Excellent, there are not many well-explained X.509 certificate videos online, this is super valuable, and thank you for putting this series together, looking forward to the next one.
While I understand the certificates now, I should have had this video on my playlist ~5 years ago. This is excellent. I'll use your channel to recommend to my team - your IPv6 videos rock, so does your OpenWRT tutorials. Keep it up! Thanks for the effort.
What a coincidence! I was, this morning, looking at possibilities of using Certificates for authentication on SSH connection. And you start a new serie on Certificates right at that time!!! I'm SOOO looking forward to see the rest of the serie! Thanks!
Thank you so much Marc. I think your explanation is the simplest and clearest one I've ever dealt with. I don't see the time when you will public next episodes.
You did a great job explaining this while showing the video the whole process so everybody can follow all the use cases and security concerns. Thank you so much!
YEEEEEEEEEEEEEEEESSSSSSSSSSS I just stumbled on this recently so now Im interested to learn it and behold, one of the greatest teaching channels on youtube drops a video on it perfect!
you are born to teach ! a great video and up to your usual, fantastically high standards... looking forward to the continuation of this series... many thanks Marc.
Marc my friend, this is an outstanding video! Wow, I wish I had seen this about 2 years ago. Now I totally understand certificates. Thank you so very much! You are an excellent teacher!
@@OneMarcFifty Hey Mark ! Thanks for your reply. I'm self learning certificates on a Mikrotik router and I try to figure out what key usage for which purpose. Can you give examples ?
Great video! I think maybe the audio cut out at 17:51 and comes back at 18:04? Or maybe it was my BT audio driver. I can't seem to confirm this afternoon. Loved the content either way!
I have a use case for self signed certificates. Old style FTP sends everything in clear text. If I configure my server with a certificate, it becomes a FTPS server like using a certificate turns HTTP into HTTPS. At times one only wants to avoid sending everything in an easily read form, on an internal network Self signed certs can be more a tool for privacy rather than the tight trust and security a bank or commercial business requires.
Great vid! I hope in the future you might want to explain how to use/setup SCEP and OCSP. I've been struggling to use openssl for signing certs for my WPA2 enterprise at home. It worked okay last year but this year my iOS phone does not want to trust the certificate while it does have the CA cert pushed and trusted via MDM.
Well explained, I am getting more and more understanding of certificates. One point I do not understand is about X509 is the naming standard or what kind it is.
Certificate is a general word and so can have many meanings and take many forms. For example, a high school diploma is a certificate. "X.509" is the specific standard (set by the International Telecommunication Union/ITU) for certificates of this type and format. So while a "Certificate" can take any shape and form, a "X.509" certificate will only take a specific shape and form that makes it compatible anywhere X.509 certificates are used/accepted. X.509 is the standard used for SSL/TLS so any valid SSL certificate will be a X.509 compliant certificate.
Hi Danilo, you mean remote accessing the Web interface (LuCI) from the internet, correct? You would need a reverse proxy running on the router and requesting client Certificates for that.
In the first part of the video where you download a certificate in chrome, you mention that you are downloading it in pkcs7 format. Is this format just the default in Chrome, or did you do something in Chrome to select the format?
@@OneMarcFifty Thx for the reply. Is there any specific reason for this? I'm really confused about the different certificate and key formats, so I'm trying to learn what the differences are and what they are used for.
@@duskern It's historic mainly - different applications over time have used different formats. See this article here for a comparison comodosslstore.com/resources/a-ssl-certificate-file-extension-explanation-pem-pkcs7-der-and-pkcs12/
Hi, thanks for the video. I was following your instruction using XCA tool but it doesn't show the treeview for some reason. There is a plain view/tree view button but it doesn't show the tree view either. Not sure what I am doing wrong.
Hello, Great video, you cover some topics that aren't covered very well in UA-cam. 2 questions I have: 1. What exactly is an X509 certificate? You never mention that explicitly. What are the other types of certificates? 2. In your "How Does LetsEncrypt Work" section, it's a little confusing how a CA verifies the host. How does a DNS lookup verify that the person who requests a certificate owns the domain? Can't I just go to the LetsEncrypt website and request a certificate for Google? How does a DNS lookup prove that the requester controls that IP?
(1) X.509 is ruled by RFC 5280. Alternate Certificates are e.g. PGP. In a nutshell an X.509 Cert is a public key plus some text around it (Issuer, purpose, Validity etc.) that is SIGNED with the private key of the CA. (2) There is no verification of the person, only the host. Let's say you request a cert for abcde.google.com from your host with IP x.x.x.x - Letsencrypt would then do a DNS Lookup for abcde.google.com - but as they won't get your IP in return (because you can't make an A entry in Google's DNS), they know that you are NOT in control of google.com.
@@OneMarcFifty So does that mean that the server that contains the website files (the host) must be the one to make the request for the certificate? In practice, I'd assume that someone would need to physically open a browser in the host, navigate to LetsEncrypt website and fill out their form? From what you've described I can't use my development computer to request a certificate for a server storing the website right?
That’s correct. The request needs to be made from the server that the DNS name points to. You could however copy that certificate to a server in your LAN wit the same name there.
8:49, Public key of R3 isn't stored on the onemarcfifty certificate to verify the signature on it. It's stored on it's own certificate which is a part of the certificate chain. The private key of R3 is used to generate the signature present on the onemarcfifty certificate during the CSR. This signature can be verified using the public key present on R3 certificate during verification. Isn't this correct?
I've always thought of a certificate as being a public key (with private key optionally included, if you have it) that has additional "properties", including proof of who issued the certificate, and what the certificate can be used for. The whole topic of what a certificate can be used for is confusing. I know about web services and code signing, but there seems to be a lot of other uses that I'm not so familiar with.
Hi Brian, you are right - a certificate is basically a public key with some text around. In order to use it, you need a private key. Just - another key pair comes into play - the CA that signed it. And if you trust that CA then you can trust the certificate.
@@OneMarcFifty So if you make a forgetry of this CERTIFICATE you should be im legal prosecution...but my wife ist Advisor, Barrister not my business 🤔
Big brother coming if we give all authority, to government with a blind trust. Trust is paramount. how many still have absolute trust in all that is government given their performance over the last 3 years, and still is ongoing to this day,
Hi, many thanks for your feedback. Please do however keep in mind that neither TLS certificates nor Certification Authorities have anything to do with the government - those are independent companies really.
@@OneMarcFifty all technology is created by DARPA n given to AWS GCP and Microsoft….GillBates moron couldn’t invent anything but the harvard dropout is a good story…
Excellent, there are not many well-explained X.509 certificate videos online, this is super valuable, and thank you for putting this series together, looking forward to the next one.
Thank you very much!
While I understand the certificates now, I should have had this video on my playlist ~5 years ago. This is excellent. I'll use your channel to recommend to my team - your IPv6 videos rock, so does your OpenWRT tutorials. Keep it up! Thanks for the effort.
Hi Robert, thank you very much!
What a coincidence! I was, this morning, looking at possibilities of using Certificates for authentication on SSH connection. And you start a new serie on Certificates right at that time!!! I'm SOOO looking forward to see the rest of the serie! Thanks!
Hi Alexandre - great minds think alike ;-)
Great content and presentation. Not only that, you just seem like a genuinely nice person. Subscribed.
Thank you sooo much Marc. This is easily one of the best explanations about certificates I’ve come across.
Besser als ich dachte
Man merkt, da hat man sicht richtig viel Mühe gegeben!
This is the best video so far about certificates. Thank you so much for the marvelous explanation. Nice job!
Nice! Marс, you have a talent to explain complex things in simple terms
Thank you very much Konstantin!
Thank you so much Marc. I think your explanation is the simplest and clearest one I've ever dealt with.
I don't see the time when you will public next episodes.
Hi Gabriele, it will be today - Monday at 5 PM Berlin time. the third episode will be next week, same time.
As a CS undergraduate, I found this video very interesting and easy to understand, appreciate your work man, you got a sub 👍
This is fantastic! Thank you for making the topic so easy to understand. Certificates are certainly something I struggle with a lot!
Hi Rodrigo - it was exactly the same for me until I bought a book on the topic ;-) All I do is share my learnings from it really ;-)
You did a great job explaining this while showing the video the whole process so everybody can follow all the use cases and security concerns. Thank you so much!
Glad it was helpful! Thank you so much!
Simply amazing! Looking forward to see an espisode on key management and distribution.
Amazing video, I am studying for my exam and this video helped me understand the process alot better!
I learned a lot from the info you provided. CA and CA. Best of the best. Thank you sir☺☺
Awesome, glad it could help ;-) Thank you !
YEEEEEEEEEEEEEEEESSSSSSSSSSS I just stumbled on this recently so now Im interested to learn it and behold, one of the greatest teaching channels on youtube drops a video on it perfect!
Awesome - many thanks ;-)
i've been looking for good explanation of that topic for a while. This is incredible good one. Thank you!
Glad you enjoyed it! Many thanks for the feedback!
Best video describing certificates that I have ever seen.
you are born to teach ! a great video and up to your usual, fantastically high standards... looking forward to the continuation of this series... many thanks Marc.
Hi Damien, thank you very much! the next episodes will come out next Monday(s) at 5 PM Berlin time ;-)
Really awesome explanation. I've watched many of these tutorials and this is the best.
Hi, thank you so much. I am glad that you liked it !
Marc my friend, this is an outstanding video! Wow, I wish I had seen this about 2 years ago. Now I totally understand certificates. Thank you so very much! You are an excellent teacher!
Great job again Marc ! I can't wait for the next episode on the keys management, I'm struggling with that for month.
Hi Thibault, what's your use case ? Do you want to manage keys for multiple people ? Have a look at OpenXPKI for example.
@@OneMarcFifty Hey Mark ! Thanks for your reply. I'm self learning certificates on a Mikrotik router and I try to figure out what key usage for which purpose. Can you give examples ?
Thank you for this , very helpful for my upcoming Cryptography exam!
Practical approach and clear as always. Thank you.
Thank you very much ;-)
Amazing class as usual Marc,
Thanks!!
Juan.
Hi Juan, many thanks!
Really great video. Loved the way he explained the entire process.
Excellent master class on certificates! Greetings from Guatemala
Great video Marc! Everything well explained and understandable and sometimes even funny :-) Thank you :-) Greetings from Prague, CZ ;-)
Excellent explanation! Thank you so much for the effort.
When is the next episode up? Tomorrow?
Excellent content as usual!
Thank you ;-) Next Monday !
Amazing video thanks for share all your knowledge, in this simple way, you makes look all so easy and simple...
My pleasure 😊 Glad you liked it!
Thank you so much, it's very clear now :)
You are a wonderful teacher
Hi Lakshamanan, thank you so much!
Thanks for the Cert series. Very helpfull!
His explanations are the best!
Really well done, thank you so much and kudos for your channel
Hi Luca, many thanks for the feedback!
Thanks. Now I understand TLS altogether.
Absolutely brilliant video, thank you
Awesome video, incredibly helpful, thankyou!
Excellent stuff Marc. Thanks!!!
Great video! I think maybe the audio cut out at 17:51 and comes back at 18:04? Or maybe it was my BT audio driver. I can't seem to confirm this afternoon. Loved the content either way!
I have a use case for self signed certificates. Old style FTP sends everything in clear text. If I configure my server with a certificate, it becomes a FTPS server like using a certificate turns HTTP into HTTPS. At times one only wants to avoid sending everything in an easily read form, on an internal network Self signed certs can be more a tool for privacy rather than the tight trust and security a bank or commercial business requires.
Hi Jeffrey, great use case - thanks for sharing ;-)
Finally i understand this, ehat incredible class!!
Dude well done. Put link to playlist or next video too please.
thx Mark... as always... high value information... 🙂;-)
Thank you very much ;-)
You saved me 200 USD. Thanks so much!
Great vid! I hope in the future you might want to explain how to use/setup SCEP and OCSP. I've been struggling to use openssl for signing certs for my WPA2 enterprise at home. It worked okay last year but this year my iOS phone does not want to trust the certificate while it does have the CA cert pushed and trusted via MDM.
Hi Joey, I might have a look into those - thanks for the hint ;-)
That bass is amazing
Thanks Conrad ;-)
great content! got a new suscriber! just commenting to contribute to the algortithm engagment thingy hehe
This was great - thanks!
Great content ! Thank you!
Well explained, I am getting more and more understanding of certificates. One point I do not understand is about X509 is the naming standard or what kind it is.
Certificate is a general word and so can have many meanings and take many forms. For example, a high school diploma is a certificate. "X.509" is the specific standard (set by the International Telecommunication Union/ITU) for certificates of this type and format. So while a "Certificate" can take any shape and form, a "X.509" certificate will only take a specific shape and form that makes it compatible anywhere X.509 certificates are used/accepted. X.509 is the standard used for SSL/TLS so any valid SSL certificate will be a X.509 compliant certificate.
Hi Marc! Excellent video as usual, thanks for the tidy knowledge!
Could you explain how to apply this solution to remote access OpenWrt?
Hi Danilo, you mean remote accessing the Web interface (LuCI) from the internet, correct? You would need a reverse proxy running on the router and requesting client Certificates for that.
Well done Marc… Danke schun…
Thanks this was really helpfull!
Hi Tim, glad it helped, many thanks!
Hi Tim, glad it helped, many thanks!
Hi Tim, glad it helped, many thanks!
Brilliant thank you.
Thanks Marc!
Awesome!!! thank you
well explained, thanks
I understood it clearly
that is amazing !
In the first part of the video where you download a certificate in chrome, you mention that you are downloading it in pkcs7 format. Is this format just the default in Chrome, or did you do something in Chrome to select the format?
Great video also. You just found yourself a new subscriber :-)
Hi, I just found it was easier to add to chrome in PKCS7 - you could use PEM full chain as well. Works easier with Firefox
Awesome, many thanks !!!
@@OneMarcFifty Thx for the reply. Is there any specific reason for this? I'm really confused about the different certificate and key formats, so I'm trying to learn what the differences are and what they are used for.
@@duskern It's historic mainly - different applications over time have used different formats. See this article here for a comparison comodosslstore.com/resources/a-ssl-certificate-file-extension-explanation-pem-pkcs7-der-and-pkcs12/
Hi, thanks for the video. I was following your instruction using XCA tool but it doesn't show the treeview for some reason. There is a plain view/tree view button but it doesn't show the tree view either. Not sure what I am doing wrong.
GREAT to say the least, watched so many videos but the concents u cleared, WoW. howcome this is all free ? any place I can donate ?
Please do video on Tailscale on OpenWRT
Hi, I usually do not make videos about 3rd party services. I will however make a video on WireGuard troubleshooting soon.
Hello,
Great video, you cover some topics that aren't covered very well in UA-cam. 2 questions I have:
1. What exactly is an X509 certificate? You never mention that explicitly. What are the other types of certificates?
2. In your "How Does LetsEncrypt Work" section, it's a little confusing how a CA verifies the host. How does a DNS lookup verify that the person who requests a certificate owns the domain? Can't I just go to the LetsEncrypt website and request a certificate for Google? How does a DNS lookup prove that the requester controls that IP?
(1) X.509 is ruled by RFC 5280. Alternate Certificates are e.g. PGP. In a nutshell an X.509 Cert is a public key plus some text around it (Issuer, purpose, Validity etc.) that is SIGNED with the private key of the CA. (2) There is no verification of the person, only the host. Let's say you request a cert for abcde.google.com from your host with IP x.x.x.x - Letsencrypt would then do a DNS Lookup for abcde.google.com - but as they won't get your IP in return (because you can't make an A entry in Google's DNS), they know that you are NOT in control of google.com.
@@OneMarcFifty So does that mean that the server that contains the website files (the host) must be the one to make the request for the certificate? In practice, I'd assume that someone would need to physically open a browser in the host, navigate to LetsEncrypt website and fill out their form? From what you've described I can't use my development computer to request a certificate for a server storing the website right?
That’s correct. The request needs to be made from the server that the DNS name points to. You could however copy that certificate to a server in your LAN wit the same name there.
8:49, Public key of R3 isn't stored on the onemarcfifty certificate to verify the signature on it. It's stored on it's own certificate which is a part of the certificate chain.
The private key of R3 is used to generate the signature present on the onemarcfifty certificate during the CSR. This signature can be verified using the public key present on R3 certificate during verification. Isn't this correct?
Csr has private and public key??? Does CA sign the certificate with servers private key? Or servers private and public key???
I've always thought of a certificate as being a public key (with private key optionally included, if you have it) that has additional "properties", including proof of who issued the certificate, and what the certificate can be used for. The whole topic of what a certificate can be used for is confusing. I know about web services and code signing, but there seems to be a lot of other uses that I'm not so familiar with.
Hi Brian, you are right - a certificate is basically a public key with some text around. In order to use it, you need a private key. Just - another key pair comes into play - the CA that signed it. And if you trust that CA then you can trust the certificate.
@@OneMarcFifty can you do a video on the certificate use property?
@@OneMarcFifty So if you make a forgetry of this CERTIFICATE you should be im legal prosecution...but my wife ist Advisor, Barrister not my business 🤔
I am sorry - I don’t really understand you. What is forgetry? What does Barrister mean?
@@OneMarcFifty i think he meant "forgery". Which isn't really possible. I didn't follow the rest either.
Except, you didn't choose PKCS#7, you chose PEM File.
I still don't get what a signature is 😅
Thompson Elizabeth Miller Patricia Davis George
Big brother coming if we give all authority, to government with a blind trust. Trust is paramount. how many still have absolute trust in all that is government given their performance over the last 3 years, and still is ongoing to this day,
Hi, many thanks for your feedback. Please do however keep in mind that neither TLS certificates nor Certification Authorities have anything to do with the government - those are independent companies really.
@@OneMarcFifty all technology is created by DARPA n given to AWS GCP and Microsoft….GillBates moron couldn’t invent anything but the harvard dropout is a good story…
I didnt understand a thing xD
Hold onto your hats, it's cash refund time
Too many adds
hi , can i contact you pls ?
No
@@rahulsingh-iq4gd No !!! 🤔
@@xyz3188 bhai sooja 😂