Great video, but I would advise everyone watching that the last version of SSL was deprecated in 2015. The term "SSL Certificate/s" is a misnomer. The certificates exist outside of the protocol. Nowadays, the protocol they are most often associated with is TLS.
yes.. SSL is an older term. TLS was the common protocol when I made the video, but SSL was the more recognized (older) term. The video is not intended to show current details, but an overview of how PKI can be used to exchange a symmetric key to make a communication secure.
@davecrabbe4579 Yes, thank you sir, the video is extremely helpful. I was just highlighting this in case anyone got confused. There are even a lot of frameworks and projects out there that reference SSL in their properties/configuration files, but they really mean TLS. Kafka is such an example - if you look at Kafka's documentation they specifically state that whenever they use the term SSL, they actually mean TLS..
Q@ 10:10: (1) The browser does not need to specifically request each single certificate, but instead gets all certs on the server at once, right? (2) What happens in cases of longer chains? For example: NSCC -> Google CA -> GeoTrust -> CompanyA -> GoDaddy. Would NSCC have to provide each certificate of the chain? How does NSCC know which CA is actually listed in the browser? (3) What drawing/presentation software are you using?
There are not that many intermediate CAs in a chain. Generally there is one intermediate cert and then the root CA. NSCC would send its cert and all other public certs needed to validate its certificate. They are not requested individually. I used a Sketching program from Adobe that I don’t believe they still provide.
Thanks for teaching, it's very clear and understandable. I have a personal question: what software tool do you use to draw and write your videos? I really appreciate your answer
I use an Apple iMac as the desktop. I use the camera built in and simply use the Apple cheap headphones with mic for sound. I use Autodesk Sketch as the page on which I scribble. The layers allow me to expose 'pages' as required. I've also used a s/w package called 'DeskScribble'. To create the actual video, I use ScreenFlow. It's all very lo-tech and relatively inexpensive (except for the Mac).
I use a Mac and ScreenFlow to capture the video.. for doing the graphics I create a stack of drawings in Sketchbook and turn layers on/off to review the next 'page'. I've also found DeskScribble very useful.
At 14:27, you will see that the CNNIC cert is indeed listed in the keychain of the macOS (an oversight by me). However, built into browsers is a "black list" where the browser itself can invalidate a root certificate. So when Google found the breach, it added code to the next update of its browser that will effectively revoke CNNIC's root cert even though one appears in the operating system's certificate storage area. When users launch Chrome, it will search for an update.. when one exists it installs the new code and .. there.. that certificate is revoked and so Chrome will no longer validate CNNIC's certs. I believe that browsers have both white and black lists of root certs built into their code so they can add root certs, if they don't think one exists in the OS, or invalidate root certs. But all OSes have a central storage area for CA root certs so browsers don't need to store a complete list.
Can we see the blacklist that a browser, has for root certs? Or do you think that is intentionally hidden from end users?
@DataVids I am not that familiar with the internal workings of all browsers. Chrome contains a CRLset that is a list of banned sites. It can't be viewed directly but can be dumped with public code. (dev.chromium.org/Home/chromium-security/crlsets).
@davecrabbe4579 thank you!
Ha, I was about to comment that! BTW, in my keychain it is not. So at some point Apple also removed it.
This has to be the clearest, melodrama-free explanation of digital certificates on YouTube. Thank you for taking the time to explain this.
I finished my IT studies 2 years ago and never got clear in certificates understanding. Now I wanted to acquire this competence once for all. Watched many videos, still didn't get the thing. Then I found yours. This is masterpiece explanations, everything is now crystal clear into my mind. Most of the videos skip steps so it's not understandable. Thank you so much for this high quality lesson.
This is by far the best explanation on Certificates.
Indeed!
best explanation!! well done
clear explanation without using any fluff or word salad, straight to the point! thank you!!!!
Searched Google, searched YouTube, didn't find a good explanation of certificates for beginners. THIS VIDEO IS A GEM, IT HAS ALL THAT A BEGINNER NEEDS TO UNDERSTAND. THANK YOU FOR THE VIDEO!!!
Amazing explanation. What I couldn't understand for over 2 months was water clear in less than 30 minutes. Thanks.
Awesome tutorial. I have been struggling to understand the chain of trust for ages and today this tutorial has cleared all my doubts. It made my day. A million thanks to Dave. Long live and god bless you.
Excellent explanation! Searched everywhere to learn more about how the chain of trust worked in detail - finally found it here! Thank you!
Thanks.. older video, but it's all built on the same basic concept, so far.
Thank you Dave, excellent explanation!! Clear and direct. Agreed that this is the best chain certificate explanation I've ever seen to date.
I had so many doubts / confusion about digital signatures and how they work, now I understand completely, thanks for the nice explanation
This is great and simple, finally someone covers how the certificate is verified to actually be from the specific CA.
The best explanation ever I've faced about "Chain of Trust".
By the way, you have the root certificate of CNNIC on your browser. :)
yeah.. I picked that up after it was posted.. I'm still learning too :)
This is the best explanation so far on the internet
Straight forward and comprehensive explanation. This is the only resource on the topic that made sense to me and filled in all the gaps.
One piece of information missing in this video that will be helpful: Data encrypted with the public key can only be decrypted with the private key, and data encrypted with the private key can only be decrypted with the public key. So notice that the hash of the SSL certificate is encrypted with the private key and can only be decrypted with the public key.
I'd like to echo what others have already said and thank you so much for such a clear explanation of this process. I have been able to explain PKI principles to colleagues from the knowledge learnt in this video. I've been an IT professional for the past 9 years and PKI principles have never really stuck but this one made the penny drop. Excellent work.
This is THE BEST explanation ever
thanks for taking the time to post these videos. i'm a network engineer and your teaching and explanations are excellent! appreciate it!
Glad you enjoyed it.. thanks
This is by far the best explanation, if you have basic understanding, I learned first 3 chapters from book called PKI uncovered from cisco press and then watched this video, which resolved all the grey areas, thanks man
super! Thanks for the comment.
One of the best and crystal clear explanation I have ever seen !!
This is the most amazing video I have ever come across, because you are the only one I saw that explains SSL and the Chain of Trust in detail with a great example.
Thank you very much dear, and I am very happy that I came across it while I was searching for tutorials to understand how this process works.
Best Wishes and Blesses.
Thanks..
This is the best video on SSL I have come across!
This is the perfect video I found on YouTube which explains the concept of certificate chains.. take a bow Dave
Best explanation about chain of trust I've ever faced.
This is the best explanation across all articles and videos.
Sir, the video is simply perfect. I work in IT, I don't play a lot with certs or CAs but this was to the point where I had enough to do my job. Thanks :)
the best explanation on youtube I've found so far
thank you so much for your work!
Thanks Dave! These two episodes on TLS certificates was the best I have seen. Thank you, Thank You.
One of the best videos to understand chain of trust
Finally! found some quality material... and it was free. thanks
By far the best video on this subject. Thank you.
this is the best and most simplified explanation of the topic... loved that... thanks much for your efforts
This is a really awesome explanation. Probably the best that I have ever seen till now.
A fantastic and clear explanation of the Chain of trust..Kudos!
A great presentation about chain of trust and certificates! Really great. Thanks for that
Simple and to the point without age old theoretical rhetoric.
This was a nice and comprehensive step-by-step overview! I've browsed through a bunch of information regarding certificates, validation etc, and this video turned out to be a gold nugget in a topic where other information sources choose to gloss over the details and specifics (perhaps due to a lack of understanding?).
Some go into too much detail and you never grasp the overall concepts.
Thanks for delving into the details of this process. Other videos don't seem to discuss the details in much depth.
I had to change the speed to 1.25 and the video became so much better! Thank you for the nice explanation.
grin.. I'm older and I go slow these days..
Wow, you made me understand those SSL certs once and for all, and it's much appreciated. Also, you have great handwriting. Keep up the great content sharing in your channel, I'm definitely subscribing.
I've been watching SSL related videos for the past hour and this explanation at 11:52 was what I needed to fill the gap!
This is not how it works nowadays. If you want information about that part, look for Diffie-Hellman key exchange.
Yeah, the latest version of SSL was deprecated in 2015
The problem is if the private key ever gets compromised at some point in the entire future of humanity, all past communication becomes compromised. Not good. Private key should only be used for identification and after a breach simply be replaced without further damage.
great video thanks! What I'd like to see next is what happens if the private key is compromised. My understanding is that the certificates can be forged using this key. But I would like to hear an explanation from a professional! Thank you again for the great content
If the private key is compromised all certificates created with that private key are compromised. If the private key of a ROOT authority is compromised there is a way to invalidate all certificates issued from that ROOT authority. I believe all browsers check some central repository for a list of ROOT authorities that have been compromised and will not process a certificate if the issuer is on that 'black' list.
Finally an explanation that connects all the dots! Great explanation.
Just wanted to commend you on the quality of your videos in explaining a complicated subject - I was able to clarify multiple concepts after muddling through several documents.
Glad you enjoyed.. With all the complete details, it is a very complex topic. My attempt was to break it down into only the necessary components so that people understand how the basic principle works.
Seriously love the way the information is provided, clear concept
Thank you Dave for the excellent presentation and I like the case study you put at the end.
Excellent instructional "Chain of Trust" SSL process. Thank you for your valuable time. :)
Finally a satisfying explanation of certificates, thanks
Thank you! This is the best explanatory video for ssl certificates
Many thanks for this clear, concise and well presented explanation,
Best regards.
Great video. I can see multiple comments of 1) encrypting vs. validation and 2)encrypting with either private or public key and undoing the process with the other key. Second comment that was useful was the reason to using an intermediate certificate authority (a security feature, limit damage if private key ever gets leaked). Thank you! Would it be possible to make a video about wild domain (multiple domain) certificates?
My homework now is to encrypt with a private key and decrypt with the public and to compare against other validation/signature verification flows. In JWT, (head.payload.signature) I would thought that you had the payload, you would encrypt it using the public key (generate the signature) and then compare it against the signature for validation.
It was a deep and easy-to-follow dive into the e-certificates world. Many thanks!
I agree with earlier comments. This is the best video on SSL I could find on YouTube. I shared it with my coworkers. Thank you.
Thanks for the comments. The actual technical implementation has so many more details. I tried to distill it into the core concepts.
At 14:25, you can see CNNIC ROOT listed in browser certificate list.
excellent presentation. one of the best. thanks.
I also had trouble spelling Hierarchical! (Thank goodness for auto correct😁)
Fantastic explanation btw - I've been scouring the web for a decent explanation and after your video I feel my knowledge gap has been quenched. Liked the video so that after I've had a sleep and forgotten it I can simply refer back to the masterclass. Thanks again
Great and simple.......good job sir
BTW, I can see CNNIC ROOT listed in your browser.
14:27
LOL - I was just about to post this exact same observation.
lmao
hehe small mistake but we got the point....
If Microsoft didn't revoke CNNIC, then it may be reasonable to believe that Apple didn't either. If they didn't, then Safari would still ship with CNNIC as a trusted root and would therefore be installed on his computer.
Done thanks took notes in onenote
Best video on the topic!
awesome explanation ! cleared my doubt... this clearly explains why do we have chain of trust in the first place...
Thanks Dave for clear cut explanation. Have a good time.
great explanation, Thanks Dave for putting this together. really helpful.
Thanks a lot! great explanation.
But I'm a little bit confused, at 10:12 where you said the browser has the public key so it can decrypt the data encrypted by the private key. But I thought the public key is used to encrypt and not decrypt. Can you please explain?
In PKI, either the public OR the private key encrypts.. the OTHER key will decrypt.. This allows different applications of PKI.. such as digital signatures vs SSL communication. So in SSL, the PRIVATE key of the vendor you are attached to encrypts some information and I (the client) can decrypt it with that vendor's public key. If I want to send something secure back to the vendor, I can encrypt it with the Vendor's public key and they are the only one who can decrypt it with their vendor private key.
Very good tutorial! The only thing I misunderstood is that earlier you said that signing is done via the public key and then I find out that CA and ICA certificates are signed by the CA/ICA private key ?!
This is awesome! You explained it soooo well.
Great video.
When you say the certificate hash data is encrypted using the private key of the issuer, does it mean that the private key is also sent along with the certs? I am a bit confused, why is the private key being used to encrypt the hash?
Aren't public keys used to encrypt (as the browser is doing with the symmetric key)? Or is it not necessary to always encrypt using the public key?
perfect video ,really good explanation to how the chain of trust occurs
Shame on those who have watched this masterpiece 🤩 and did not subscribe 👊👊👊
Hi Dave, thank you for the wonderful explanation but I am a little confused to see the private key encrypted hash is being decrypted by the public key present in the cert when you explain the chain of trust..... I don't get that... cause my understanding is that public key encrypted data is decrypted by private key but here it seems to be vice-versa.. please can you shed some light
There are some applications where the private key encrypts and some applications where the public key encrypts.. If you want to send something private to a friend then you use their public key to encrypt and they can decrypt with their private key.. If I want to “digitally sign” a document, I encrypt with my private key and anyone can get my public key to decrypt.. Since only my public key can decrypt it, it must have come from me. In all cases, the private key is kept secret with the entity that created the private/public key pair.
@davecrabbe4579 noted thank you very much
@MetaTreatment I want to send a message to John and have him validate it comes from me. I write the message in plain text. I add my signature and then encrypt just my signature with my private key.. I then encrypt the message using John’s public key.. John gets the message.. only he can decrypt the entire message with his private key.. He then uses my Public key (which I personally send him .. or it could be posted on my personal web site.. ) He uses my public key to decrypt the signature .. since he knows he has my public key.. he can validate that I sent the message. No one but John can decrypt the message. Most email clients support all this.. you can play around with it.
@davecrabbe4579 I have never heard of a case where public keys are used to decrypt. This breaks the fundamentals. Rather I can see where encrypting using the public key would match the encryption of a hash. So if you know the checksum of some document you could then use the public key to encrypt that checksum and then check that encrypted checksum against the encrypted checksum sent to you. This solution makes more sense to me.
@osirioncomputing8521 Used for Digital Signatures. When digitally signing something, you encrypt the signature part with your private key. Since everyone has your public key, they can decrypt the signature.. Since only my private key can be decrypted by my public key, you know that info came from me.
Just one word "Excellent" !!
Fantastic explanation !!!
Need a bit more explanation at 10:26, How hash is validated?
Correct me: the decrypted hash from the received 'google-certificate' using public-key of root CA installed in browser is matched with the generated hash from public key present in the certificate?
Great Explanation.. Thank you. God bless you.
Browsers do the key exchange process in the way you described at 12:00 only in the case of the TLS_RSA cipher suite. If the server and the browser agree on a better cipher suite like TLS_DH_RSA (Diffie-Hellman key exchange) or TLS_ECDHE_RSA (Elliptic Curve Diffie-Hellman key exchange) the key exchange process would be very different. Very good explanation nonetheless!
grin.. you know too much.. I purposely did not want to get into that level of detail as many readers who are just learning this for the first time might not get a good overview of the concept.
great explanation ... CNNIC was still in your browser though (14:28)
yeah.. see Pinned reply just below
Great explanation!! Thanks
I have a question. At 11:14 you mentioned that the public key from the ICA can be used to decrypt the encrypted hash portion of the NSCC certificate.
Can a public key be used for decryption?
I am still a little confused on this point.
Either key can be used to encrypt. But the *OTHER* key must be used to decrypt. Which key is used to encrypt depends on the application (digital signatures, encryption certs, etc). However, the private key is *ONLY* known to the person issued. It must never be distributed.
At 10:30 you show that Google signs with the private key from GeoTrust, and GeoTrust uses the public key to encrypt the hash. But isn't it vice versa, and Google is signing the hash with the public key from the NSCC and they validate it with their private key? Because why should Google have the private key from GeoTrust? And at 14:40, CNNIC is seen in the picture where you say it is not valid to use it?
No, you are misunderstanding the information here. Here, Google is an ICA and as such, no client has Google's public key in their certificate store. As an organization, Google must obtain a certificate from a known and trusted CA (GeoTrust). Thus, GeoTrust creates a cert for Google and signs it with their own private key. You are right, NO ONE must see the private key of another. This cert is sent to Google and they distribute this cert whenever Google issues a cert. In the case shown, Google is issuing an SSL cert and encrypts the hash with their (Google's) private key. The client would not have Google's public key and so could not decrypt the hash. This is why the Google cert (signed by GeoTrust) must be sent with the SSL cert. Every client has access to GeoTrust's public key since they are a well known CA. They can validate Google's cert, get Google's public key, and use this key to validate the SSL cert.
@@davecrabbe4579 Ah now I get it! Thanks! 😊
Best video of SSL
AWESOME explanation!
Great video, but I would advise everyone watching that the last version of SSL was deprecated in 2015. The term "SSL Certificate/s" is a misnomer. The certificates exist outside of the protocol. Nowadays, the protocol they are most often associated with is TLS.
yes.. SSL is an older term. TLS was the common protocol when I made the video, but SSL was the more recognized (older) term. The video is not intended to show current details, but an overview of how PKI can be used to exchange a symmetric key to make a communication secure.
@@davecrabbe4579 Yes thank you sir the video is extremely helpful. I was just highlighting this in case anyone got confused. There are even a lot of frameworks and projects out there that reference SSL in their properties/configuration files, but they really mean TLS. Kafka is such an example - if you look at Kafka's documentation they specifically state that whenever they use the term SSL, they actually mean TLS..
thank you, I was just wondering why it is called an SSL certificate instead of a TLS certificate. Now you have given me the answer!
Awesome explanation Sir......
thank you so much....
good one. nice explanation
Absolutely brilliant explanation, thanks!
Q@ 10:10:
(1) The browser does not need to specifically request each single certificate, but instead gets all certs on the server at once, right?
(2) What happens in cases of longer chains? For example: NSCC -> Google CA -> GeoTrust -> CompanyA -> GoDaddy. Would NSCC have to provide each certificate of the chain? How does NSCC know which CA is actually listed in the browser?
(3) What drawing/presentation software are you using?
There are not that many intermediate CAs in a chain. Generally there is one intermediate cert and then the root CA. NSCC would send its cert and all other public certs needed to validate its certificate. They are not requested individually. I used a Sketching program from Adobe that I don’t believe they still provide.
@@davecrabbe4579 Thank you :)
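To make the two replies above concrete (the GeoTrust/Google/NSCC chain walk, where the client only holds the root's public key and gets every other key from the certificate below it, and the answer that the server sends the leaf plus every intermediate at once), here is an added example that is not code from the video or its author. It uses textbook RSA (no padding) over a SHA-256 digest, a dict as a stand-in for an X.509 certificate, and constructed names such as "Example Root CA" and "www.example.com"; these are assumptions for illustration, not anything from the video. It also exercises the failure modes discussed in the thread: an intermediate the server forgot to send, a root that has been pulled from the trust store, and a leaf whose public key has been swapped.

```python
"""Toy certificate-chain validation with textbook RSA signatures (added example,
not the video's code). Simplifications: Miller-Rabin key generation, a dict as
the "certificate", textbook RSA over a raw SHA-256 digest with no padding, and a
trust store that is just {root name: root public key}. Real X.509/TLS adds
PKCS#1 v1.5 or PSS padding, ASN.1 encoding, validity periods, name constraints,
key-usage bits and revocation checks on top of the same idea."""
import hashlib
import random

_RNG = random.SystemRandom()
_E = 65537          # standard public exponent
KEY_BITS = 512      # toy size for speed; real keys are 2048 bits or more


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (probabilistic, fine for a demo)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random prime of exactly `bits` bits with p % e != 1, so gcd(e, p - 1) == 1."""
    while True:
        c = _RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
        if c % _E != 1 and is_probable_prime(c):
            return c


def gen_keypair(bits=KEY_BITS):
    """Return (public, private). Only the public half ever goes into a cert."""
    p, q = gen_prime(bits // 2), gen_prime(bits // 2)
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": _E}, {"n": n, "d": pow(_E, -1, phi)}


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    """'Encrypt the hash with the private key', as the video puts it."""
    return pow(_digest(data), priv["d"], priv["n"])


def verify(pub, data, sig):
    """Recover the hash with the public key and compare it to a fresh hash."""
    return pow(sig, pub["e"], pub["n"]) == _digest(data)


def _tbs(subject, pub, issuer):
    """The 'to be signed' bytes: exactly what the issuer vouches for."""
    return f"{subject}|{pub['n']}|{pub['e']}|{issuer}".encode()


def issue_cert(subject, subject_pub, issuer, issuer_priv):
    cert = {"subject": subject, "pub": subject_pub, "issuer": issuer}
    cert["sig"] = sign(issuer_priv, _tbs(subject, subject_pub, issuer))
    return cert


def verify_chain(leaf, intermediates, trust_store):
    """Walk leaf -> intermediates -> a root in trust_store. Returns (ok, reason).
    Only the root key comes from the local store; every other key is taken from
    the cert below it and trusted only after that cert's signature checks out."""
    by_subject = {c["subject"]: c for c in intermediates}
    cert = leaf
    for _ in range(len(intermediates) + 1):   # bounded: no loops, no runaway chains
        issuer = cert["issuer"]
        data = _tbs(cert["subject"], cert["pub"], issuer)
        if issuer in trust_store:
            if verify(trust_store[issuer], data, cert["sig"]):
                return True, f"chain ends at trusted root '{issuer}'"
            return False, f"bad signature on '{cert['subject']}' under root '{issuer}'"
        parent = by_subject.get(issuer)
        if parent is None:
            return False, f"no certificate supplied for issuer '{issuer}'"
        if not verify(parent["pub"], data, cert["sig"]):
            return False, f"bad signature on '{cert['subject']}'"
        cert = parent
    return False, "chain does not reach a trusted root"


def demo():
    """Build root -> intermediate -> site (constructed names) and try the failure modes."""
    root_pub, root_priv = gen_keypair()
    ica_pub, ica_priv = gen_keypair()
    site_pub, _site_priv = gen_keypair()          # site's private key never leaves the server
    ica_cert = issue_cert("Example Intermediate CA", ica_pub, "Example Root CA", root_priv)
    site_cert = issue_cert("www.example.com", site_pub, "Example Intermediate CA", ica_priv)
    trust_store = {"Example Root CA": root_pub}   # what the browser/OS ships with
    evil_pub, _ = gen_keypair()
    forged = dict(site_cert, pub=evil_pub)        # attacker swaps in their key, keeps the old sig
    return {
        "valid": verify_chain(site_cert, [ica_cert], trust_store)[0],
        "missing_intermediate": verify_chain(site_cert, [], trust_store)[0],
        "root_distrusted": verify_chain(site_cert, [ica_cert], {})[0],
        "tampered_leaf": verify_chain(forged, [ica_cert], trust_store)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22s} {'OK' if ok else 'REJECTED'}")
```

Run it and only the first case is accepted. The "root_distrusted" case is the software equivalent of what the pinned reply describes for CNNIC: nothing about the certificates changes, the root key is simply no longer in the store the client consults, so the walk runs out of trusted keys and fails.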
Very well explained. Thank You !
Great Video, really informative! Exactly the information I knew I didn't know.. Thanks!
Really good explanation
Thanks this was easy to follow and understand.
Excellent explanation..thankyou
Great explanation, thanks!
Thanks for teaching, it's very clear and understandable. I have a personal question: what software tool do you use to draw and write your videos? I would really appreciate your answer.
I use an Apple iMac as the desktop. I use the camera built in and simply use the Apple cheap headphones with mic for sound. I use Autodesk Sketch as the page on which I scribble. The layers allow me to expose 'pages' as required. I've also used a s/w package called 'DeskScribble'. To create the actual video, I use ScreenFlow. It's all very lo-tech and relatively inexpensive (except for the Mac).
@@davecrabbe4579 thank you
Great video, this helped me a lot!
Great explanation and impressive visualization! Would you share what tools (hw & sw) you used to create the video?
I use a Mac and ScreenFlow to capture the video.. for doing the graphics I create a stack of drawings in Sketchbook and turn layers on/off to review the next 'page'. I've also found DeskScribble very useful.
Thank you for this very thorough explanation
Thank you, very well explained!
Awesome video. Thank you very much
GREAT Explanation, thanks Dave!
very well explained!!
Thank you very much! Very insightful.