Class1, Class 2 and Class 3 Certificate

In accordance to the guidelines of IT-Act and the X.509 Certificate Policy for India PKI published by Controller of Certifying Authorities, e-Mudhra issues 3 classes of Certificates, namely: Class 1, Class 2 and Class 3. Each class of digital signature certificate is associated with specific security features and corresponds to a specific level of trust.

Class 1 Certificate

Assurance Level: Class 1 certificates shall be issued for both business personnel and private individuals use. These certificates will confirm that the information in the application provided by the subscriber does not conflict with the information in well-recognized consumer databases.
Applicability: This provides a basic level of assurance relevant to environments where there are risks and consequences of data compromise, but they are not considered to be of major significance.

Class 2 Certificate

Assurance Level: These certificates will be issued for both business personnel and private individuals use. These certificates will confirm that the information in the application provided by the subscriber does not conflict with the information in well-recognized consumer databases.
Applicability: This level is relevant to environments where risks and consequences of data compromise are moderate. This may include transactions having substantial monetary value or risk of fraud, or involving access to private information where the likelihood of malicious access is substantial.

Class 3 Certificate

Assurance Level: This certificate will be issued to individuals as well as organizations. As these are high assurance certificates, primarily intended for e-commerce applications, they shall be issued to individuals only on their personal (physical) appearance before the Certifying Authorities.
Applicability: This level is relevant to environments where threats to data are high or the consequences of the failure of security services are high. This may include very high value transactions or high levels of fraud risk.

File Formats and Abbreviations (Digital Signature & Encryption)

.pem

The .pem file can include the server certificate, the intermediate certificate and the private key in a single file.

.crt

The server certificate

.cer

The intermediate certificate 

.key

The private key can be in a .key file.

.csr (Certificate Signing request)

A CSR or Certificate Signing request is a block of encoded text that is given to a Certificate Authority when applying for an SSL Certificate. It is usually generated on the server where the certificate will be installed and contains information that will be included in the certificate such as the organization name, common name (domain name), locality, and country. It also contains the public key that will be included in the certificate. A private key is usually created at the same time that you create the CSR, making a key pair. A CSR is generally encoded using ASN.1 according to the PKCS #10 specification.

.p7b or .p7c

The PKCS#7 format is a Cryptographic Message Syntax Standard. The PKCS#7 certificate uses Base64 ASCII encoding with file extension .p7b or .p7c. Only certificates can be stored in this format, not private keys. The P7B certificates are contained between the “—–BEGIN PKCS7—–” and “—–END PKCS7—–” statements.

.der or .cer

The DER certificates are in binary form, contained in .der or .cer files. These certificates are mainly used in Java-based web servers.

.pfx or p12

The PKCS#12 certificates are in binary form, contained in .pfx or .p12 files.

The PKCS#12 can store the server certificate, the intermediate certificate and the private key in a single .pfx file with password protection. These certificates are mainly used on the Windows platform.

X.509 certificate encoding formats and extensions:

Base64 (ASCII)

PEM

  • .pem
  • .crt
  • .ca-bundle

PKCS#7

  • .p7b
  • .p7s

Binary

DER

  • .der
  • .cer

PKCS#12

  • .pfx
  • .p12

.csr (Certificate Signing request)

 A CSR or Certificate Signing request is a block of encoded text that is given to a Certificate Authority when applying for an SSL Certificate. It is usually generated on the server where the certificate will be installed and contains information that will be included in the certificate such as the organization name, common name (domain name), locality, and country. It also contains the public key that will be included in the certificate. A private key is usually created at the same time that you create the CSR, making a key pair. A CSR is generally encoded using ASN.1 according to the PKCS #10 specification.

certificate authority will use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret. The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work.

What does a CSR look like?

Most CSRs are created in the Base-64 encoded PEM format. This format includes the “—–BEGIN CERTIFICATE REQUEST—–” and “—–END CERTIFICATE REQUEST—–” lines at the begining and end of the CSR. A PEM format CSR can be opened in a text editor and looks like the following example:

-----BEGIN CERTIFICATE REQUEST-----
MIIByjCCATMCAQAwgYkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMR8w
HQYDVQQLExZJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRcwFQYDVQQDEw53d3cuZ29v
Z2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApZtYJCHJ4VpVXHfV
IlstQTlO4qC03hjX+ZkPyvdYd1Q4+qbAeTwXmCUKYHThVRd5aXSqlPzyIBwieMZr
WFlRQddZ1IzXAlVRDWwAo60KecqeAXnnUK+5fXoTI/UgWshre8tJ+x/TMHaQKR/J
cIWPhqaQhsJuzZbvAdGA80BLxdMCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GBAIhl
4PvFq+e7ipARgI5ZM+GZx6mpCz44DTo0JkwfRDf+BtrsaC0q68eTf2XhYOsq4fkH
Q0uA0aVog3f5iJxCa3Hp5gxbJQ6zV6kJ0TEsuaaOhEko9sdpCoPOnRBm2i/XRD2D
6iNh8f8z0ShGsFqjDgFHyF3o+lUyj+UC6H1QW7bn
-----END CERTIFICATE REQUEST-----

How do I generate a CSR and private key?

You need to generate a CSR and private key on the server that the certificate will be used on. You can find instructions in your server documentation or try the instructions from one of these certificate authorities:

Comodo CSR Generation Instructions
DigiCert CSR Generation Instructions
Entrust CSR Generation Instructions
GeoTrust CSR Generation Instructions
Thawte CSR Generation Instructions

Once you have your CSR generated, you can use our SSL Wizard to find the best SSL certificate that will meet your needs. If you are familiar with OpenSSL you can use the following command to generate a CSR and private key:

openssl req -new -newkey rsa:2048 -nodes -out servername.csr -keyout servername.key

How do I decode a CSR?

You can easily decode your CSR to see what is in it by using our CSR Decoder. In order to decode a CSR on your own machine using OpenSSL, use the following command:

openssl req -in server.csr -noout -text

What is a CSR/Private Key’s bit length?

The bit-length of a CSR and private key pair determine how easily the key can be cracked using brute force methods. As of 2016, a key size of less than 2048 bits is considered weak and could potentially be broken in a few months or less with enough computing power. If a private key is broken, all the connections initiated with it would be exposed to whomever had the key. The Extended Validation guidelines that SSL certificate providers are required to follow, require that all EV certificates use a 2048-bit key size to ensure their security well into the future. Because of this, most providers encourage 2048-bit keys on all certificates whether they are EV or not.

.PEM File

SSL .pem files (concatenated certificate container files), are frequently required for certificate installations when multiple certificates are being imported as one file.

This article contains multiple sets of instructions that walk through various .pem file creation scenarios.

Creating a .pem with the Entire SSL Certificate Trust Chain

  1. Log into your DigiCert Management Console and download your Intermediate (DigiCertCA.crt), Root (TrustedRoot.crt), and Primary Certificates (your_domain_name.crt).
  2. Open a text editor (such as wordpad) and paste the entire body of each certificate into one text file in the following order:
    1. The Primary Certificate – your_domain_name.crt
    2. The Intermediate Certificate – DigiCertCA.crt
    3. The Root Certificate – TrustedRoot.crt
    Make sure to include the beginning and end tags on each certificate. The result should look like this:—–BEGIN CERTIFICATE—–
    (Your Primary SSL certificate: your_domain_name.crt)
    —–END CERTIFICATE—–

    —–BEGIN CERTIFICATE—–
    (Your Intermediate certificate: DigiCertCA.crt)
    —–END CERTIFICATE—–

    —–BEGIN CERTIFICATE—–
    (Your Root certificate: TrustedRoot.crt)
    —–END CERTIFICATE—–
    Save the combined file as your_domain_name.pem. The .pem file is now ready to use.

Creating a .pem with the Server and Intermediate Certificates

  1. Log into your DigiCert Management Console and download your Intermediate (DigiCertCA.crt) and Primary Certificates (your_domain_name.crt).
  2. Open a text editor (such as wordpad) and paste the entire body of each certificate into one text file in the following order:
    1. The Primary Certificate – your_domain_name.crt
    2. The Intermediate Certificate – DigiCertCA.crt
    Make sure to include the beginning and end tags on each certificate. The result should look like this:—–BEGIN CERTIFICATE—–
    (Your Primary SSL certificate: your_domain_name.crt)
    —–END CERTIFICATE—–

    —–BEGIN CERTIFICATE—–
    (Your Intermediate certificate: DigiCertCA.crt)
    —–END CERTIFICATE—–
    Save the combined file as your_domain_name.pem. The .pem file is now ready to use.

Creating a .pem with the Private Key and Entire Trust Chain

  1. Log into your DigiCert Management Console and download your Intermediate (DigiCertCA.crt) and Primary Certificates (your_domain_name.crt).
  2. Open a text editor (such as wordpad) and paste the entire body of each certificate into one text file in the following order:
    1. The Private Key – your_domain_name.key
    2. The Primary Certificate – your_domain_name.crt
    3. The Intermediate Certificate – DigiCertCA.crt
    4. The Root Certificate – TrustedRoot.crt
    Make sure to include the beginning and end tags on each certificate. The result should look like this:—–BEGIN RSA PRIVATE KEY—–
    (Your Private Key: your_domain_name.key)
    —–END RSA PRIVATE KEY—–

    —–BEGIN CERTIFICATE—–
    (Your Primary SSL certificate: your_domain_name.crt)
    —–END CERTIFICATE—–

    —–BEGIN CERTIFICATE—–
    (Your Intermediate certificate: DigiCertCA.crt)
    —–END CERTIFICATE—–

    —–BEGIN CERTIFICATE—–
    (Your Root certificate: TrustedRoot.crt)
    —–END CERTIFICATE—–
    Save the combined file as your_domain_name.pem. The .pem file is now ready to use.

Reference :

https://www.ssls.com/knowledgebase/what-are-certificate-formats-and-what-is-the-difference-between-them/#:~:text=509%20digital%20certificate%20files%20that,pfx%20files.


https://en.wikipedia.org/wiki/X.509#Certificates
CSR :

https://www.sslshopper.com/what-is-a-csr-certificate-signing-request.html
PEM :

https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm

PGP (Pretty Good Privacy)

Why PGP?

  • Actually the question should be “why not public key encryption”
  • Suppose a text “abc” is encrypted with the receivers public key and during transit of this encrypted file, the file is read by a hacker. Now since the public key of the receiver is a public knowledge and hacker just have to predict the input from the sender and encrypt the predicted text with the public key of the receiver and compare. And if the text matches “vola” you have read the data sent by the sender.
  • Hence to avoid this type of attack PGP came into picture where the actual text sent by the sender is encrypted with a random key and the random key is encrypted by the public key of the receiver. This makes the data pretty hard to read even if it is read in transit.

You can perform PGP encryption on ubuntu using tool called Seahorse (Inbuild with ubuntu)

Reference :

https://en.wikipedia.org/wiki/Pretty_Good_Privacy

What is a Digital Certificate ?

What does a SSL Certificate contain ?

An SSL certificate includes the details of the party to whom the certificate has been issued. It includes the following information:

  • Domain Name
  • Certificate Validity Period
  • Certificate Authority (CA) Details
  • Public Key
  • Public Key Algorithm
  • Certificate Signature Algorithm
  • SSL/TLS Version
  • Thumbprint
  • Thumbprint Algorithm

The aforementioned information is included no matter which type of SSL certificate has been installed on the website. However, some additional information is also provided in the advanced level SSL certificates. For instance, organization validation (OV) and extended validation (EV) SSL certificates include details of the organization such as:

  • Name of the organization
  • Website owner
  • Address
  • City
  • State
  • Country

Digital Certificate

Creating a self signed certificate using openSSL

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

Extract public key from crt :

openssl x509 -pubkey -noout -in /home/tyson/Desktop/PGP/SelfSignedCertificate/temp.crt  > /home/tyson/Desktop/PGP/SelfSignedCertificate/pubkeytemp.pem

Reference :

https://stackoverflow.com/questions/17143606/how-to-save-public-key-from-a-certificate-in-pem-format

Ubuntu :

https://www.liquidweb.com/kb/how-to-create-a-self-signed-ssl-certificate-on-ubuntu/

Create a self signed certificate in Windows :

https://support.sophos.com/support/s/article/KB-000038223?language=en_US#:~:text=Create%20the%20SSL%20Certificate,-Click%20on%20the&text=Click%20on%20the%20name%20of,certificate%2C%20and%20then%20click%20OK.

Role Description of Associate Cloud Engineer

An associate Cloud Engineer

  • Deploys application
  • Monitors operations of multiple projects
  • Maintains Enterprise solution to ensure they meet target performance metrics
  • Experience working with public cloud and on-premises solutions
  • Able to use google cloud console and the command-line interface
  • Performs common platform based tasks
  • Maintains one or more deployed solutions
  • Leverages Google-managed or self-managed services on Google Cloud

Input Stream

  • Use to get data into a Java Program
  • It is a abstract class
  • It was 9 methods
    • public int available() { }
      • How many bytes available in the stream to read
    • public int close()
    • public abstract int read();
      • Read data from file in form of bytes – and promoted automatically to int
    • public int read(byte[]) { }
    • public int read(byte[], int offset, int length) { }
    • public boolean markSupported()
    • public void mark(int readlimit)
    • public void reset()
    • public long skip(long n) { }

What is a Stream and use of it

Stream :

Stream is a connection between Java Program and a File.

Stream is not a physical wired connection but a logical connection for transferring data.

Stream is a logical connection between java program and file either for reading or writing.

Basically there are two types of Streams :

  • Input Stream
  • Output Stream

These streams are from the java point of view i.e with respect to java. Hence we can say
– Input Stream w.r.t to java is give input to java program.
– Output Stream w.r.t to java is give output from java program.

Broadly there are 4 types of Streams in java :

  • Binary Streams – For binary data – From java 1.0
    • Input Stream (Abstract Class)
    • Output Stream (Abstract Class)
  • Characters Streams – For characters – From java 1.1
    • Reader (Abstract Class)
    • Writer (Abstract Class)
  • Input and Output Stream are abstract class
  • Since there are several sources to read data from and several destination to write data to hence we need several concrete classes which extends this abstract class and handle the logic.

List of Input Streams : (9 subclasses)

  1. FileInputStream (Read one byte Data from File as it is) (Important)
  2. ByteArrayInputStream (Read data inform of array)
  3. FilterInputStream
    1. DataInputStream (Read one byte Data from File in primitive datatype)(Important)
    2. BufferedInputStream (Reading Fast )
  4. ObjectInputStream (Reading as a complete Object)(Important)
  5. PipedInputStream (Passing a Stream to another)
  6. SequenceInputStream (Read Data from multiple file)
  7. StringBufferInputStream

List of Output Streams : (8 subclasses)

  1. FileOutputStream
  2. ByteArrayOutputStream
  3. FilterOutputStream
    1. DataOutputStream
    2. BufferedOutputStream
    3. PrintStream
  4. ObjectOutputStream
  5. PipedOutputStream

Java NIO

Java NIO (New IO) is an alternative IO API for Java (from Java 1.4), meaning alternative to the standard Java IO and Java Networking API’s. Java NIO offers a different way of working with IO than the standard IO API’s.

Java NIO: Channels and Buffers

In the standard IO API you work with byte streams and character streams. In NIO you work with channels and buffers. Data is always read from a channel into a buffer, or written from a buffer to a channel.

Java NIO: Non-blocking IO

Java NIO enables you to do non-blocking IO. For instance, a thread can ask a channel to read data into a buffer. While the channel reads data into the buffer, the thread can do something else. Once data is read into the buffer, the thread can then continue processing it. The same is true for writing data to channels.

Java NIO: Selectors

Java NIO contains the concept of “selectors”. A selector is an object that can monitor multiple channels for events (like: connection opened, data arrived etc.). Thus, a single thread can monitor multiple channels for data.