1
00:00:00,000 --> 00:00:10,680
In this lesson, I want to explain certificate services.

2
00:00:10,680 --> 00:00:16,799
So PKI is a keyword that stands for the public key infrastructure, and it is about the infrastructure

3
00:00:16,799 --> 00:00:22,680
that provides public/private keys that can be used to secure services.

4
00:00:22,680 --> 00:00:28,080
Now in this case, the private key is what is supposed to be private, and it is used

5
00:00:28,080 --> 00:00:33,880
by a server to prove its identity, and the public key is handed out to clients for secure

6
00:00:33,880 --> 00:00:34,880
communication.

7
00:00:34,880 --> 00:00:40,160
The client uses the public key, and that allows you to send encrypted traffic, which next

8
00:00:40,160 --> 00:00:44,520
can be decrypted with the private key on the server.

9
00:00:44,520 --> 00:00:49,520
To guarantee the authenticity of a public/private key pair, the keys need to be signed,

10
00:00:49,520 --> 00:00:56,119
and the signing is happening by an external certificate authority, or the CA.

11
00:00:56,119 --> 00:01:00,680
You can also use self-signed certificates, and self-signed certificates are keys that

12
00:01:00,680 --> 00:01:06,519
are not signed by a commonly known certificate authority, but by an internal CA that is not

13
00:01:06,519 --> 00:01:08,680
commonly trusted.

14
00:01:08,680 --> 00:01:10,919
Now that sounds as if it doesn't make sense.

15
00:01:10,919 --> 00:01:16,480
It does, because if you are working with certificates on your own site, why would you pay an external

16
00:01:16,480 --> 00:01:21,160
certificate authority for the reliability of your certificates?

17
00:01:21,160 --> 00:01:26,320
But for your own clients only, you can take care of this reliability internally.

18
00:01:26,320 --> 00:01:29,120
So self-signed certificates are quite common.

19
00:01:29,120 --> 00:01:34,559
But be aware that if ever your browser encounters a self-signed certificate, it will issue a

20
00:01:34,559 --> 00:01:35,559
warning.

21
00:01:35,559 --> 00:01:39,320
It's very likely that you have already seen warnings like this while browsing the internet

22
00:01:39,320 --> 00:01:43,480
to unreliable web servers.

23
00:01:43,480 --> 00:01:45,279
So how do we use certificates?

24
00:01:45,599 --> 00:01:52,160
Well, a message digest is a fixed-size numerical representation of the contents of a message.

25
00:01:52,160 --> 00:01:56,720
And this message digest is calculated by a hash function.

26
00:01:56,720 --> 00:02:02,120
And in secure communication, the sender typically generates a message digest, which is encrypted

27
00:02:02,120 --> 00:02:06,559
with the private key of an asymmetric key pair.

28
00:02:06,559 --> 00:02:11,800
Asymmetric key pair, that means that the sender and receiver are not using the same key.

29
00:02:11,800 --> 00:02:16,000
So the sender generates the message with the private key.

30
00:02:16,000 --> 00:02:18,880
And the result is a digital signature.

31
00:02:18,880 --> 00:02:24,399
And next, the signature is decrypted by the receiver to verify the identity of the sender.

32
00:02:24,399 --> 00:02:28,160
And next, an encrypted channel has been established.

33
00:02:28,160 --> 00:02:30,440
Let me show you how this works.

34
00:02:30,440 --> 00:02:35,160
So let me give you an overview of how TLS certificates are used.

35
00:02:35,160 --> 00:02:38,360
Let's say we have a client.

36
00:02:38,360 --> 00:02:41,080
And we have a web server.

37
00:02:41,080 --> 00:02:44,039
And I'm going for a simplified overview here.

38
00:02:44,039 --> 00:02:49,440
Now, when you are going to send your sensitive data to the web server, you want to make sure

39
00:02:49,440 --> 00:02:53,440
that the transport is secured.

40
00:02:53,440 --> 00:02:54,759
So how does that work?

41
00:02:54,759 --> 00:02:58,320
Well, the web server has a private key.

42
00:02:58,320 --> 00:03:03,440
And when you initialize traffic with the web server, you are going to make sure that you

43
00:03:03,440 --> 00:03:07,279
get the web server public key.

44
00:03:07,279 --> 00:03:11,039
The public key is mathematically related to the private key.

45
00:03:11,039 --> 00:03:12,960
So they belong together.

46
00:03:12,960 --> 00:03:17,360
But the first question is, how are you going to be sure that this public key is legit?

47
00:03:17,360 --> 00:03:21,600
Well, that is because of the certificate authority, the CA.

48
00:03:21,600 --> 00:03:28,000
And the certificate authority has signed this public key in the PKI certificate.

49
00:03:28,000 --> 00:03:32,759
And in case you want to know how the certificate authority has done that, well, that is easy,

50
00:03:32,759 --> 00:03:34,880
with their own public-private key.

51
00:03:34,880 --> 00:03:41,320
So the public key has been signed with, let's call it CAPR, the certificate authority private

52
00:03:41,320 --> 00:03:42,320
key.

53
00:03:42,320 --> 00:03:47,440
And because certificate authorities are supposed to be well-known, when you receive this signed

54
00:03:47,440 --> 00:03:52,039
public key, because of the fact that the certificate authority is known, you can check that it

55
00:03:52,039 --> 00:03:53,559
is legit.

56
00:03:53,559 --> 00:03:57,800
Because browsers and such have the certificate authority public key on board.

57
00:03:57,800 --> 00:04:00,160
And they can verify that it's OK.

58
00:04:00,160 --> 00:04:01,559
So you can trust it.

59
00:04:02,119 --> 00:04:08,880
Now, once you know that you can trust your web server, you can establish a secure channel.

60
00:04:08,880 --> 00:04:13,600
And in the secure channel, you are going to encrypt the data with the web server public

61
00:04:13,600 --> 00:04:14,759
key.

62
00:04:14,759 --> 00:04:17,760
And then the data arrives at the web server.

63
00:04:17,760 --> 00:04:22,519
And only with the web server private key, the data can be decrypted.

64
00:04:22,519 --> 00:04:26,519
And that is what's happening between common HTTPS traffic, for instance.

