Using Wireshark to extract certificates from a TLS session

In the context of Public Key Infrastructure (PKI), a certificate is a digital document that binds a public key to an entity, such as an individual, organization, or device and is used to establish the authenticity of that entity during secure communications. Here’s a detailed breakdown of what a certificate is and its role within PKI:

Components of a Certificate

  1. Public Key: The certificate contains the public key of the entity it identifies. This key is used to encrypt data and verify digital signatures.
  2. Subject: This is the identity of the entity associated with the certificate. It can include the name, organization, domain name, email address, or other identifiers.
  3. Issuer: The certificate is issued by a Certificate Authority (CA), a trusted entity responsible for verifying the subject’s identity and issuing the certificate.
  4. Serial Number: A unique identifier assigned by the CA to differentiate this certificate from others.
  5. Validity Period: Certificates have a specified start and end date (issue and expiration dates) to ensure they are valid only for a limited time.
  6. Signature: The certificate is digitally signed by the issuing CA. This signature verifies that the CA issued the certificate and has not been tampered with.
  7. Extensions: Certificates may include additional information, such as usage constraints (e.g., whether the certificate can be used for encryption or signing), key usage, and any additional attributes relevant to the certificate.

Types of Certificates

  • SSL/TLS Certificates: These are used to secure communications over the internet, such as HTTPS websites.
  • Code Signing Certificates: Software developers use these to sign their applications, ensuring their integrity and authenticity.
  • Email Certificates (S/MIME): Used to sign and encrypt email messages.
  • Client Certificates: Used to authenticate users or devices in a network.

Role of Certificates in PKI

  1. Authentication: Certificates establish the parties’ identity in communication, ensuring that a user or device is who it claims to be.
  2. Encryption: The public key within a certificate can encrypt data, ensuring that only the holder of the corresponding private key can decrypt and access the information.
  3. Integrity: Digital signatures within certificates help ensure that the data has not been altered in transit. If the signature does not match, it indicates that the data may have been compromised.
  4. Trust Establishment: Certificates create a chain of trust. If users trust a CA (often included in the list of trusted root CAs on their devices), they can trust any certificate issued by that CA.
  5. Management: PKI provides processes for managing certificates throughout their lifecycle, including issuance, renewal, revocation, and expiration.

Obtain the packet capture.

Locate the “server hello” transaction.

Trying to understand the certificates in Wireshark can be cumbersome.

A certificate chain in Public Key Infrastructure (PKI) refers to the hierarchical structure of digital certificates that establishes a chain of trust from a specific certificate back to a trusted root Certificate Authority (CA). This chain typically consists of multiple certificates, each linking to the next until the trust anchor (the root CA) is reached.

Example:

Each certificate in the chain can be extracted from Wireshark.

Extracting certificates from Wireshark
  1. Right-click on the last certificate

2. Save the certificate

3. Repeat the steps for each certificate in the chain.

In the example below, three certificates were extracted from Wireshark.

4. Open each file and verify the contents of the certificate chain.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.