Fonts matter.
This is an i (lower case letter)
This is a  1 (Arabic numeral)
This is an l (lower case letter)
This is an I (upper case letter)

STEP 0: Lab Prep

  1. Make sure you are viewing this page in Firefox, and do the lab in Firefox!
    If not, close your browser and reopen this page in Firefox.
    This page uses forms in which you will enter values, so JavaScript must be enabled.
    Once the page is open in Firefox, do NOT refresh/reopen the page: you will lose information you have already entered.
  2. Create a directory named digCertLab on your Desktop. All files downloaded and created for this lab MUST be in this directory!
  3. Open two Administrator command-prompt windows.
    All commands for this lab MUST be entered and executed in these command-prompt windows.
    DO NOT CLOSE THESE WINDOWS!
    In the command-prompt windows, use the cd command to change directory to the digCertLab directory you just created.
    In case you don't remember, it will be something like:
    cd c:\users\mxxxx\desktop\digcertlab
 ↑ Worksheet Step 0. 

STEP 0.5: Instructor Demo

Sit tight and participate in this demo.

 ↑ Worksheet Step 0.5 

STEP 1: Certificates and Trust

In a new Firefox tab, open https://www.navyfederal.org.
This is Navy Federal Credit Union's page. Certainly we would like to be sure that this really is Navy Federal's page before entering a username and password! If a Bad Guy using a Man-In-The-Middle attack could successfully pose as the Navy Federal website, some very bad things could result.
  1. Click on the green lock icon in the left of the address bar.
    [Screenshot: Firefox View Certificate - 01]
  2. Click the Right Arrow and then the More Information button. You will see a pop-up box that tells you: to whom you are connected, who verified this identity, and that your communication is encrypted. It's the identity and the verification of that identity that we care about. That information comes to your browser as a certificate (more precisely, a certificate using the X.509 standard).
    [Screenshot: Firefox View Certificate - 02]

    The certificate certifies that the identity www.navyfederal.org is associated with a particular public key.
    Why? So that when you send data to navyfederal.org that has been encrypted with that public key, you know the actual entity "www.navyfederal.org" is the only one who can decrypt the data.

    But what makes you trust the certificate?

    The idea is that there are Certificate Authorities, entities that vouch for the validity of certificates by signing them. When your browser was installed, it came with a list of Certificate Authorities that it (and thus you) already trust -- but you can add or remove authorities.

    You might be surprised at who you are currently trusting. Let's look!
  3. Certificate authority TURKTRUST not so trustworthy
    Certificates that your browser is set to "trust" are labeled with exactly what you trust them for: HTTPS sessions, digitally signing e-mail, digitally signing code, and issuing certificates are some examples. Certificate authorities that your browser trusts to issue certificates are given essentially unlimited trust.

    In January 2013, it was discovered that the Certificate Authority TURKTRUST had accidentally issued a certificate to a customer that stated the certificate was valid for issuing new certificates; it should only have been valid for HTTPS sessions. This certificate was then used to issue fraudulent certificates for Google domain names, which allowed the bad guys to carry out man-in-the-middle attacks. The blog krebsonsecurity.com has the story: Turkish Registrar Enabled Phishers to Spoof Google.

    Click on the hot dog menu (three horizontal bars) on the right side of the Firefox toolbar.
  4. Click the Options button to open the options in a tab.
    [Screenshot: Firefox Options]
  5. Click Advanced in the navigation menu on the left.
  6. Click the Certificates panel.
  7. Click the View Certificates button.
  8. [Screenshot: Firefox Advanced Certificate]
  9. Click the Authorities tab.
    [Screenshot: Firefox Certificate Authorities]

    In the display window you will see the list of Certificate Authorities that you are trusting.

  10. Scroll through the list, find a Certificate Authority that you are surprised you are (didn't expect to be) trusting.  ← Worksheet Step 1. Part 2. 
  11. Let's explore more details of the Navy Federal certificate. Reopen the Page Info dialog window.
    [Screenshot: Firefox View Certificate - 02]
  12. Click the View Certificate button.
    [Screenshot: Firefox View Certificate - 03]
  13. Explore the Certificate Viewer dialog window.
    [Screenshot: Firefox View Certificate - 04]
  14. Answer the following questions on the worksheet:  ↓ Worksheet Step 1. Part 3. 
    • Who issued the certificate (Common Name)?
    • When does the certificate expire?
    • What algorithms are used as fingerprints (used as Integrity checks)?

    The subject's Common Name is the real identity the certificate is about.

  15. You will now download an unknown certificate and look at it.

    Right click the following link, select Save Link As ..., navigate to your digCertLab directory, and save the certificate there: unknown certificate.

    Examine the certificate by entering the following command in your command window:

    openssl x509 -text -in ra37891_cert.pem
    • Whose identity is this certifying? (look for the subject's Common Name)
    • Who signed the certificate? (look for issuer's Common Name)
    • What's fishy about this?

     ↑ Worksheet Step 1. Part 4. 

STEP 2: How the Digital Certificate System Works

Under the hood, here's basically what happens:
Alice wants to connect via https to bob.org, which is Bob's server.
Alice trusts a Certificate Authority named Cedric.
All three of these - Alice, Bob, and Cedric - have public/private key pairs. Alice, of course, has Cedric's public key, and she trusts it is authentic, because she trusts that Certificate Authority.
  1. Bob submits to Cedric: proof of his identity, the domain name he wants a certificate for, and his public key.
  2. After verifying Bob's identity, Cedric uses his own private key to encrypt the pair (domain name, public key) ... which in this case is (bob.org, Bob's-public-key). That encrypted "thing" is the actual certificate bob.org will use to prove its identity.
  3. When Alice browses to bob.org, bob.org sends Alice its certificate: (bob.org,Bob's-public-key) which has been encrypted with Cedric's private key.
  4. Alice decrypts the certificate with Cedric's public key (remember, Cedric is a certificate Authority she trusts). She now has (bob.org,Bob's-public-key). She knows Cedric must indeed have created this certificate, because his private key is required to make something decryptable by his public key.
  5. Because she trusts Cedric, Alice trusts that the public key in the certificate really belongs to bob.org. She can then use it to send data and ensure confidentiality.
The actual scheme used by X.509 is a little more complicated than what we described, but conceptually the same.
 ↑ Worksheet Step 2. 
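The Alice / Bob / Cedric flow of STEP 2 worked through in code, as an added example that is not part of the lab page. It uses textbook RSA on fixed Mersenne primes (constructed toy sizes, far too small for real keys) and hash-then-sign, which is what "encrypt the pair with Cedric's private key" stands for in real X.509. Alice, Bob, Cedric and bob.org come from the page; Mallory the man-in-the-middle and every function name here are assumptions.

```python
import hashlib
CEDRIC_PRIMES = (2**107 - 1, 2**127 - 1)   # trusted Certificate Authority (constructed toy primes)
BOB_PRIMES = (2**61 - 1, 2**89 - 1)        # owner of bob.org
MALLORY_PRIMES = (2**521 - 1, 2**607 - 1)  # hypothetical man-in-the-middle, not a trusted CA

def make_keypair(p, q, e=65537):
    """Textbook RSA from two given primes: public key (n, e), private key (n, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # e must be coprime to phi(n); holds for the primes above
    return (n, e), (n, d)

def tbs_bytes(domain, pub):
    """The 'to-be-signed' content: the (domain name, public key) pair from STEP 2."""
    return f"{domain}|{pub[0]}|{pub[1]}".encode()

def hash_to_int(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    """CA step: hash the content, then apply the private key (the page's 'encrypt with Cedric's private key')."""
    n, d = priv
    return pow(hash_to_int(msg, n), d, n)

def verify(pub, msg, sig):
    """Browser step: apply the CA's public key and compare with a fresh hash of the content."""
    n, e = pub
    return pow(sig, e, n) == hash_to_int(msg, n)

def issue_certificate(ca_priv, domain, subject_pub):
    """What Cedric hands back to Bob: the pair plus Cedric's signature over it."""
    return {"domain": domain, "pub": subject_pub, "sig": sign(ca_priv, tbs_bytes(domain, subject_pub))}

def browser_accepts(trusted_ca_pub, expected_domain, cert):
    """Alice's check: the name matches and the signature verifies under a CA she already trusts."""
    content = tbs_bytes(cert["domain"], cert["pub"])
    return cert["domain"] == expected_domain and verify(trusted_ca_pub, content, cert["sig"])

def run_scenario():
    # Bob's genuine certificate versus what a man-in-the-middle can present to Alice.
    cedric_pub, cedric_priv = make_keypair(*CEDRIC_PRIMES)
    bob_pub, _bob_priv = make_keypair(*BOB_PRIMES)
    mallory_pub, mallory_priv = make_keypair(*MALLORY_PRIMES)
    bob_cert = issue_certificate(cedric_priv, "bob.org", bob_pub)
    fake_cert = issue_certificate(mallory_priv, "bob.org", mallory_pub)  # signed by an issuer Alice does not trust
    tampered = dict(bob_cert, pub=mallory_pub)                           # Mallory's key swapped into Bob's cert
    return {
        "genuine": browser_accepts(cedric_pub, "bob.org", bob_cert),
        "untrusted_issuer": browser_accepts(cedric_pub, "bob.org", fake_cert),
        "key_swapped": browser_accepts(cedric_pub, "bob.org", tampered),
        "wrong_name": browser_accepts(cedric_pub, "alice.org", bob_cert),
    }
```

Only the genuine certificate passes; the fake one fails exactly like the "fishy" certificate in STEP 1, whose issuer is not in the browser's trusted list.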

STEP 3: Certificates at the Academy

  1. Using Chrome, go to: https://gozer.usna.edu.
  2. Open the Web Developer Console by pressing: Ctrl-Shift-J
  3. Select the Security tab.
  4. Review the connection information and answer the questions on your worksheet.
 ↑ Worksheet Step 7. 

OPTIONAL STEP: Your Personal Certificates

NOTE: THIS STEP CAN ONLY BE COMPLETED IF YOU KNOW YOUR CAC PIN. If you do not, then skip it.
Using Chrome, and without your CAC card, visit one or all of the following sites: Did that work? What was the website looking for?

You need to use DoD-issued personal certificates! To learn about your own digital certificates on your CAC card, perform the following steps.

  1. Insert your CAC card in the card reader slot on your laptop. Double click on the gray and blue ActivClient Agent - Smart Card Inserted icon in the lower right portion of your screen. Click on My Certificates and you should see your certificate. You probably only have one. When you are commissioned, you will probably have two more added, to use for digitally signing and encrypting email. The one certificate you do have allows you to access protected DoD and Navy websites, like those above. Right click on the certificate and select View to see what information that certificate stores.
  2. Now that your CAC has been inserted into the card reader, your certificate has been loaded into the browser and is ready for use. To see this, close Chrome, reopen it, and try to visit any of the sites again (NOTE: the https://www.portal.navy.mil site can be finicky and slow). This time you should be prompted to select one of your digital certificates from your CAC card. Select one (the EMAIL certificate is usually best) and you should next be prompted to enter your CAC PIN. If you know your PIN, type it, and you will get access to the sites. If you do not know your PIN, you cannot get to the site. The site requires two-factor authentication: something you have (your CAC card) and something you know (your CAC PIN)!
  3. To see your certificates in Chrome's certificate list, go to Chrome's Options --> Under the Hood. Scroll down to HTTPS/SSL and click on Manage certificates..., then select the Personal tab and you will see your CAC certificates there. The Intermediate Certification Authorities tab should show a bunch of DoD certificates; those are also needed to get to DoD sites and are part of the chain of trust from the DoD root certificates down to your DoD-issued personal certificate!