STEP 0: Lab Prep
↑ Worksheet Step 0.
Make sure you are viewing this page in Firefox, and do the lab in Firefox.
If not, close your browser and reopen this page in Firefox.
must be enabled.
Once the page is open in Firefox, do NOT refresh/reopen the page:
you will lose information you have already entered.
Create a directory named digCertLab on your
All files downloaded and created for this lab MUST be in this directory!
Open two Administrator command-prompt windows.
All commands for this lab MUST be entered and executed in these command-prompt windows.
DO NOT CLOSE THESE WINDOWS!
In the command-prompt windows, use the cd command to change directory to the digCertLab directory you just created.
In case you don't remember, it will be something like:
STEP 0.5: Instructor Demo
Sit tight and participate in this demo.
↑ Worksheet Step 0.5
STEP 1: Certificates and Trust
In a new Firefox tab, open
This is Navy Federal Credit Union's page.
Certainly we would like to be sure that this really is Navy
Federal's page before entering a username and password!
If a Bad Guy using a Man-In-The-Middle attack could
successfully pose as the Navy Federal website,
some very bad things could result.
- Click on the green lock icon in the left of the address bar.
- Click the Right Arrow and then the More Information button. You will see a pop-up box that tells you:
to whom you are connected, who verified this identity, and
that your communication is encrypted. It's the identity
and the verification of that identity that we care about.
That information comes to your browser as
a certificate (more precisely, a certificate using the X.509 standard).
The certificate certifies that the identity
www.navyfederal.org is associated with a particular public key.
Why? So that when you send data to navyfederal.org that has been encrypted with that public key,
you know the actual entity "www.navyfederal.org" is the only one who can decrypt the data.
But what makes you trust the certificate?
The idea is that there are Certificate Authorities,
entities that vouch for the validity of certificates by signing
them. When your browser was installed, it came with a list of Certificate
Authorities that it (and thus you) already trust -- but you can add or remove
You might be surprised at who you are currently trusting. Let's look!
Certificates that your browser is set to "trust" are
labeled with what exactly you trust them for; HTTPS
sessions, digitally signing e-mail, digitally signing
code, and issuing certificates are some examples.
Certificate authorities that your browser is set to trust to
are given essentially
Certificate authority TURKTRUST not so trustworthy
In January 2013, it was discovered that the
Certificate Authority TURKTRUST had accidentally issued a
certificate to a customer that stated that the
certificate was valid for issuing new certificates
— it should only have been valid for HTTPS sessions.
This certificate was then used to issue fraudulent
certificates for Google domain names, which allowed the
bad guys to carry out man-in-the-middle attacks.
krebsonsecurity.com has the story:
Turkish Registrar Enabled Phishers to Spoof Google.
- Click on the hot dog menu (three horizontal bars) on the right side of the Firefox toolbar.
- Click the Options button to open the options in a tab.
- Click Advanced in the navigation menu on the left.
- Click the Certificates panel.
- Click the View Certificates button.
- Click the Authorities tab.
In the display window you will see the list of Certificate Authorities that you are trusting.
- Scroll through the list and find a Certificate Authority that you are surprised you are (didn't expect to be) trusting. ← Worksheet Step 1. Part 2.
- Let's explore more details of the Navy Federal certificate. Reopen the Page Info dialog window.
- Click the View Certificate button.
- Explore the Certificate Viewer dialog window.
- Answer the following questions on the worksheet: ↓ Worksheet Step 1. Part 3.
- Who issued the certificate (Common Name)?
- When does the certificate expire?
- What algorithms are used as fingerprints (used as Integrity checks)?
The subject's Common Name is the real identity the certificate is about.
- You will now download an unknown certificate and look at it. Right click the following link, select Save Link As ..., navigate to your digCertLab directory, and save the certificate there: unknown certificate.
Examine the certificate by entering the following command in your command window:
openssl x509 -text -in ra37891_cert.pem
- Whose identity is this certifying? (look for the subject's Common Name)
- Who signed the certificate? (look for issuer's Common Name)
- What's fishy about this?
↑ Worksheet Step 1. Part 4.
STEP 2: How the Digital Certificate System Works
Under the hood, here's basically what happens:
Alice wants to connect via https to bob.org, which is Bob's server.
Alice trusts a Certificate Authority named Cedric.
All three of these - Alice, Bob, and Cedric - have public/private key pairs.
Alice, of course, has Cedric's public key, and she trusts it is authentic, because she trusts
that Certificate Authority.
- Bob submits to Cedric: proof of his identity, the domain name he wants a certificate for,
and his public key.
- After verifying Bob's identity, Cedric uses his own private key to encrypt the pair
(domain name, public key) ... which in this case is (bob.org, Bob's-public-key).
That encrypted "thing" is the actual certificate bob.org will use to prove its identity.
When Alice browses to bob.org, bob.org sends Alice its certificate:
(bob.org, Bob's-public-key), which has been encrypted with Cedric's private key.
Alice decrypts the certificate with Cedric's public key (remember,
Cedric is a Certificate Authority she trusts). She now has
(bob.org, Bob's-public-key). She knows Cedric must indeed have created
this certificate, because his private key is required to make something
decryptable by his public key.
Because she trusts Cedric,
Alice trusts that the public key in the certificate
really belongs to bob.org. She can then use it to send
data and ensure confidentiality.
The actual scheme used by X.509 is a little more complicated
than what we described, but conceptually the same.
↑ Worksheet Step 2.
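The Alice/Bob/Cedric exchange above, and the "who signed it, and what's fishy?" questions of Step 1 Part 4, as an added example that is not part of the lab page: a toy textbook-RSA certificate authority in Python, with the names Cedric, Bob and Mallory and the tiny Mersenne-prime keys constructed for illustration. It shows a genuine certificate checking out against Alice's trust list, while a swapped public key, an issuer Alice never trusted, and a certificate for the wrong name are each rejected.

```python
import hashlib
import json

# Toy textbook RSA from small Mersenne primes (constructed; real CAs use 2048-bit+ keys with padding).
def make_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # private exponent
    return (e, n), (d, n)                   # (public key, private key)

def digest(tbs: dict) -> int:
    # Real X.509 signs a hash of the to-be-signed fields; 64 bits stays below every modulus used here.
    data = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

def issue_certificate(ca_name, ca_private, subject, subject_public):
    # Cedric "encrypts" (signs) the (domain name, public key) pair with his private key.
    tbs = {"subject": subject, "public_key": list(subject_public), "issuer": ca_name}
    d, n = ca_private
    return dict(tbs, signature=pow(digest(tbs), d, n))

def verify_certificate(cert, hostname, trusted_cas):
    # Alice's checks: trusted issuer, signature opens with that issuer's public key, name she typed.
    ca_public = trusted_cas.get(cert["issuer"])
    if ca_public is None:
        return "untrusted issuer"
    e, n = ca_public
    tbs = {k: v for k, v in cert.items() if k != "signature"}
    if pow(cert["signature"], e, n) != digest(tbs):
        return "bad signature"
    if cert["subject"] != hostname:
        return "name mismatch"
    return "ok"

CEDRIC_PUB, CEDRIC_PRIV = make_keypair(2**61 - 1, 2**31 - 1)    # the CA Alice trusts
BOB_PUB, _BOB_PRIV = make_keypair(2**89 - 1, 2**19 - 1)          # bob.org's key pair
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**107 - 1, 2**17 - 1)  # a CA Alice never trusted
TRUSTED_CAS = {"Cedric": CEDRIC_PUB}   # Alice's browser "Authorities" list

def run_scenarios():
    genuine = issue_certificate("Cedric", CEDRIC_PRIV, "bob.org", BOB_PUB)
    # A man-in-the-middle can swap in another key but cannot re-sign as Cedric.
    tampered = dict(genuine, public_key=list(MALLORY_PUB))
    # The "fishy" case from Step 1: a certificate for bob.org signed by an unknown authority.
    rogue = issue_certificate("Mallory", MALLORY_PRIV, "bob.org", MALLORY_PUB)
    return {
        "genuine": verify_certificate(genuine, "bob.org", TRUSTED_CAS),
        "tampered": verify_certificate(tampered, "bob.org", TRUSTED_CAS),
        "rogue": verify_certificate(rogue, "bob.org", TRUSTED_CAS),
        "wrong_host": verify_certificate(genuine, "bank.example", TRUSTED_CAS),
    }
```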
STEP 3: Certificates at the Academy
↑ Worksheet Step 7.
- Using Chrome, go to:
- Open the Web Developer Console by pressing:
- Select the Security tab.
- Review the connection information and answer the questions on your worksheet.
OPTIONAL STEP ∞: Your Personal Certificates
NOTE: THIS STEP CAN ONLY BE COMPLETED IF YOU KNOW YOUR CAC PIN. If you do not, then skip it.
Using Chrome, and without your CAC card, visit one or all of the following
Did that work? What was the website looking for?
You need to use DoD issued personal certificates!
To learn about your own digital certificates on your CAC card, perform the
Insert your CAC card in the card reader slot on your laptop.
Double click on the gray and blue ActiveClient Agent - Smart Card Inserted
icon in the lower right portion of your screen.
Click on My Certificates and then you should see your certificate. You probably only have one. When you are commissioned, you will probably have two more added to use with digitally signing and encrypting email. The one certificate you do have allows you to access protected DoD and Navy websites, like those above.
Right click on the certificate and select View to see what information that certificate stores.
Now that your CAC has been inserted to the card reader, your certificate
has been loaded into the browser and is ready for use. To see this, close
Chrome, reopen it, and try to visit any of the sites again (NOTE: The
https://www.portal.navy.mil site can be finicky and slow). This time you
should be prompted to select one of your digital certificates from your CAC
card. Select one (EMAIL certificate is usually best) and you should be
prompted next to enter your CAC PIN. If you know your PIN, type it, and you
will get access to the sites. If you do not know your PIN, you cannot get to
the site. The site requires two-factor authentication: something you have
(your CAC card) and something you know (your CAC PIN)!
To see your certificates in Chrome's certificate list, go to Chrome's
Options --> Under the Hood. Scroll down to HTTPS/SSL and click on Manage
certificates...select the tab for Personal and you will see your CAC
certificates there. The Intermediate Certificate Authorities tab should show
a bunch of DOD certificates - those are also needed to get to DoD sites and
are part of the chain of trust from DoD root certificates down to your DoD
issued personal certificate!