -> C), where C is signed by B, and B is signed by A. Then Certificate A is the Trusted Root.
• A Certificate Revocation list is “a list of Digital certs that have been revoked by Issuing CA before their Scheduled expiration date & should no longer be trusted.
• In Cryptographic systems with hierarchical structure, a “Trust Anchor” is an authoritative entity for which trust is assumed not derived.
• In X.509 architecture, a root certificate would be Trust anchor from which the whole chain of Trust is derived.
• Chrome and Firefox browsers, provide its own list of Trust anchors.
• All OS: built-in list of self-signed Root certs, act as Trust anchors for App.

^^How TLS communication works and maintains security:

• TLS Server authentication allows a Client app to confirm the identity of Server app. The Client verifies that Server’s (certificate and public key) are valid & have been signed by trusted (CA) that is known to Client app.
• TLS Client authentication allows a Server app to confirm the identity of Client App. The Server verifies that Client’s (certificate and public key) are valid & have been signed by trusted (CA) that is known to Server app.
• An encrypted TLS connection requires all messages sent between Client & Server application to be encrypted. The sending app is responsible for encrypting data & the receiving app is responsible for decrypting the data.
• TLS provides message integrity, which provides a means to determine if the data has been tampered with since it was sent by Partner application.