Certificates from Scratch - X.509 Certificates explained

Рет қаралды 83,262

Күн бұрын

What are X.509 Certificates? What is a "Certification Authority" or CA? How can we create our own CA? How can we sign our own Server certificates? How does LetsEncrypt work? How do private and public keys work? What is a certificate Chain or a Chain of Trust? The answers are in this video.
The XCA Tool can be obtained here: hohnstaedt.de/xca/
More Info on my Cheat Sheet Repo here: github.com/onemarcfifty/cheat...
0:00 about certificates
2:42 Certificate Chains / CA
7:15 private keys
9:14 how do private/public keys work?
12:38 how does Letsencrypt work ?
14:18 We create our own CA and certificates
16:42 When and how to use a self signed CA
KZbin: / onemarcfifty
Twitter: / onemarcfifty
Discord: / discord
Github: github.com/onemarcfifty
Patreon: / onemarcfifty
Blog: www.onemarcfifty.com

Пікірлер: 112

@depnik5583 3 ай бұрын

Thank you sooo much Marc. This is easily one of the best explanations about certificates I’ve come across.

@13F_Airborne 7 ай бұрын

Great content and presentation. Not only that, you just seem like a genuinely nice person. Subscribed.

@aal2002 11 ай бұрын

Marc my friend, this is an outstanding video! Wow, I wish I had seen this about 2 years ago. Now I totally understand certificates. Thank you so very much! You are an excellent teacher!

@l4te4oot91 Жыл бұрын

Always love when I see a new video drop, these are gold

@OneMarcFifty Жыл бұрын

Awesome - thanks a lot ;-)

@BS-my2ky 5 ай бұрын

Simply amazing! Looking forward to see an espisode on key management and distribution.

@jairunet Жыл бұрын

Excellent, there are not many well-explained X.509 certificate videos online, this is super valuable, and thank you for putting this series together, looking forward to the next one.

@OneMarcFifty Жыл бұрын

Thank you very much!

@leonardoquatrocchi7629 Жыл бұрын

You did a great job explaining this while showing the video the whole process so everybody can follow all the use cases and security concerns. Thank you so much!

@OneMarcFifty Жыл бұрын

Glad it was helpful! Thank you so much!

@matrix9164 Жыл бұрын

Nice! Marс, you have a talent to explain complex things in simple terms

@OneMarcFifty Жыл бұрын

Thank you very much Konstantin!

@ayushsarda9035 5 ай бұрын

Really great video. Loved the way he explained the entire process.

@daniellukesmith 15 күн бұрын

His explanations are the best!

@arghyl Жыл бұрын

This is fantastic! Thank you for making the topic so easy to understand. Certificates are certainly something I struggle with a lot!

@OneMarcFifty Жыл бұрын

Hi Rodrigo - it was exactly the same for me until I bought a book on the topic ;-) All I do is share my learnings from it really ;-)

@IanMatthews666 16 күн бұрын

Excellent stuff Marc. Thanks!!!

@daysiewaysie Жыл бұрын

you are born to teach ! a great video and up to your usual, fantastically high standards... looking forward to the continuation of this series... many thanks Marc.

@OneMarcFifty Жыл бұрын

Hi Damien, thank you very much! the next episodes will come out next Monday(s) at 5 PM Berlin time ;-)

@Barchy22 Ай бұрын

Best video describing certificates that I have ever seen.

@rklauco Жыл бұрын

While I understand the certificates now, I should have had this video on my playlist ~5 years ago. This is excellent. I'll use your channel to recommend to my team - your IPv6 videos rock, so does your OpenWRT tutorials. Keep it up! Thanks for the effort.

@OneMarcFifty Жыл бұрын

Hi Robert, thank you very much!

@tissandre Жыл бұрын

What a coincidence! I was, this morning, looking at possibilities of using Certificates for authentication on SSH connection. And you start a new serie on Certificates right at that time!!! I'm SOOO looking forward to see the rest of the serie! Thanks!

@OneMarcFifty Жыл бұрын

Hi Alexandre - great minds think alike ;-)

@memoli801 Ай бұрын

Besser als ich dachte Man merkt, da hat man sicht richtig viel Mühe gegeben!

@konradmolinski2772 Жыл бұрын

i've been looking for good explanation of that topic for a while. This is incredible good one. Thank you!

@OneMarcFifty Жыл бұрын

Glad you enjoyed it! Many thanks for the feedback!

@plousho1947 2 ай бұрын

Amazing video, I am studying for my exam and this video helped me understand the process alot better!

@marcorojas3179 4 ай бұрын

Excellent explanation! Thank you so much for the effort.

@itsawonderfullife4802 Жыл бұрын

Practical approach and clear as always. Thank you.

@OneMarcFifty Жыл бұрын

Thank you very much ;-)

@pberto Жыл бұрын

Thank you so much Marc. I think your explanation is the simplest and clearest one I've ever dealt with. I don't see the time when you will public next episodes.

@OneMarcFifty Жыл бұрын

Hi Gabriele, it will be today - Monday at 5 PM Berlin time. the third episode will be next week, same time.

@melvincross5386 8 ай бұрын

well explained, thanks

@kefteves 10 ай бұрын

Awesome video, incredibly helpful, thankyou!

@NigelSharp Жыл бұрын

Really awesome explanation. I've watched many of these tutorials and this is the best.

@OneMarcFifty 11 ай бұрын

Hi, thank you so much. I am glad that you liked it !

@juanrebella2589 Жыл бұрын

Amazing class as usual Marc, Thanks!! Juan.

@OneMarcFifty Жыл бұрын

Hi Juan, many thanks!

@thibaultguillen8423 Жыл бұрын

Great job again Marc ! I can't wait for the next episode on the keys management, I'm struggling with that for month.

@OneMarcFifty Жыл бұрын

Hi Thibault, what's your use case ? Do you want to manage keys for multiple people ? Have a look at OpenXPKI for example.

@thibaultguillen8423 Жыл бұрын

@@OneMarcFifty Hey Mark ! Thanks for your reply. I'm self learning certificates on a Mikrotik router and I try to figure out what key usage for which purpose. Can you give examples ?

@rafaelchaves6920 5 ай бұрын

Finally i understand this, ehat incredible class!!

@aleksandrkubar6255 11 ай бұрын

Thanks Marc!

@svddwd 2 ай бұрын

Great content ! Thank you!

@Alexander-ns9yv Ай бұрын

Thanks. Now I understand TLS altogether.

@s_eka_p Жыл бұрын

I learned a lot from the info you provided. CA and CA. Best of the best. Thank you sir☺☺

@OneMarcFifty Жыл бұрын

Awesome, glad it could help ;-) Thank you !

@lakshmanankanthi7158 Жыл бұрын

Thank you so much, it's very clear now :) You are a wonderful teacher

@OneMarcFifty Жыл бұрын

Hi Lakshamanan, thank you so much!

@Sabrinakay2008 7 ай бұрын

You saved me 200 USD. Thanks so much!

@LucaBarbetti-qh2jh Жыл бұрын

Really well done, thank you so much and kudos for your channel

@OneMarcFifty Жыл бұрын

Hi Luca, many thanks for the feedback!

@007hansen 2 ай бұрын

Dude well done. Put link to playlist or next video too please.

@ahmadmuhammad7423 11 ай бұрын

that is amazing !

@ArifMuradl 4 ай бұрын

Awesome!!! thank you

@MISANTHROPEBLOOD Жыл бұрын

Amazing video thanks for share all your knowledge, in this simple way, you makes look all so easy and simple...

@OneMarcFifty Жыл бұрын

My pleasure 😊 Glad you liked it!

@IBITZEE Жыл бұрын

thx Mark... as always... high value information... 🙂;-)

@OneMarcFifty Жыл бұрын

Thank you very much ;-)

@nathanielswanson8093 Күн бұрын

Great video! I think maybe the audio cut out at 17:51 and comes back at 18:04? Or maybe it was my BT audio driver. I can't seem to confirm this afternoon. Loved the content either way!

@Fdux 5 ай бұрын

Well done Marc… Danke schun…

@phill13able Жыл бұрын

That bass is amazing

@OneMarcFifty Жыл бұрын

Thanks Conrad ;-)

@timvanrooijen3324 Жыл бұрын

Thanks this was really helpfull!

@OneMarcFifty Жыл бұрын

Hi Tim, glad it helped, many thanks!

@OneMarcFifty Жыл бұрын

Hi Tim, glad it helped, many thanks!

@OneMarcFifty Жыл бұрын

Hi Tim, glad it helped, many thanks!

@raunomakela9226 Жыл бұрын

When is the next episode up? Tomorrow? Excellent content as usual!

@OneMarcFifty Жыл бұрын

Thank you ;-) Next Monday !

@skyfoxnz 7 ай бұрын

Hi, thanks for the video. I was following your instruction using XCA tool but it doesn't show the treeview for some reason. There is a plain view/tree view button but it doesn't show the tree view either. Not sure what I am doing wrong.

@joeydebra763 Жыл бұрын

Great vid! I hope in the future you might want to explain how to use/setup SCEP and OCSP. I've been struggling to use openssl for signing certs for my WPA2 enterprise at home. It worked okay last year but this year my iOS phone does not want to trust the certificate while it does have the CA cert pushed and trusted via MDM.

@OneMarcFifty Жыл бұрын

Hi Joey, I might have a look into those - thanks for the hint ;-)

@yosharma5210 8 ай бұрын

Csr has private and public key??? Does CA sign the certificate with servers private key? Or servers private and public key???

@danilocorrea5964 Жыл бұрын

Hi Marc! Excellent video as usual, thanks for the tidy knowledge! Could you explain how to apply this solution to remote access OpenWrt?

@OneMarcFifty Жыл бұрын

Hi Danilo, you mean remote accessing the Web interface (LuCI) from the internet, correct? You would need a reverse proxy running on the router and requesting client Certificates for that.

@qamaranwar-ye8tp 9 ай бұрын

GREAT to say the least, watched so many videos but the concents u cleared, WoW. howcome this is all free ? any place I can donate ?

@jeffreyplum5259 Жыл бұрын

I have a use case for self signed certificates. Old style FTP sends everything in clear text. If I configure my server with a certificate, it becomes a FTPS server like using a certificate turns HTTP into HTTPS. At times one only wants to avoid sending everything in an easily read form, on an internal network Self signed certs can be more a tool for privacy rather than the tight trust and security a bank or commercial business requires.

@OneMarcFifty Жыл бұрын

Hi Jeffrey, great use case - thanks for sharing ;-)

@achyuthvishwamithra 9 ай бұрын

8:49, Public key of R3 isn't stored on the onemarcfifty certificate to verify the signature on it. It's stored on it's own certificate which is a part of the certificate chain. The private key of R3 is used to generate the signature present on the onemarcfifty certificate during the CSR. This signature can be verified using the public key present on R3 certificate during verification. Isn't this correct?

@trungdang1817 10 ай бұрын

Well explained, I am getting more and more understanding of certificates. One point I do not understand is about X509 is the naming standard or what kind it is.

@killer2600 2 ай бұрын

Certificate is a general word and so can have many meanings and take many forms. For example, a high school diploma is a certificate. "X.509" is the specific standard (set by the International Telecommunication Union/ITU) for certificates of this type and format. So while a "Certificate" can take any shape and form, a "X.509" certificate will only take a specific shape and form that makes it compatible anywhere X.509 certificates are used/accepted. X.509 is the standard used for SSL/TLS so any valid SSL certificate will be a X.509 compliant certificate.

@StaRipper Жыл бұрын

Please do video on Tailscale on OpenWRT

@OneMarcFifty Жыл бұрын

Hi, I usually do not make videos about 3rd party services. I will however make a video on WireGuard troubleshooting soon.

@onetruth9869 Жыл бұрын

Big brother coming if we give all authority, to government with a blind trust. Trust is paramount. how many still have absolute trust in all that is government given their performance over the last 3 years, and still is ongoing to this day,

@OneMarcFifty Жыл бұрын

Hi, many thanks for your feedback. Please do however keep in mind that neither TLS certificates nor Certification Authorities have anything to do with the government - those are independent companies really.

@Fdux 5 ай бұрын

@@OneMarcFifty all technology is created by DARPA n given to AWS GCP and Microsoft….GillBates moron couldn’t invent anything but the harvard dropout is a good story…

@rohanofelvenpower5566 Жыл бұрын

YEEEEEEEEEEEEEEEESSSSSSSSSSS I just stumbled on this recently so now Im interested to learn it and behold, one of the greatest teaching channels on youtube drops a video on it perfect!

@OneMarcFifty Жыл бұрын

Awesome - many thanks ;-)

@duskern Жыл бұрын

In the first part of the video where you download a certificate in chrome, you mention that you are downloading it in pkcs7 format. Is this format just the default in Chrome, or did you do something in Chrome to select the format?

@duskern Жыл бұрын

Great video also. You just found yourself a new subscriber :-)

@OneMarcFifty Жыл бұрын

Hi, I just found it was easier to add to chrome in PKCS7 - you could use PEM full chain as well. Works easier with Firefox

@OneMarcFifty Жыл бұрын

Awesome, many thanks !!!

@duskern Жыл бұрын

@@OneMarcFifty Thx for the reply. Is there any specific reason for this? I'm really confused about the different certificate and key formats, so I'm trying to learn what the differences are and what they are used for.

@OneMarcFifty Жыл бұрын

@@duskern It's historic mainly - different applications over time have used different formats. See this article here for a comparison comodosslstore.com/resources/a-ssl-certificate-file-extension-explanation-pem-pkcs7-der-and-pkcs12/

@geoman6079 Жыл бұрын

Hello, Great video, you cover some topics that aren't covered very well in KZbin. 2 questions I have: 1. What exactly is an X509 certificate? You never mention that explicitly. What are the other types of certificates? 2. In your "How Does LetsEncrypt Work" section, it's a little confusing how a CA verifies the host. How does a DNS lookup verify that the person who requests a certificate owns the domain? Can't I just go to the LetsEncrypt website and request a certificate for Google? How does a DNS lookup prove that the requester controls that IP?

@OneMarcFifty Жыл бұрын

(1) X.509 is ruled by RFC 5280. Alternate Certificates are e.g. PGP. In a nutshell an X.509 Cert is a public key plus some text around it (Issuer, purpose, Validity etc.) that is SIGNED with the private key of the CA. (2) There is no verification of the person, only the host. Let's say you request a cert for abcde.google.com from your host with IP x.x.x.x - Letsencrypt would then do a DNS Lookup for abcde.google.com - but as they won't get your IP in return (because you can't make an A entry in Google's DNS), they know that you are NOT in control of google.com.

@geoman6079 Жыл бұрын

@@OneMarcFifty So does that mean that the server that contains the website files (the host) must be the one to make the request for the certificate? In practice, I'd assume that someone would need to physically open a browser in the host, navigate to LetsEncrypt website and fill out their form? From what you've described I can't use my development computer to request a certificate for a server storing the website right?

@OneMarcFifty Жыл бұрын

That’s correct. The request needs to be made from the server that the DNS name points to. You could however copy that certificate to a server in your LAN wit the same name there.

@briancoverstone4042 Жыл бұрын

I've always thought of a certificate as being a public key (with private key optionally included, if you have it) that has additional "properties", including proof of who issued the certificate, and what the certificate can be used for. The whole topic of what a certificate can be used for is confusing. I know about web services and code signing, but there seems to be a lot of other uses that I'm not so familiar with.

@OneMarcFifty Жыл бұрын

Hi Brian, you are right - a certificate is basically a public key with some text around. In order to use it, you need a private key. Just - another key pair comes into play - the CA that signed it. And if you trust that CA then you can trust the certificate.

@briancoverstone4042 Жыл бұрын

@@OneMarcFifty can you do a video on the certificate use property?

@barreiros5077 Жыл бұрын

@@OneMarcFifty So if you make a forgetry of this CERTIFICATE you should be im legal prosecution...but my wife ist Advisor, Barrister not my business 🤔

@OneMarcFifty Жыл бұрын

I am sorry - I don’t really understand you. What is forgetry? What does Barrister mean?

@briancoverstone4042 Жыл бұрын

@@OneMarcFifty i think he meant "forgery". Which isn't really possible. I didn't follow the rest either.