2017/07/11

A study on SSL certificates

Background

Recently I had a chance to deploy a real, CA-signed SSL certificate on the company's GitLab server. By following this link from GitLab, the browser showed a lovely lock icon easily.
However, there was trouble when configuring the container registry with that certificate. GitLab runners threw an error about being unable to get the issuer certificate, just like this and that.
Eventually I found out this was a problem with intermediate certificates and fixed it after some struggle. Below are the glossary entries I have collected.

Glossaries

SSL certificates

aka X.509 certificate (the "SSL" name has stuck, but the format is X.509 and the protocol in use today is TLS)

Encoding

  • DER
    • Binary (ASN.1 DER) encoding of the certificate
    • Not human readable; a DER certificate file starts with byte 0x30 (an ASN.1 SEQUENCE)
  • PEM
    • Base64 ASCII encoding of the same DER bytes
    • Wrapped between the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
    • Several PEM blocks can follow each other in one file, which is how chains are bundled
Usually you would say "I have a DER-encoded certificate" rather than "a DER certificate": DER and PEM are two encodings of the same X.509 data, not two kinds of certificate.

Extension

  • CRT
    • Can be DER or PEM encoded
    • Common on Linux
  • CER
    • Same thing as CRT, either encoding
    • Common on Windows
  • KEY
    • Public key or (usually) private key, normally PEM encoded
The extension is only a convention; check the content (a PEM file starts with -----BEGIN) before choosing -inform in the commands below.

Actions

  • View
    • Print the certificate in human-readable form (subject, issuer, validity, SANs, extensions)
      • PEM (the default input format)
        • openssl x509 -in cert.xxx -text -noout
      • DER (-inform must match the encoding, otherwise openssl reports "unable to load certificate")
        • openssl x509 -in certificate.der -inform der -text -noout
  • Transform
    • DER to PEM
      • openssl x509 -in cert.crt -inform der -outform pem -out cert.pem
    • PEM to DER
      • openssl x509 -in cert.crt -outform der -out cert.der
  • Combinations
    • Concatenate multiple PEM certificates into one file (DER files cannot be concatenated this way)
    • E.g. combine the intermediate certificates with your server certificate, server certificate first
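An added example (not from the original post) that puts the encoding, extension and transform notes above into a small script: it detects DER vs PEM from the file content rather than the extension, converts either to PEM through openssl, and checks a PEM to DER to PEM round trip by comparing SHA-256 fingerprints. It assumes the openssl CLI is installed; the self-signed certificate it generates (CN=demo.example) is throwaway test data created on the fly, not a real certificate.

```shell
#!/bin/sh
# Added example (not from the original post): normalise a certificate to PEM
# whatever encoding it arrived in, detecting DER vs PEM from the file content
# rather than the .crt/.cer extension. Needs the openssl CLI; the demo
# certificate is a throwaway self-signed one generated on the fly.

# DER is raw ASN.1: an X.509 certificate always begins with a SEQUENCE tag,
# byte 0x30. PEM is Base64 text between -----BEGIN/END CERTIFICATE----- lines.
cert_encoding() {                       # cert_encoding <file> -> pem|der|unknown
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# Emit the certificate as PEM on stdout. Passing a PEM input through openssl
# (instead of cat) also proves it parses, which catches a truncated paste.
to_pem() {                              # to_pem <file>
    enc=$(cert_encoding "$1")
    case "$enc" in
        pem|der) openssl x509 -in "$1" -inform "$enc" -outform pem ;;
        *) echo "to_pem: $1 is not a DER or PEM certificate" >&2; return 1 ;;
    esac
}

# SHA-256 fingerprint of the certificate in either encoding; the fingerprint is
# computed over the DER bytes, so a lossless conversion gives the same value.
fingerprint() {                         # fingerprint <file>
    openssl x509 -in "$1" -inform "$(cert_encoding "$1")" -noout -fingerprint -sha256 |
        cut -d= -f2
}

# Round trip: PEM -> DER (as a CA might hand you a .cer) -> PEM again.
# Prints "<encoding of .pem> <encoding of .cer> match|mismatch".
demo_round_trip() {
    d=$(mktemp -d)
    # Throwaway self-signed certificate, constructed for the demo only.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/key.pem" \
        -out "$d/cert.pem" -subj "/CN=demo.example" -days 1 2>/dev/null
    openssl x509 -in "$d/cert.pem" -outform der -out "$d/cert.cer"   # PEM -> DER
    to_pem "$d/cert.cer" > "$d/back.pem"                              # DER -> PEM
    if [ "$(fingerprint "$d/cert.pem")" = "$(fingerprint "$d/back.pem")" ]; then
        r=match
    else
        r=mismatch
    fi
    echo "$(cert_encoding "$d/cert.pem") $(cert_encoding "$d/cert.cer") $r"
    rm -rf "$d"
}

demo_round_trip
```

Run on a certificate a CA actually sent you, `to_pem that.cer` gives you something safe to append to a bundle regardless of whether the CA chose DER or PEM, and `cert_encoding` tells you which `-inform` the view commands above need.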

CSR

  • Certificate Signing Request
  • What you send to the CA; the CA signs it and returns the certificate (CER / CRT)
  • Contains the subject information (Common Name, Organization Name, etc.) and your public key, and is signed with your private key to prove you hold it
  • Decode
    • openssl req -in server.csr -noout -text

Intermediate certificate

  • Certificate(s) between your server certificate and the root certificate
    • Together they form the chain of trust: the root signs the intermediate, the intermediate signs your certificate
  • A proxy protecting the root certificate: the root key stays offline while the intermediate does the day-to-day signing, and an intermediate can be replaced without touching the root in every trust store
  • Clients usually trust only the root, so the server has to send the intermediates itself; a missing intermediate is exactly the "unable to get issuer certificate" error
  • Certificate ordering follows RFC 4346 (TLS 1.1; RFC 5246 keeps the same rule)
    • 1st: the server certificate
    • Then the intermediates one after another, each one certifying the certificate before it
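An added example (not from the original post, and not GitLab's code) that reproduces the failure from the Background and the fix described in this section, the CSR section and the Combinations item: it builds a throwaway root to intermediate to server chain with openssl, shows that the server certificate alone fails verification against the root, checks that a bundle follows the RFC 4346 order, and shows verification passing once the intermediate is supplied. The names Example Root, Example Intermediate and gitlab.example.com are invented for the demo, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the runner's
# "unable to get issuer certificate" failure with a throwaway
# root -> intermediate -> server chain, then fix it by shipping the
# intermediate alongside the server certificate in RFC 4346 order.
# Needs the openssl CLI. Names (Example Root, Example Intermediate,
# gitlab.example.com) are made up for the demo.

# Build a three-level demo chain in <dir>: root.pem (self-signed CA),
# int.pem (CA signed by root) and leaf.pem (server cert signed by int).
make_demo_chain() {                     # make_demo_chain <dir>
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:gitlab.example.com\nextendedKeyUsage=serverAuth\n' > "$d/leaf.ext"
    # Key + CSR for each party (the CSR step from the glossary).
    for n in root int leaf; do
        case $n in
            root) s='/CN=Example Root' ;;
            int)  s='/CN=Example Intermediate' ;;
            leaf) s='/CN=gitlab.example.com' ;;
        esac
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -out "$d/$n.csr" -subj "$s" 2>/dev/null
    done
    # Root signs itself, root signs the intermediate, intermediate signs the server cert.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 30 -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 30 -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -days 30 -out "$d/leaf.pem" 2>/dev/null
}

# Check a PEM bundle follows the TLS rule: the first cert is the server's and
# each following cert is the issuer of the one before it. Prints "ordered" or
# "misordered". Names are compared in RFC 2253 form so spacing differences
# between openssl versions do not matter.
chain_order() {                         # chain_order <bundle.pem>
    t=$(mktemp -d)
    awk -v p="$t/c" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (p n ".pem")}' "$1"
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1")
    i=1; status=ordered
    while [ "$i" -lt "$n" ]; do
        iss=$(openssl x509 -in "$t/c$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
        sub=$(openssl x509 -in "$t/c$((i + 1)).pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        [ "$iss" = "$sub" ] || status=misordered
        i=$((i + 1))
    done
    rm -rf "$t"
    echo "$status"
}

# Verify like a client does: only the root is trusted (-CAfile); anything in
# between has to come from the server, passed here as -untrusted.
verify_leaf() {                         # verify_leaf <root.pem> <leaf.pem> [intermediates.pem]
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2"
    else
        openssl verify -CAfile "$1" "$2"
    fi
}

main() {
    d=$(mktemp -d)
    make_demo_chain "$d"
    echo '--- server cert alone (what the runner saw):'
    verify_leaf "$d/root.pem" "$d/leaf.pem" || true
    cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"   # the fix: server first, then intermediate
    echo "--- fullchain.pem order: $(chain_order "$d/fullchain.pem")"
    echo '--- with the intermediate supplied:'
    verify_leaf "$d/root.pem" "$d/leaf.pem" "$d/int.pem"
    rm -rf "$d"
}
main
```

For a real deployment, swap in the files your CA sent: `cat server.crt intermediate.crt > fullchain.pem`, confirm `chain_order fullchain.pem` prints `ordered`, and run `verify_leaf` with the CA's root and `intermediate.crt` before pointing the server and the registry at `fullchain.pem`. Note that `openssl verify` only reads the first certificate of the file it is given, which is why the intermediates go through `-untrusted` rather than being read from the bundle.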

TLS

TLS is the successor protocol to SSL (TLS 1.0 replaced SSL 3.0); the name "SSL certificate" survived, but the handshake a browser runs today is TLS. DV, OV and EV (domain, organization and extended validation) are not protocol features: they describe how thoroughly the CA checked who the certificate subject is, and any of them works with any TLS version.
