I gotta say... I've been through some websites and videos trying to explain certificates. But this is the one video that explains it in the simplest and most understandable manner.
I know I'm 5 years late, but if you want simple and understandable, another person to look into is Sunny's Classroom. I haven't checked his video on certificates yet, but everything I've watched from him has clarified my confusion immensely, and his comments section is full of people saying the same thing. Just so that you have another source to go to for good informative videos :)
Love the training series. It's really taken everything and put it into baby steps so that anyone, even if they aren't particularly from the IT field, can easily understand these concepts. This goes for all of your videos, I love watching them all.
Thank you! Have been using certificates for years now without really knowing how this Trust Model works. Now that I know how it works I can use certificates with more confidence.
*(Updated)* 5:09 The hash is put through (what is known to be) the Public key, actually. In this case, that kind of key is kept private. The asymmetric key pair actually works both ways: anything encrypted with any (really, any) of two keys, can be decrypted with another key in the pair. And vice versa! Typically, one does not want 3rd party to know the secret, thus one of keys in pair is sought to be used for encryption and is given to public, labelled "Public". The other key is kept (and labelled) P/private and is sought to be used for decryption in mind, so only destination can decrypt the message. But one can use Private key also to encrypt. And encrypted result can only be then decrypted with "Public key". Why would one want to encrypt something which anyone can decrypt? With certificates, this is apparently the situation, when signing hash. Authority wants anyone to be able to decrypt, but not to encrypt.
itfreetraining Update: Apparently it works both ways. Anything encrypted with one key can be decrypted with another. And vice versa. But there is usually no sense in encrypting something with secret key - to give it away, when everyone can decrypt that with public key. Certificates apparently are an exception.
No, that hash is put through the private key. The purpose of the digital signature is not to provide confidentiality of the data, but non-repudiation. If you know how public key cryptography works, data that is encrypted with one key can only be decrypted by the other. So if the hash is encrypted with the private key, only the public key can be used to decrypt it. Therefore, if the hash is able to be decrypted with the server's public key, we know that the server's private key MUST have been used to encrypt it in the first place. This provides a way to prove that the message truly came from the server, as only the server has its private key, and thus nobody else should be able to encrypt a message that is able to be decrypted by that public key. It's called authentication, look up HMAC if you want to know more about this topic.
If you have a look at the maths behind it, there is no such thing as a private and public key. You use one key to encrypt; the other key is used to decrypt. When the keys are created one key is called private and one called public to make it simple for us to use. Have a look in the video at 5:57. Change hash to the certificate. What do you have? You have a private key that is used to create a digital signature. The digital signature can be used with the public key to get the certificate. One key encrypts, one decrypts. This is really bad, as it breaks the security. Since you now have something known by both sides, you can reverse the process and get the private key. So how do you get around this? What you need is something known by both sides that does not break security. What you do is you create a hash of the certificate. A hash function is a one way process and cannot be reversed. You cannot get the certificate from the hash value. Same way you can't tell anything about a person from their fingerprints, but it is unique to that person. So the digital signature and hash are used to verify the certificate is authentic. Both sides can create a hash of the certificate giving them a shared value. But only the side with the private key can create a digital signature using the hash. If someone were to reverse the encryption, they can't get the private key. They will only be able to get the hash, which is public anyway. Only someone with the private key can create the digital signature. This is how digital signatures work.
jeet the keys are really "asymmetrical" keys, like itfreetraining said. One can be used for encryption - only other can decrypt - and also in opposite direction. When using a typical scheme for "private"-"public", "public" is called a key used to encrypt data and is given to all (hence public). The "private" is called other key in pair, which is used to decrypt data and kept private. These words are to simplify concept and prevent exposure of private key due to confusion. However, in case of certificate authority, it wants others to decrypt stuff - not to hide secret, but to show secret thus prove identity to anyone - hence it gives away publicly what would be called a "private key" (decrypt), and keeps what would be called "public key" (encrypt). Those are clearly just labels, but very important labels. Hence my understanding why some switched to different wording - saying "open key" and "closed key" instead of "private"/"public", to eliminate confusion. I know key pairs and ssh handshake, spent whole week finding exact infos to properly configure sshd. :) This video was very helpful to understand certificate authentication.
At the end of the video, you suggest that the Root CA cert has to be installed on the laptop, this will require the Root CA to be online... So how does that work?
Let's see if I understood this, please. When accessing a web site, your computer downloads the cert from the site and then determines if it can be trusted based on the cert authority or who issues it. If trusted, your computer uses the public key for that domain? to encrypt. The web server on particular domain can decrypt using the private key. That forms the secure SSL channel. Sound good or not?
Very well explained, thanks a lot. I have a question related to intermediate CA: when we get an SSL certificate through an ICA, do we need to include the ICA certificate while installing it in the web server? If we install only our SSL cert, got through the ICA, will the web browser trust our SSL cert without the ICA cert? I mean, is the Root CA able to identify certificates generated by ICAs under them without a separate ICA? And the other question is, do web browsers and client applications behave in the same manner in this regard?
So can people who make the certificates track what you do online? Where I attend, it comes up with the following screen at 11:49 on your video. The IT tells peers to download a .cer file from their website. When I install the .cer , can it have some vulnerability or negative impact to me when I install and trust their certificate on my computer, for instance, when I am at home can it track stuff or do other harmful things???
Tell me if this is right: If I wanted to start my own certificate issuing authority, I would only be able to serve computers being manufactured from now on since I have to have my root trust pre-installed on the OS? For computers already in existence and in use, it's too late, they'll never trust me since they have no internal record of me. Is that right?
+Raphi Stein From what the video has told me, you need to install the root CA certificate on any computer that you want to trust the child certificates for. So, for computers already in existence and use, you would need to install the Root CA certificate. If anyone else wouldn't mind chiming in, if I am right, this would help solidify my understanding of the topic.
+Raphi Stein Certificates work off trust, so unless the computer trusts the CA it will not be able to use the certificate. In Active Directory Certificate Services the trust that is created when the computer is joined to the domain is used to issue certificates to the computer. With a standalone CA, you need to get the certificate on the computer so it will trust the issuing CA. If you are using a commercial CA, chances are the root certificate is already pre-installed on Windows.
How do I Renew my Certificate? When I try to give out my Email Address on the internet I get "Invalid Email Address". I know my Certificate went Out of Date this month (Sept 2014). I am on Vista. So, can you please tell me how to Renew My Certificate or Certificates? Thanks
At time 5:09 of the video. Shouldn't the digital signature be made using the Public Key of the Certificate and not Private Key. Also, shouldn't the Private Key be used to get the original Hash Value back to check if the Certificate is not altered.
Ok, let's say the public key is used to create the digital signature. Who has the public key? Everyone. So this does not prove anything. So you need to use something that only the person whose identity you are trying to prove has. Which is the private key. To think of it easier, think of it as two keys. We label each key public and private to make it simple. But it works like this. Use K1 to encrypt. Use K2 to decrypt. Or you can do this. Use K2 to encrypt. Use K1 to decrypt. Easy, whichever key is used to encrypt, use the other to decrypt. So, it would seem that all you would need to do is encrypt a known value with the private key. For example the person's name. If you decrypt this with the public key you would get the person's name, so this would seem to be the easier way to do digital signatures. But we don't do it that way, why? The problem is that if you know the data, public key and the encrypted data, you have enough information now to determine what the private key is. So, to get around this, we use a hash function. We hash some known data that both sides have, in this case the certificate as both parties have it, then we encrypt this hash with the private key making a digital signature. The digital signature can be decrypted with the public key giving us the hash. Now if we put the certificate through the hash function, if both are the same the digital signature has been validated. Since we have put a one way function in the process, we can no longer get the private key. It is a complicated process, but it is done that way to identify that the person who created the digital signature has the private key and make it so you can't go backwards and get the private key.
So does this mean that a Certificate has its own pair of Public and Private Keys and these don't function as Public Key Encryption technique to create Digital Signature. One is for encrypting the data (the Private Key) and the other is for decrypting the data (the Public Key). As in the Public key Encryption only the Private key can be used to decrypt the data. Just two separate keys for encrypting and decrypting.
Think of a certificate as a file that contains data. It contains keys that are used for certificates and fields that contains data. On your computer, you will have a certificate that contains your private and public keys. You want to keep this safe. However, people need to have your public key. So, you create a certificate that contains your public key only. You give this certificate to everyone and keep it for yourself also. So, you put your certificate containing the public key through a hashing. Then use your private key to create a digital signature. When someone wants to verify it is you, they get this digital signature and apply the public key to it. The public key is in the certificate you gave to everyone. They then get the certificate and hash it. The value should be the same and thus your identity is verified. When you attempt to export a certificate from your computer, you have the option to export the certificate with or without the private key. When you export it with the private key it will ask for a password to be applied. You never want to give out a certificate to the general public that contains your private key.
In reality, as long as you use the other key to decrypt, either key can be used to encrypt. So if you use the public key to encrypt you need the private key to decrypt. If you use the private key to encrypt you would need the public key to decrypt. The public key is shared and the private is kept secret.
@3:37 I am confused... you said that public key is used to encrypt the data and private key is used to decrypt data? Shouldn't it be the opposite? Because private key is not shared with others... it is private... and therefore how can it be possible for others to decrypt with it?
All the certificates at any level have public and private keys. The private keys are used to create sub CAs, however once this process is done the private key is no longer needed. Thus, to protect the private key the CA is removed from the network. Sub CAs are still issuing certificates and encryption keys etc. and thus can't be taken offline.
+Bahaa Khateib Thank you very much! We strive to provide the best IT training videos for free so we're more than happy to hear you believe we did a great job.
CA encrypts public key of certificate by its own private key to make digital signature. It doesn't encrypt hash value of message to create digital signature.
I need help, I lost my laptop in an accident and I am left with my external hard drive that has encrypted files in it. The issue is I didn't do backups of those files or the Windows certificates of those encrypted files.
Unfortunately, if you don't have access to the private key to decrypt the data then recovery is exceedingly difficult. Assuming the laptop was the only location of the files and certificates, then it is likely that the data will be irrecoverable.
Amazing Video.. So simple explanation to understand and still the topic relevant to me after these many years.. Thank you very much for this.. Subscribed.! :-)
It is almost understandable. But... still many questions left unanswered and without any example. 1. Where does the computer get the public key to check digital signatures from? 2. Why does the computer have to have a certificate from the organisation which issued the certificate? Why is the user certificate not enough? 3. How does the computer know the exact algorithm to compute the certificate hash? Which hashing algorithm to use to get the hash which is digitally signed? 4. How does the root certificate verify lower level user certificates? 5. What if the browser or other application is altered by malware to disable the checking of any certificates? A certificate will not help if an app does not check them before executing the code. 6. Why can't XXX hacker malware install their own certificate to your local OS (undetectable) so that your computer OS starts to trust all the certificates issued by XXX hacker? And many other questions. Can you offer a link or a book that explains digital certificates in more detail and with examples?
1. On Windows, open certmgr from control panel. This will show the certificates installed on the computer. Certain certificates are installed by default on Windows. 2. Using the certificates installed locally, it can check any certificate the computer downloads and confirm that it is part of that certificate hierarchy. That is, it was issued under the root certificate, the one you have installed on your computer. 3. This information is in the certificate. 4. Certificates are issued by a certificate authority. They come under the root certificate and are essentially mathematically chained to the certificate authority above it. A user would not generate their own certificate, they would get one issued from a certificate authority. Using the root certificate, they can verify the certificate is part of that hierarchy. 5. Certificates are used for secure channels. For example, for HTTPS. It could be possible I guess for malware to disable this somehow, making your connection insecure. If this were to occur, the server could just reject the connection. 6. Yes, a hacker could do this.
but the root CA can't just install the certificate on the client browser automatically, how does it work? does the client get a message like "do you trust this root CA?" ? if so then most common users will not understand what it is and click yes and then man in the middle attacks can happen
This is why prudent IT policy is required to properly distribute the certificate to the clients in the domain. For the most part, 3rd party certificate authorities act as the trustee for Internet purposes and HTTPS, however within domains ideally the root CA would create the certificate and then certificate authorities (CA) would distribute via appropriate channels. You'd want to secure the root CA since if it becomes compromised, the attacker can create fraudulent certificates and perform man in the middle attacks.
If the root CA is taken offline, after the Second level CAs are given certificates. Then how can the client computers get a certificate from the Root CA? . And btw a fantastic video
A certificate server will only allocate or create subordinate certificates for the level below it. Clients will get certificates from a subordinate CA. Thus, to set up a certificate structure, you would create your root CA. Create some subordinate CAs. Take the root CA offline to protect the private keys. Now, the only CAs that can create certificates or add new CAs are the subordinate CAs.
@@itfreetraining First of all thank you for your quick response. To trust the certificates from the subordinate CA, the client computer must have a certificate from the Root CA installed locally. But, if the Root CA is taken down, how will the client computers get this certificate from Root CA? .
@@sankaranand503 The computers require a certificate from each CA in the chain. So, if you have a root CA, subordinate CA and another subordinate under that CA (let's call it sub2), when the computer gets a certificate from sub2 it needs to authenticate that it is valid by confirming all the other CAs are valid. So what you do before you take the root CA offline is export a certificate from it that contains the public key but not the private key. This root certificate you can give to anyone and it must be added to your computer's local certificate store before the computer will trust any certificate from any CA in that hierarchy. When the computer gets its certificate from sub2, it will know it is from the hierarchy so it will look for the root certificate in the local certificate store. If it finds it, it knows it can trust that hierarchy. However, it next needs to check the sub2 certificate. To do this, it either needs to have this certificate added to the local certificate store or have the ability to download it from somewhere. This certificate, like the root CA, does not contain a private key, only the public key. The computer only needs to confirm the chain the certificate came from is valid, so it does not matter if the root certificate and subordinate CAs were exported years ago, they just need to be valid. These certificates only contain public keys. The root CA is taken offline to protect the private key. The subordinate CAs still need to create new certificates and thus need access to their private key. If you want to add a subordinate CA under the root CA this is the only time you would need to bring the root CA online. Once you create the subordinate CA you would take it offline again. It is important to protect this root CA's private key because if it is lost the whole hierarchy is compromised.
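The hash-then-sign step from the 5:09 replies and the chain walk in the reply above, as an added example (not from the video or the channel). It assumes textbook RSA without padding over constructed toy primes, and the `Cert` layout, function names and host names are hypothetical, so it shows the logic only and is not real X.509 handling.

```python
import hashlib
from dataclasses import dataclass, replace

E = 65537
# Constructed toy primes (Mersenne primes): far too small and structured for real keys.
M61, M89, M107, M127 = (2**k - 1 for k in (61, 89, 107, 127))

@dataclass(frozen=True)
class KeyPair:
    n: int  # modulus (public)
    e: int  # public exponent
    d: int  # private exponent; stays with the key's owner

def make_keypair(p, q):
    return KeyPair(n=p * q, e=E, d=pow(E, -1, (p - 1) * (q - 1)))

@dataclass(frozen=True)
class Cert:
    """Hypothetical minimal certificate: public fields plus the issuer's signature."""
    subject: str
    issuer: str
    n: int
    e: int
    hash_alg: str = "sha256"  # the certificate itself names the hash to use
    signature: int = 0

    def tbs(self):
        # "To be signed" bytes: every field except the signature.
        return f"{self.subject}|{self.issuer}|{self.n}|{self.e}|{self.hash_alg}".encode()

def digest(cert, modulus):
    h = hashlib.new(cert.hash_alg, cert.tbs()).digest()
    return int.from_bytes(h, "big") % modulus  # reduced only to fit the toy modulus

def issue(subject, subject_key, issuer, issuer_key):
    """Issuer hashes the certificate fields and signs the hash with its private key."""
    cert = Cert(subject, issuer, subject_key.n, subject_key.e)
    sig = pow(digest(cert, issuer_key.n), issuer_key.d, issuer_key.n)
    return replace(cert, signature=sig)

def signature_ok(cert, issuer_cert):
    """Verifier needs only the issuer's public key, taken from the issuer's certificate."""
    recovered = pow(cert.signature, issuer_cert.e, issuer_cert.n)
    return recovered == digest(cert, issuer_cert.n)

def validate_chain(leaf, intermediates, trust_store, max_depth=8):
    """Walk issuer links from the leaf until a locally trusted root is reached."""
    by_subject = {c.subject: c for c in intermediates}
    cur = leaf
    for _ in range(max_depth):
        if cur.issuer in trust_store:
            # Use the locally stored root key, never a root supplied by the peer.
            ok = signature_ok(cur, trust_store[cur.issuer])
            return "trusted" if ok else f"bad signature on {cur.subject}"
        if cur.issuer == cur.subject:
            return f"untrusted root: {cur.subject}"
        parent = by_subject.get(cur.issuer)
        if parent is None:
            return f"missing issuer certificate: {cur.issuer}"
        if not signature_ok(cur, parent):
            return f"bad signature on {cur.subject}"
        cur = parent
    return "chain too long"

def demo():
    root_k, sub_k = make_keypair(M89, M127), make_keypair(M61, M127)
    sub2_k, host_k = make_keypair(M61, M107), make_keypair(M89, M107)
    rogue_k = make_keypair(M61, M89)

    root = issue("Root CA", root_k, "Root CA", root_k)  # self-signed, exported without d
    sub = issue("Sub CA", sub_k, "Root CA", root_k)     # signed before the root goes offline
    sub2 = issue("Sub2 CA", sub2_k, "Sub CA", sub_k)
    host = issue("pc01.example", host_k, "Sub2 CA", sub2_k)
    store = {root.subject: root}                        # local store holds only the root

    rogue_root = issue("Rogue CA", rogue_k, "Rogue CA", rogue_k)
    rogue_host = issue("pc01.example", host_k, "Rogue CA", rogue_k)
    spoofed = issue("pc01.example", host_k, "Root CA", rogue_k)  # claims the real root's name

    return {
        "full chain": validate_chain(host, [sub2, sub], store),
        "sub CA cert missing": validate_chain(host, [sub2], store),
        "tampered subject": validate_chain(
            replace(host, subject="pc99.example"), [sub2, sub], store),
        "unknown root": validate_chain(rogue_host, [rogue_root], store),
        "spoofed root name": validate_chain(spoofed, [], store),
        "rogue root added to store": validate_chain(
            rogue_host, [], {**store, rogue_root.subject: rogue_root}),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28} -> {result}")
```

The last case returns "trusted" only because the rogue root sits in the local store, which is why the contents of that store are worth auditing.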
Very nice explanation!! I have a few questions on this topic. As shown in the video, in case of certificate hierarchies where multiple certificates are involved: a) On Parent server -- I have installed Root Certificate from a CA1 --- so this OS would hold the Certificate CA1 with private key. Any web browser accessing the Parent server (a) would get the Root certificate CA1 with "Public Key" installed over here. b) Child Server --- I have a self signed certificate here OR certificate from another CA, let's say CA2 ---- so this OS would hold the Certificate of self-signed or another CA2 with private key. How can I maintain the root, intermediate and personal certificate hierarchies? Question 1: To maintain hierarchy, is it essential that I also install Root certificate CA1 (a) with a private key on to Child server along with CA2 certificate and its private key? Question 2: Any web browser accessing the Parent server (a) would get the Root certificate CA1 with "Public Key" installed on the OS hosting browser, which alone would be sufficient to access Child Server (b)? How is Child Server (b) allowing authentication to a client with Root certificate in it, is it because it's having CA1 with private key installed? Can you please comment on it. Kind regards, Sameer
+Sameer Rao a) The root CA would have the certificate with the private key. It needs that to create certificates. Other computers only require the root CA certificate containing the public key. b) I am not sure why you are using a self signed certificate. If you want a hierarchy you need to install a root CA. You do not have to set up an intermediate CA. The advantage of having an intermediate is that once they are set up you can take the root CA offline and only bring it back online to install additional intermediate CAs. Q1) To have a hierarchy you need a root CA. The private key should never leave the root CA. The private key is only needed when you create certificates using the intermediate CA. Q2) With certificates you have a chain of trust. For each CA it goes through the client will need a certificate from that CA containing its public key, otherwise the chain of trust is broken.
is there anyway to recover those encrypted files, which are in my external hard drive. they are all encrypted and i am trying to decrypt them but i am failing. may you please help me if there is anyway to recover my data.
Clearest explanation I’ve ever seen.
Still twists my brain into a knot.
Same here. It doesn't matter how simply it is explained it is difficult to wrap your head around it :)
Ah yes, glad i'm not alone
Coballes19 Thanks very much, we're glad you found our videos helpful
I love when stuff is simplified. You can give me more complicated perhaps real life scenarios but make it simple at first. Thank you!
You're most welcome! Thanks for watching.
jjaroc86 Thank you, Happy to hear you enjoyed our video
itfreetraining is making the best educational videos. I got my job thanks to your videos
+Богдан Захариев Thanks! We couldn't be happier that our videos helped you get a job.
Thanks for disabling adblock, but there is no need to click on the ads, unless you are interested in the product. Glad you like the videos.
Thank you. This was really good, even 9yrs later
Glad you enjoyed it!
One of the best videos I have seen on certificates. I am pointing my colleagues here if they want to learn more about certificates!
Thanks for the referrals! Thanks for watching.
Loved the examples and visuals you used as it helps someone like me relate and understand so much better!
We're glad you enjoyed it!
No problem at all, thanks for watching.
Excellent vid! After several days of trying to "get" this stuff, this is by far the best explanation out there.
+Raf Van Haver we're glad you found the videos useful and informative!
My god it took forever to stumble upon an explanation this good. Thanks.
Glad it was helpful!
Glad to help!
Wow. I feel much more confident now after watching this video. Thanks ITFreetraining.
Thank you, we're glad you found the video helpful!
If only all tutorial videos could be this good! Awesome explanation. Thanks.
You're very welcome!
No problem, thanks for watching.
Thanks very much and thanks for watching.
Great Video by IT Free training. Cheers to you guys. The demonstration is awesome.
Great explanation - just what I needed right now to help me understand how this all works. Thank you very much...
Glad it helped!
Thanks. I have to manage certificates as a licence/software manager. It has really helped.
+Kevin Stoneham Thank you. Happy our video was helpful
Thanks for the feedback!
Does the private key mentioned in 5:12 belong to Server or Certificate Authority (Verisign)?
I'm just impressed that you managed to navigate your subtitle settings.
Thank you!
That feeling when it finally clicks. Thank you.
Thanks for watching.
I like your video very much. It's really great. I'll keep an eye on your channel. I am your fan and I will support you.
At the end of the video, you suggest that the Root CA cert has to be installed on the laptop, this will require the Root CA to be online... So how does that work?
Let's see if I understood this, please. When accessing a web site, your computer downloads the cert from the site and then determines if it can be trusted based on the cert authority or who issues it. If trusted, your computer uses the public key for that domain (?) to encrypt. The web server on the particular domain can decrypt using the private key. That forms the secure SSL channel. Sound good or not?
Hi,
Please give an example where Electronic certificate is issued to User, computer & a device?
Thanks
Excellent Work.. Very Useful.. Thank you ITFreeTraining team..
No problem at all, thanks for watching.
That was wonderful! Thanks, for making it so clear and linking it to real life examples! Keep up the good work!
Very crisp and clear explanation. Thank you for sharing.
Thanks for watching.
Thank you for a great video. But why didn't you put this one in "certificates" playlist?
One of the best channels , well-explained!
+Yehya Mnaimneh Thank you very much.
Thanks for the video. It is crisp, clear and to the point. Great day ahead.
You're very welcome!
John's certificate is invalid now
I wish people taught more like you.
Thanks for the kind words! :)
Very well explained, thanks a lot.
I have a question related to intermediate CA, when we get SSL Certificate through ICA, do we need to include ICA Certificate while installing it in the web Server?
If we install only our SSL cert, got through ICA, will the web browser trust our SSL cert without ICA cert? I mean, Root CA is able to identify Certificates generated by ICAs under them without separate ICA?
and the other question is, web browsers and client applications behave in the same manner in this regard?
+ishantha Muthukumarana In order to have the chain of trust, the client needs to have access to all the certificates in the chain.
So can people who make the certificates track what you do online? Where I attend, it comes up with the following screen at 11:49 on your video. The IT tells peers to download a .cer file from their website. When I install the .cer , can it have some vulnerability or negative impact to me when I install and trust their certificate on my computer, for instance, when I am at home can it track stuff or do other harmful things???
Is Thumbprint another word for Digital Signature? I'm looking at a certificate in Windows.
Amazing introduction of the fundamentals and the concept. Thank you so much
You're very welcome!
certificate is no longer valid on 0:45 :(
Out of curiosity, why does itfreetraining not use https?
We just changed web servers and it has not been set up yet. We will get set up at some stage.
Tell me if this is right: If I wanted to start my own certificate issuing authority, I would only be able to serve computers being manufactured from now on since I have to have my root trust pre-installed on the OS? For computers already in existence and in use, it's too late, they'll never trust me since they have no internal record of me. Is that right?
+Raphi Stein From what the video has told me, you need to install the root CA certificate on any computer that you want to trust the child certificates for. So, for computers already in existence and use, you would need to install the Root CA certificate. If anyone else wouldn't mind chiming in, if I am right, this would help solidify my understanding of the topic.
+Raphi Stein Certificates work off trust, so unless the computer trusts the CA it will not be able to use the certificate. In Active Directory Certificate Services the trust that is created when the computer is joined to the domain is used to issue certificates to the computer. With a standalone CA, you need to get the certificate on the computer so it will trust the issuing CA. If you are using a commercial CA, chances are the root certificate is already pre-installed on Windows.
How do I Renew my Certificate? When I try to give out my Email Address on the internet I get "Invalid Email Address". I know my Certificate went Out of Date this month (Sept 2014). I am on Vista. So, can you please tell me how to Renew My Certificate or Certificates? Thanks
Wow, what a great teacher... I really like the scenario you created. It is extremely understandable
with this scenario you created
+Stephen Boakye Thank you!
What are the problems with CertAuth? Why are internet companies like google and facebook going against these Certificate Authorities lately?
At time 5:09 of the video: shouldn't the digital signature be made using the Public Key of the Certificate and not the Private Key? Also, shouldn't the Private Key be used to get the original Hash Value back to check if the Certificate is not altered?
Ok, let's say the public key is used to create the digital signature. Who has the public key? Everyone. So this does not prove anything. So you need to use something that only the person you are trying to prove the identity of has. Which is the private key.
To think of it easier, think of it as two keys. We label each key public and private to make it simple. But it works like this. Use k1 to encrypt. Use k2 to decrypt. Or you can do this. Use k2 to encrypt. Use k1 to decrypt. Easy, whichever key is used to encrypt, use the other to decrypt.
So, it would seem that all you would need to do is encrypt with the private key a known value. For example the person's name. If you decrypt this with the public key you would get the person's name, so this would seem to be the easier way to do digital signatures. But, we don't do it that way, why?
The problem is that if you know the data, public key and the encrypted data, you have enough information now to determine what the private key is. So, to get around this, we use a hash function. We hash some known data that both sides have, in this case the certificate as both parties have it, then we encrypt this hash with the private key making a digital signature. The digital signature can be decrypted with the public key giving us the hash. Now if we put the certificate through the hash function, if both are the same the digital signature has been validated. Since we have put a one way function in the process, we can no longer get the private key. It is a complicated process, but it is done that way to identify the person who created the digital signature has the private key and make it so you can't go backwards and get the private key.
So does this mean that a Certificate has its own pair of Public and Private Keys and these don't function as Public Key Encryption technique to create Digital Signature. One is for encrypting the data (the Private Key) and the other is for decrypting the data (the Public Key). As in the Public key Encryption only the Private key can be used to decrypt the data. Just two separate keys for encrypting and decrypting.
Think of a certificate as a file that contains data. It contains keys that are used for certificates and fields that contain data. On your computer, you will have a certificate that contains your private and public keys. You want to keep this safe. However, people need to have your public key. So, you create a certificate that contains your public key only. You give this certificate to everyone and keep it for yourself also. So, you put your certificate containing the public key through hashing. Then use your private key to create a digital signature. When someone wants to verify it is you, they get this digital signature and apply the public key to it. The public key is in the certificate you gave to everyone. They then get the certificate and hash it. The value should be the same and thus your identity is verified.
When you attempt to export a certificate from your computer, you have the option to export the certificate with or without the private key. When you export it with the private key it will ask for a password to be applied. You never want to give out a certificate to the general public that contains your private key.
In reality, as long as you use the other key to decrypt either key can be used to encrypt. So if you use the public key to encrypt you need the private key to decrypt. If you use the private key to encrypt you would need the public key to decrypt. The public key is shared and the private is kept secret.
Thank you a lot. It's too good for a free training vid
Thank you, we're glad you found the video helpful
Please make a playlist for this certificate services ..
@3:37 I am confused... you said that public key is used to encrypt the data and private key is used to decrypt data? Shouldn't it be the opposite?
because private key is not shared with others... it is private... and therefore how come it be possible for others to decrypt with it?
Very helpful video, gives me much better understanding now.
+Xiangyu Zhang We're so glad our videos helped you further understand! Thanks for choosing and watching IT Free Training!
If the Root CA holds the private key and is then taken offline, and the subordinate CAs are only issuing certificates, how will data be decrypted?
Subordinate CA's hand out both public and private keys as well.
All the certificates at any level have public and private keys. The private keys are used to create sub CAs, however once this process is done the private key is no longer needed. Thus, to protect the private key the CA is removed from the network. Sub CA's are still issuing certificates and encryption keys etc. and thus can't be taken offline.
does anyone have the PDF linked above, it's gone now
Hi Thanks for the tutorial, How the Public CA works & any one can go for Public CA.
what if u get a warning?
All i can say is thank you, you did a great job sir
+Bahaa Khateib Thank you very much! We strive to provide the best IT training videos for free so we're more than happy to hear you believe we did a great job.
Very nice video. Every basic information is captured perfectly
Thanks!
Thank you so much, this video was incredibly insightful !
Glad it was helpful!
CA encrypts public key of certificate by its own private key to make digital signature. It doesn't encrypt hash value of message to create digital signature
i need help, i lost my laptop in an accident and i left with my external hard drive that has encrypted files in it. the issue is i didn't do backups of those files or the windows certificates of those encrypted files.
Unfortunately, if you don't have access to the private key to decrypt the data then recovery is exceedingly difficult. Assuming the laptop was the only location of the files and certificates, then it is likely that the data will be irrecoverable.
Amazing Video.. So simple explanation to understand and still the topic relevant to me after these many years.. Thank you very much for this.. Subscribed.! :-)
very good video .... explained well !!!! thank you
Glad it was helpful!
I'm hoping to apply this to learning about wallets and keys to buy and sell Bitcoin ICOs etc. Hard to get a useful video on this
Best of luck, though investigating ICOs is better served by looking at the whitepaper of the coin you are specifically looking into. Those that don't have a well written enough whitepaper, pass and find another.
amazingly clearly explained, thank you
Thanks, glad you liked the video.
Thumbs Up, incredible explanation!
Glad you liked it!
Great video!!! Clear explanations.
I have a playlist of videos on SSL (Secure Socket Layer) and this particular video is among the best on that list.
Does my Skills Proficiency certificate Basic Plumbing... Makes me a Plumber.
Having a Skills Proficiency certificate in Basic Plumbing is a positive step towards gaining knowledge and skills in plumbing. However, whether or not you can be considered a plumber depends on various factors, including the specific requirements in your region, your level of experience, and any additional certifications or licensing that may be necessary.
Here are some considerations:
Certification: Basic Plumbing certification is a valuable starting point, but it may not be sufficient to work as a licensed plumber in many areas. To become a licensed plumber, you often need to complete an apprenticeship program and pass a licensing exam. The requirements for licensure vary by location.
Experience: Practical experience is crucial in the plumbing profession. Many plumbers gain hands-on experience through apprenticeships or on-the-job training, working alongside experienced plumbers.
Licensing: In many regions, plumbers are required to obtain a license to practice professionally. Licensing typically involves meeting specific educational and training requirements, passing an exam, and adhering to local regulations.
Continuing Education: Plumbing technology and practices evolve over time. Even after obtaining a basic certificate, it's important to stay updated with the latest industry standards and techniques through continuing education and training.
Legal and Regulatory Requirements: Different areas have different regulations regarding who can perform plumbing work, especially related to safety and health. Ensure that you are aware of and comply with local laws and regulations.
Specializations: Plumbing is a diverse field with various specializations such as residential plumbing, commercial plumbing, pipefitting, and more. Consider which area of plumbing you are interested in and whether additional certifications or training are required.
In summary, while a Basic Plumbing Skills Proficiency certificate is a valuable start and can be a stepping stone towards a plumbing career, becoming a licensed and professional plumber often requires meeting specific requirements set by your local or regional authorities. It's essential to research and follow the regulations and licensing requirements in your area if you aspire to work as a licensed plumber.
Excellent explanation!
Glad it was helpful!
Very helpful video to understand certificates. Thanks.
You're very welcome!
How about McLeaks certificate should i trust or not please tell me!
McLeaks certificate?
It is almost understandable. But... still many questions left unanswered and without any example.
1. Where computer gets public key to check digital signatures from?
2. Why computer has to have certificate from the organisation which issued the certificate? Why user certificate is not enough?
3. How computer know the exact algorithm to compute the certificate hash? Which hashing algorithm to use to get the hash which is digitally signed?
4. How root certificate verifies lower level user certificates?
5. What if the browser or other application is altered by malware to disable the checking of any certificates? Certificate will not help if an app does not check them before executing the code.
6. Why XXX hacker malware can not install their own certificate to your local OS (undetectable) so that your computer OS start to trust all the certificates issued by XXX hacker?
And many other questions. Can you offer a link or a book that explains digital certificates in more details and examples?
1. On Windows, open certmgr from control panel. This will show the certificates installed on the computer. Certain certificates are installed by default on Windows.
2. Using the certificates installed locally, it can check any certificate the computer downloads and confirm that it is part of that certificate hierarchy. That is, it was issued under the root certificate, the one you have installed on your computer.
3. This information is in the certificate.
4. Certificates are issued by a certificate authority. They come under the root certificate and are essentially mathematically chained to the certificate authority above it. A user would not generate their own certificate, they would get one issued from a certificate authority. Using the root certificate, they can verify the certificate is part of that hierarchy.
5. Certificates are used for secure channels. For example, for HTTPS. It could be possible I guess for malware to disable this somehow making your connection insecure. If this were to occur, the server could just reject the connection.
6. Yes, a hacker could do this.
A good introduction to Digital Certificates and PKI.
Thanks for your great feedback!
Hi,
Can you please post a video on how the Certificate Revocation Work.
We are looking at redoing the certificate course and including that subject. However, I am not sure when that will happen.
okk. Will be waiting for it. Thnx
Brilliant! Great 15min video!
Thanks very much.
Thank you. Awesome. But I still need to watch it about 7 more times to fully get it :p
Glad you liked the video.
John Doe's cert has expired.
10:10 Is this certificate now sent to VeriSign for an actual certification?
a perfect video !!!! thank you so much you saved me !!!
You're very welcome! Thanks for watching!
noelque
hello sir mine internet is blocked by an antivirus its eset nod32 some pop up pops up and says you this website doesn't look safe wi fi help!
Are you getting that popup with every website?
yea but i found out that i can fix it so simple I'll go to the time and change something so ya thanks for the guide u saved mine internet :D
but the root CA can't just install the certificate on the client browser automatically, how does it work?
does the client get a message like "do you trust this root CA?" ? if so then most common users will not understand what it is and click yes and then man in the middle attacks can happen
This is why prudent IT policy is required to properly distribute the certificate to the clients in the domain. For the most part, 3rd party certificate authorities act as the trustee for Internet purposes and HTTPS, however within domains ideally the root CA would create the certificate and then certificate authorities (CA) would distribute via appropriate channels. You'd want to secure the root CA since if it becomes compromised, the attacker can create fraudulent certificates and perform man in the middle attacks.
That was indeed a great video!!!! Many thanks...
You're very welcome!
wonderful explanation!!!
Glad you think so!
you are awesome. thank you very much dude. your video is great.
Outstanding tutorial.
It's very good explanation indeed, I have been looking for this a while, thanks a lot :D
Thank you very much!
I followed all the steps but still I can't connect to my wifi (radius). Please help.
Are you receiving any error messages?
Thank you! great effort and very clear. Very valuable 15 mins of my day.
You're very welcome! We're so glad you enjoyed it. Thanks for spending your 15 minutes with ITFreeTraining. ;)
Great video, very well explained, Thank you very much.
Thanks very much and thanks for adding us to the playlist.
Best channel ever.
+ScoringStageDe Thanks!
If the root CA is taken offline, after the Second level CAs are given certificates. Then how can the client computers get a certificate from the Root CA? . And btw a fantastic video
A certificate server will only allocate or create subordinate certificates for the level below it. Client will get certificates from a subordinate CA.
Thus to set up a certificate structure, you would create your root CA. Create some subordinate CA's. Take the root CA offline to protect the private keys. Now, the only CA's that can create certificates or add new CA's are the subordinate CA's.
@@itfreetraining First of all thank you for your quick response. To trust the certificates from the subordinate CA, the client computer must have a certificate from the Root CA installed locally. But, if the Root CA is taken down, how will the client computers get this certificate from Root CA? .
@@sankaranand503 The computers require a certificate from each CA in the chain. So, if you have a root CA, subordinate CA and another subordinate under that CA (Let's call it sub2), when the computer gets a certificate from sub 2 it needs to authenticate it is valid by confirming all the other CA's are valid.
So what you do before you take the root CA offline is export a certificate from it that contains the public key but not the private key. This root certificate you can give to anyone and must be added to your computer's local certificate store before the computer will trust any certificate from any CA in that hierarchy.
When the computer gets its certificate from the sub 2, it will know it is from the hierarchy so it will look for the root certificate in the local certificate store. If it finds it, it knows it can trust that hierarchy. However, it next needs to check the sub2 certificate. To do this, it either needs to have this certificate added to the local certificate store or have the ability to download it from somewhere. This certificate like the root CA does not contain a private key, only the public key.
The computer only needs to confirm the chain the certificate came from is valid, so it does not matter if the root certificate and subordinate CA's were exported years ago, they just need to be valid. These certificates only contain public keys.
The root CA is taken offline to protect the private key. The subordinate CA's still need to create new certificates thus need access to their private key. If you want to add a subordinate CA under the root CA this is the only time you would need to bring the root CA online. Once you create the subordinate CA you would take it offline again. It is important to protect this root CA's private key because if it is lost the whole hierarchy is compromised.
@@itfreetraining Thank you for your explanation, It helped me a lot to understand. And I am clear now.😊
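Added example, not from the video or from any commenter: the hash-then-sign check and the chain walk (root, subordinate, sub2, end certificate) discussed in the replies above, in Python using only the standard library. The `Cert` fields, function names and host name are assumptions, and the key pairs are constructed from Mersenne primes with unpadded RSA, so they are for illustration only and not secure.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by every demo key

def make_keypair(a, b):
    """Constructed, insecure demo key built from Mersenne primes 2**a-1, 2**b-1."""
    p, q = 2**a - 1, 2**b - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return (n, E), (n, d)              # (public key, private key)

@dataclass
class Cert:
    subject: str
    issuer: str
    public_key: tuple          # (n, e) of the subject; never the private key
    hash_alg: str = "sha256"   # the certificate names the hash to use
    signature: int = 0         # filled in by the issuer

    def tbs(self):
        """Bytes covered by the signature: every field except the signature."""
        return f"{self.subject}|{self.issuer}|{self.public_key}|{self.hash_alg}".encode()

def cert_hash(cert):
    return int.from_bytes(hashlib.new(cert.hash_alg, cert.tbs()).digest(), "big")

def sign(cert, issuer_private):
    """Issuer applies its private key to the hash (textbook RSA, no padding)."""
    n, d = issuer_private
    cert.signature = pow(cert_hash(cert), d, n)
    return cert

def signature_ok(cert, issuer_public):
    """Anyone applies the issuer's public key and compares with their own hash."""
    n, e = issuer_public
    return pow(cert.signature, e, n) == cert_hash(cert)

def verify_chain(leaf, supplied, trust_store):
    """Follow issuer links from the leaf until a root in the local store is reached."""
    by_subject = {c.subject: c for c in supplied}
    current = leaf
    for _ in range(len(supplied) + 1):
        root = trust_store.get(current.issuer)
        if root is not None:                       # reached a locally trusted root
            return signature_ok(current, root.public_key)
        issuer = by_subject.get(current.issuer)
        if issuer is None or not signature_ok(current, issuer.public_key):
            return False                           # missing link or bad signature
        current = issuer
    return False

def build_demo():
    """Root -> Sub -> Sub2 -> end certificate, mirroring the hierarchy in the thread."""
    root_pub, root_priv = make_keypair(521, 607)
    sub_pub, sub_priv = make_keypair(607, 1279)
    sub2_pub, sub2_priv = make_keypair(1279, 2203)
    leaf_pub, _ = make_keypair(521, 1279)
    root = sign(Cert("Root CA", "Root CA", root_pub), root_priv)  # self-signed
    sub = sign(Cert("Sub CA", "Root CA", sub_pub), root_priv)
    del root_priv  # root goes offline: its private key is not needed to verify
    sub2 = sign(Cert("Sub2 CA", "Sub CA", sub2_pub), sub_priv)
    leaf = sign(Cert("www.example.test", "Sub2 CA", leaf_pub), sub2_priv)
    return root, sub, sub2, leaf

if __name__ == "__main__":
    root, sub, sub2, leaf = build_demo()
    store = {root.subject: root}                     # root cert installed locally
    print(verify_chain(leaf, [sub2, sub], store))    # full chain available
    print(verify_chain(leaf, [sub], store))          # Sub2 certificate missing
    print(verify_chain(leaf, [sub2, sub], {}))       # root not in the local store
    leaf.subject = "altered.example.test"            # field changed after signing
    print(verify_chain(leaf, [sub2, sub], store))
```

Real certificates are X.509 structures, and real RSA signatures add padding (PKCS#1 v1.5 or PSS) before the private-key operation.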
thx for being free :) ...ive just disabled the adblock from your videos and website ...
and im clicking on them too... hope it helps you :)
Very Nice Explanation !! I have few questions on this topic.
As shown in the video , In case of certificate hierarchies where multiple certificates are involved
a) On Parent server -- i have installed Root Certificate from a CA1 --- so this OS would hold the Certificate CA1 with private key
Any web browser accessing the Parent server (a) would get the Root certificate CA1 with "Public Key" Installed over here.
b) Child Server ---I have a self signed certificate here OR certificate from another CA lets say CA2 ----so this OS would hold the Certificate of Selfsigned or another CA2 with private key
How can i maintain the root, intermediate and personal certificate hierarchies?
Question1 : To maintain hierarchy , is it essential that i also install Root certificate CA1 (a) with a private key on to Childserver along with CA2 certificate and its private key?
Question 2 : Any web browser accessing the Parent server (a) would get the Root certificate CA1 with "Public Key" Installed on the OS hosting browser which alone would sufficient to access Child Server (b)?
How Child Server (B) is allowing authentication to a client with Root certificate in it, is it because it's having CA1 with private key installed?
Can you please comment on it
kind Regards
Sameer
+Sameer Rao a) The root CA would have the certificate with the private key. It needs that to create certificates. Other computers only require the root CA certificate containing the public key.
b) I am not sure why you are using a self signed certificate. If you want a hierarchy you need to install a root CA. You do not have to set up intermediate CA. The advantage of having an intermediate is that once they are set up you can take the root CA offline and only bring it back online to install additional intermediate CA's.
Q1) To have a hierarchy you need a root CA. The private key should never leave the root CA. The private key is only needed when you create certificates using the intermediate CA.
Q2) With certificates you have a chain of trust. For each CA it goes through the client will need a certificate from that CA containing its public key, otherwise the chain of trust is broken.
is there anyway to recover those encrypted files, which are in my external hard drive. they are all encrypted and i am trying to decrypt them but i am failing. may you please help me if there is anyway to recover my data.
What method did you use for encryption? Did you back up any of the private keys required to decrypt the content?
Very nicely explained.
+Eddie Kumar Shrivastava (Aditya) Thanks! We work hard to give you the best explanations.
Exactly what I was looking for!
Glad we could help.
Excellent work.
Thanks very much.
very clear explanation
Glad you think so!
Thank you for great explanation.
Glad it was helpful!