In the times of the NSA, Snowden and company, who made us realize even more that the internet is not just a nice place to safely watch YouTube videos, here is what you need to know about an SSL certificate, a CRT and a CSR, at the top level of the subject.
What are those files ending in CRT, CSR and key?
It is important to understand that certificate files identify the resource you are visiting. If the certificate and the resource do not match, which mainly means that the host name in the URL you typed into your web browser and the name inside the certificate are not the same, the browser shows a warning that the “thing” you are talking to is not what it claims to be.
Imagine that the web page of your bank could be copied by anyone, and only after you have handed Mr. X your username and password do you realize that this is not your bank after all. Bad things are going to happen, very fast.
Here’s an example: when I visit my PBX interface, the FQDN company.3cx.eu returns a certificate whose “Issued to:” field carries the same name as the website I am currently visiting (modern browsers take this name from the certificate’s Subject Alternative Name field rather than from the Common Name). Other certificates may instead cover *.3cx.eu (called wildcard certificates); such a certificate covers any single label in front of the 3cx.eu part, i.e. everything up to the next dot, so company.3cx.eu is covered but a.company.3cx.eu is not.
The second part of the certificate shown is “Issued by”, and here lies the big difference between self-signed certificates and certificates from publicly trusted issuers (like GoDaddy, VeriSign, GeoTrust…). With a self-signed certificate I am judge, jury and executioner, and nothing stops me from claiming to be whoever I want to be. But since “the issuer” of that certificate is not known to anyone except me, nobody will trust it, which causes those nice red browser warnings…
Self Signed vs Real Deal…
Now assume I am bank-of-stefan.com and I own the domain bank-of-stefan.com. How can I build trust with my clients (the same question decides whether your IP phones trust your PBX or not…)? Well, self-signed is out of the window (just as it is for remote provisioning of an IP phone…).
I need to get a certificate from an issuer which is known and trusted, and which carries the burden of validating that I AM really the owner of bank-of-stefan.com and then passes that trust on to you. So what do I need from this “issuer”? A certificate. But what steps do I need to take to get one?
Now we will look at the private key and the certificate signing request (CSR). This is the most complicated part. Think of the certificate as your home address (the PBX FQDN is your address) and of the private key as the key that opens your front door. Without the key you can see my house but nothing more. In computer terms, whoever holds this key can act as the server: prove to clients that it is the rightful holder of the certificate and, depending on the cipher suite, decrypt the traffic to and from it. And the issuer guarantees that I have not given you a fake address where you should drop off your money…
My key, my precious key…
So to begin, we need to create such a key, and this key must remain confidential. Next I need a certificate linked to this precious private key, and that certificate comes from an issuer outside of my control. If I handed them my key, they could take control of my traffic. Bad idea.
My sort of key…
Here is where the CSR comes into play. The CSR (certificate signing request) is built against my key and has only a temporary use. If you have never generated such a key or a CSR, don’t worry, we have you covered: download this little tool, which creates both for you: CSR Generator
Inside this CSR is the FQDN for which I want to be trusted by my clients. The CSR contains only the public half of the key pair plus a signature made with the private key, so the private key itself never has to leave my machine. Next step: I send the CSR to the issuer. Based on the FQDN inside the CSR, and some validation performed by the issuer (most likely some money changes hands), the issuer returns a certificate and thereby guarantees that the party holding this certificate together with the matching private key (which never left my PC) is the real owner of the domain…
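The whole key → CSR → certificate flow described above, as an added example that is not part of the original article and is not 3CX’s CSR Generator: it uses plain openssl commands, adds the two checks worth running before a CSR is sent off (the CSR signature verifies, and its public key really belongs to the key file you kept), and then exercises the hostname and wildcard matching a browser performs. It assumes openssl 1.1.1 or newer on the PATH; bank-of-stefan.com and *.3cx.eu are the article’s illustrative names, and the file names and temp directory are made up for the example. The self-signed step stands in for a real issuer only so that the checks can run offline.

```shell
#!/bin/sh
# Added example for this article (not 3CX's CSR Generator): the key -> CSR ->
# certificate flow with plain openssl, the two checks worth doing before a CSR
# is sent off, and the hostname matching a browser performs on the result.
# Assumptions: openssl 1.1.1+ on PATH; bank-of-stefan.com and *.3cx.eu are the
# article's illustrative names; all files go to a temp directory.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Minimal request config: $1 = file basename, $2 = CN, $3 = subjectAltName
# list. The SAN entries are what browsers actually compare against the URL.
write_req_config() {
    cat > "$WORK/$1.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = ext
[ dn ]
CN = $2
[ ext ]
subjectAltName = $3
EOF
}

# Step 1: the private key. It never leaves this machine; mode 600.
make_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null
    chmod 600 "$WORK/$1.key"
}

# Step 2: the CSR, signed with the key, carrying the names we want certified.
# It holds only the public key, so it is the one thing sent to the issuer.
make_csr() {
    openssl req -new -key "$WORK/$1.key" -config "$WORK/$1.cnf" \
        -out "$WORK/$1.csr"
}

# Check a: the CSR's self-signature verifies, i.e. it was made with a key we hold.
csr_signature_ok() {
    openssl req -in "$WORK/$1.csr" -noout -verify >/dev/null 2>&1
}

# Check b: the public key embedded in the CSR is the one derived from our key
# file, so the certificate the issuer returns will pair with the key we kept.
csr_matches_key() {
    [ "$(openssl req -in "$WORK/$1.csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/$1.key" -pubout)" ]
}

# Step 3 stand-in: a real issuer signs the CSR with its own CA key. Here we
# self-sign so the name checks run offline; a browser would warn on this.
self_sign() {
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
        -extfile "$WORK/$1.cnf" -extensions ext -out "$WORK/$1.crt" 2>/dev/null
}

# Does hostname $2 match certificate $1? Same rules a TLS client applies:
# exact SAN entry, or a wildcard that stands for exactly one label.
name_matches() {
    openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$2" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

# Build the bank's certificate and a wildcard one like the PBX example.
build_all() {
    write_req_config bank bank-of-stefan.com \
        "DNS:bank-of-stefan.com,DNS:www.bank-of-stefan.com"
    write_req_config pbx "*.3cx.eu" "DNS:*.3cx.eu"
    for n in bank pbx; do
        make_key "$n"
        make_csr "$n"
        self_sign "$n"
    done
}

build_all
for chk in csr_signature_ok csr_matches_key; do
    if "$chk" bank; then echo "$chk: ok"; else echo "$chk: FAILED"; fi
done
for pair in bank:www.bank-of-stefan.com bank:mail.bank-of-stefan.com \
            pbx:company.3cx.eu pbx:deep.company.3cx.eu pbx:3cx.eu; do
    crt=${pair%%:*}; host=${pair#*:}
    if name_matches "$crt" "$host"; then
        echo "$host matches the $crt certificate"
    else
        echo "$host does NOT match the $crt certificate"
    fi
done
```

Run it as a script and compare the CSR check output with what your own CSR Generator produced: if `csr_matches_key` fails, the CSR was built against a different key than the one on disk and the certificate the issuer sends back will be useless. The name loop shows the wildcard rule from above: company.3cx.eu matches *.3cx.eu, while deep.company.3cx.eu and the bare 3cx.eu do not.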
Elastix 5 includes a valid SSL certificate at no cost
Elastix 5, powered by 3CX and working with Let’s Encrypt, can provide trusted security certificates to its customers. By managing this process, which can be time-consuming and costly, 3CX provides an inestimable service at no cost to its partners and end users. Users get their certificates delivered automatically and immediately; it is no longer necessary to work with third-party certificate providers, who can take days and even weeks to deliver a certificate.
What’s more, the user is assured that the certificate is of the highest quality in the industry: the Let’s Encrypt CA is cross-signed by IdenTrust, a company that already runs a long-standing and trusted CA, so browsers and phones trust its certificates out of the box. Let’s Encrypt is also sponsored by some of the best-known names in the software industry.