To create your own **self-signed certificate**, you can use the `openssl` command-line tool. 
This process involves generating a **private key** and then creating a certificate signed by this key. Here’s a step-by-step guide:

---

### **Step 1: Install OpenSSL**
Ensure that OpenSSL is installed on your system. You can check by running:
```bash
openssl version
```
If it’s not installed, follow these steps:
- **Linux**: Use your package manager (e.g., `sudo apt install openssl` for Ubuntu).
- **Mac**: Install via Homebrew (`brew install openssl`).
- **Windows**: Download OpenSSL binaries from [Shining Light Productions](https://slproweb.com/products/Win32OpenSSL.html).

---

### **Step 2: Generate a Private Key**
Run the following command to generate a private key file (`private.key`):
```bash
openssl genrsa -out private.key 2048
```
- `2048` specifies the key size in bits. You can also use `4096` for a stronger key.
- The key file will look like this:
  ```
  -----BEGIN PRIVATE KEY-----
  (Base64-encoded data)
  -----END PRIVATE KEY-----
  ```
  
## public exponenet is often fixed which is used to create public key. which is e=65537

---

### **Step 3: Generate a Certificate Signing Request (CSR)**
You’ll be asked for information to include in the certificate (like your domain, organization name, etc.):
```bash
openssl req -new -key private.key -out certificate.csr
```
- Important fields:
  - **Common Name (CN)**: The domain name (e.g., `example.com`) or your name for personal use.
  - Leave optional fields blank if not applicable.

---

### **Step 4: Create the Self-Signed Certificate**
Generate the self-signed certificate using the private key and CSR:
```bash
openssl x509 -req -in certificate.csr -signkey private.key -out certificate.pem -days 365
```
- `-days 365`: Sets the validity period of the certificate (1 year in this case).
- The resulting `certificate.pem` file contains the self-signed certificate.

---

### **Step 5: Verify the Certificate**
To inspect the contents of the certificate, use:
```bash
openssl x509 -in certificate.pem -text -noout
```

---

### **Step 6 (Optional): Combine Key and Certificate into One File**
For convenience, you can create a single PEM file containing both the private key and certificate:
```bash
cat private.key certificate.pem > combined.pem
```

---

### **Example Use Case**
You can use the self-signed certificate to:
1. **Test HTTPS servers (locally)**: E.g., for development environments.
2. **Encrypt data for internal communication** (not public-facing).

---

### **Tips**
- **Browsers will show a warning** for self-signed certificates, as they aren’t trusted by default. This is expected and fine for development/testing purposes.
- For production use, always get a certificate from a trusted Certificate Authority (CA).

Let me know if you want a script for automating this process!

### Creating Self signed key

C:\Users\abdul\Downloads\self_sign>openssl genrsa -out private.key 2048



Generating RSA private key, 2048 bit long modulus (2 primes)
............................+++++
..................+++++

## e is 65537 (0x010001)

C:\Users\abdul\Downloads\self_sign>openssl req -new -key private.key -out certificate.csr



You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

C:\Users\abdul\Downloads\self_sign>openssl x509 -req -in certificate.csr -signkey private.key -out certificate.pem -days 365


Signature ok
subject=C = IN, ST = Some-State, O = Internet Widgits Pty Ltd
Getting Private key


To create a Flask server that uses a self-signed certificate, follow these steps:

### Step 1: Generate a Self-Signed Certificate and Private Key

You can use OpenSSL to generate a self-signed certificate and its corresponding private key.

Run the following commands to create a certificate (`server.crt`) and a private key (`server.key`):

```bash
openssl genpkey -algorithm RSA -out server.key -aes256
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -signkey server.key -out server.crt
```

Here’s what each command does:
- `openssl genpkey -algorithm RSA -out server.key -aes256`: Generates a private key encrypted with AES256.
- `openssl req -new -key server.key -out server.csr`: Creates a certificate signing request (CSR) from the private key.
- `openssl x509 -req -in server.csr -signkey server.key -out server.crt`: Creates a self-signed certificate from the CSR using the private key.

You’ll have two files:
- `server.crt`: The self-signed certificate.
- `server.key`: The private key.

### Step 2: Create a Flask Application

Now, let’s create a simple Flask application and configure it to use the self-signed certificate.

#### Install Flask

If you don’t have Flask installed, you can install it with pip:

```bash
pip install Flask
```

#### Create a Flask Application (`app.py`)

```python
from flask import Flask

app = Flask(__name__)

@app.route('/')
def hello():
    return "Hello, Secure World!"

if __name__ == '__main__':
    # Run the Flask app with the self-signed certificate
    app.run(ssl_context=('server.crt', 'server.key'), host='0.0.0.0', port=443)
```

### Explanation:
- `ssl_context=('server.crt', 'server.key')`: This argument is used to specify the SSL certificate and private key files. Flask uses this to secure the connection with HTTPS.
- `host='0.0.0.0'`: This allows the server to accept requests from any IP address.
- `port=443`: The default HTTPS port.

### Step 3: Run the Flask Server

After creating the `app.py` file, you can run the Flask server by executing:

```bash
python app.py
```

This will start a Flask server that listens on port 443 with HTTPS, using the self-signed certificate for encryption.

### Step 4: Access the Flask Server

Now, if you visit `https://localhost` (or the IP address of the server if you are running this on a remote machine), your browser may warn you that the certificate is not trusted because it is self-signed. You can safely ignore this warning for development purposes.

### Step 5: Trusting the Self-Signed Certificate (Optional)

If you want to avoid the warning in your browser, you can add the self-signed certificate to your system's trusted certificates store. The method to do this varies depending on your operating system (e.g., for macOS, you can add the certificate to Keychain Access; for Linux, you can add it to the system's trusted certificate store).

### Conclusion

You now have a Flask server running with HTTPS, using a self-signed certificate. This setup is useful for development or internal services, but for production environments, it is always recommended to use certificates signed by a trusted Certificate Authority (CA).

Certificates themselves are **not encrypted**; they are usually **base64 encoded** in the PEM format.

Here's a breakdown:

### Certificate Structure:
1. **Base64 Encoding**:
   - X.509 certificates (like the ones used in TLS) are typically encoded in **base64** format to make them easily printable and transferable in text form. This encoding converts the raw binary data of the certificate into ASCII characters, which makes it easier to store and share.
   
   - When you see a certificate in PEM format, it looks like this:
     ```
     -----BEGIN CERTIFICATE-----
     MIIDdzCCAl+gAwIBAgIEUo3N+zANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJV...
     -----END CERTIFICATE-----
     ```
   - The content between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` is **base64 encoded** binary data representing the certificate. This includes the certificate's information like the public key, issuer, subject, validity period, and signature.

2. **What Is In the Certificate**:
   - The certificate contains information about the **public key**, **identity**, and **signature** (from a trusted Certificate Authority).
   - It's **signed**, meaning a trusted CA has verified that the information in the certificate is correct (e.g., the public key belongs to the claimed organization), but the certificate itself is not encrypted.
   
3. **Encryption and Digital Signature**:
   - While certificates aren't encrypted, they may contain a **digital signature** that ensures the integrity and authenticity of the certificate. The signature is made using the **private key** of the CA (Certificate Authority) and can be verified using the **CA's public key**.
   - The public key in the certificate is used for tasks like encrypting data during a TLS handshake, but the certificate itself is not encrypted — it’s **signed**.

4. **How It’s Used**:
   - The certificate is used in a **TLS handshake** (or other protocols like SSL) to authenticate and establish secure communication. During the handshake, the client verifies the certificate’s signature using the public key of the CA, ensuring that the certificate is valid and issued by a trusted authority.

### Summary:
- **No encryption**: The certificate is not encrypted but **base64 encoded**.
- **Signed**: The certificate is signed by a CA to verify its authenticity and integrity.
- **Base64 encoding**: Makes it easier to store and transfer the certificate in a text format.

If you want to decode the certificate to view its contents, you can simply **base64 decode** it to retrieve the raw binary data, and then use tools like `cryptography` or `OpenSSL` to parse and examine the certificate's details.

## chrome://certificate-manager

go here to see all the certificates trusted by chrome

When dealing with self-signed certificates, the **key file** and the **PEM file** serve different purposes but are closely related. Here's a detailed explanation:

---

### **1. Key File (Private Key)**
- The **key file** contains the **private key**, which is a critical component of the certificate.
- The private key is used for cryptographic operations like signing data and decrypting information encrypted with the corresponding public key.
- It is highly sensitive and must be kept private (never shared or exposed).

#### Typical Format:
- The private key is stored in PEM format, beginning with:
  ```
  -----BEGIN PRIVATE KEY-----
  (Base64-encoded key)
  -----END PRIVATE KEY-----
  ```
- It can also be stored in a specific RSA format:
  ```
  -----BEGIN RSA PRIVATE KEY-----
  (Base64-encoded RSA key)
  -----END RSA PRIVATE KEY-----
  ```

---

### **2. PEM File (Public Certificate)**
- The **PEM file** contains the **public certificate**, which includes:
  - The public key (derived from the private key).
  - Metadata such as the subject, issuer, validity period, and extensions.
  - A signature, which is self-signed in the case of a self-signed certificate.
  
- This file can be shared publicly to allow others to verify the certificate's authenticity and encrypt data for the certificate holder.

#### Typical Format:
- The certificate is encoded in PEM format, beginning with:
  ```
  -----BEGIN CERTIFICATE-----
  (Base64-encoded certificate)
  -----END CERTIFICATE-----
  ```

---

### **Self-Signed Certificate: Relationship Between Key and PEM**
1. **Private Key (Key File):**
   - Generated first.
   - Used to create the self-signed certificate.

2. **Public Certificate (PEM File):**
   - Created by signing the certificate contents with the private key.
   - Contains the public key associated with the private key.

---

### **Key vs PEM File in Self-Signed Certificates**
| Aspect                  | Key File                             | PEM File                            |
|-------------------------|--------------------------------------|-------------------------------------|
| **Content**             | Private Key                         | Public Certificate (includes public key) |
| **Purpose**             | Signing, decrypting                 | Verifying, encrypting              |
| **Visibility**          | Private (never shared)              | Public (shared with others)        |
| **PEM Header**          | `-----BEGIN PRIVATE KEY-----`       | `-----BEGIN CERTIFICATE-----`      |

---

### **How to Create a Self-Signed Certificate**
1. Generate a private key:
   ```bash
   openssl genrsa -out private.key 2048
   ```

2. Generate a self-signed certificate (PEM file):
   ```bash
   openssl req -new -x509 -key private.key -out certificate.pem -days 365
   ```

---

### **Combined Key and Certificate (PEM)**
- Sometimes, both the private key and public certificate are stored in a single PEM file for convenience.
- The combined file looks like this:
  ```
  -----BEGIN PRIVATE KEY-----
  (Base64-encoded private key)
  -----END PRIVATE KEY-----
  -----BEGIN CERTIFICATE-----
  (Base64-encoded certificate)
  -----END CERTIFICATE-----
  ```

This format is often used in web servers to simplify configuration (e.g., Apache or Nginx).

---

Let me know if you need further details or help generating a self-signed certificate!

The operating system (OS) verifies the validity of a certificate through a process called **certificate validation**, which involves several steps. The OS (or more specifically, the application or library that is performing the TLS handshake, such as a browser or a server) uses a chain of trust to verify the certificate. Here's how the process works:

### Steps for Verifying a Certificate

1. **Chain of Trust**:
   - The certificate presented by the server (e.g., during the TLS handshake) is typically not directly trusted by the OS or application. Instead, the trust is established by following a **chain of trust**.
   - The chain starts with the **server certificate** (the one presented by the server), followed by one or more **intermediate certificates**, and ends with a **root certificate** that is trusted by the OS.
   - The OS comes with a set of **trusted root certificates** (e.g., from major Certificate Authorities like DigiCert, GlobalSign, etc.). These root certificates are pre-installed and trusted by default in the OS or browser.

2. **Certificate Path Validation**:
   - The OS or application verifies that the server's certificate is signed by an intermediate certificate, which is in turn signed by a trusted root certificate. This forms a chain.
   - The process involves checking that:
     - Each certificate in the chain is properly signed by the next certificate in the chain (e.g., the server certificate is signed by an intermediate certificate, and the intermediate certificate is signed by a root certificate).
     - The root certificate is found in the **trusted certificate store** of the OS or application.
   
3. **Signature Verification**:
   - For each certificate in the chain (from the server certificate upwards to the root certificate), the OS verifies the **digital signature**.
     - A digital signature is created using the private key of the signing entity (either the server, intermediate CA, or root CA).
     - The OS uses the **public key** of the signing entity (available from the next certificate in the chain) to verify the signature. This ensures the certificate has not been tampered with.
   
4. **Validity Period**:
   - The OS also checks the **validity period** of the certificate (from `Not Before` to `Not After`). If the current date is outside this range, the certificate is considered **expired** or **not yet valid**.
   
5. **Revocation Checking**:
   - The OS checks if the certificate or any intermediate certificates in the chain have been **revoked**. This is done by checking:
     - **Certificate Revocation Lists (CRLs)**: A list of certificates that have been revoked by the issuing CA.
     - **Online Certificate Status Protocol (OCSP)**: A protocol to query the CA in real time to check the status of a certificate.
   - If the certificate or an intermediate certificate has been revoked, the OS will consider the certificate invalid.

6. **Matching Hostname**:
   - Finally, the OS checks that the **hostname** (domain name) in the URL matches the **Common Name (CN)** or **Subject Alternative Name (SAN)** field in the certificate. This ensures that the certificate is actually issued for the domain that is being accessed.

### In Summary: The OS or Application Verifies the Certificate Using:
1. **Chain of Trust**: Ensuring that the server's certificate can be traced back to a trusted root certificate.
2. **Signature Verification**: Ensuring the certificate hasn't been tampered with.
3. **Validity Period**: Ensuring the certificate is within its valid time range.
4. **Revocation Checking**: Ensuring the certificate hasn’t been revoked.
5. **Matching Hostname**: Ensuring the certificate is valid for the domain you're accessing.

### Key Components:
- **Root Certificates**: Pre-installed and trusted by the OS or application.
- **Intermediate Certificates**: Issued by a trusted CA, and they bridge the trust between the root CA and server certificates.
- **Server Certificate**: The actual certificate used by the server during the TLS handshake.


The **digital signature** within a certificate plays a crucial role in establishing the authenticity and integrity of the certificate and its contents. Let's break it down in detail, including how it is used in **chaining the verification** in the context of a **Public Key Infrastructure (PKI)**.

### 1. **What is the Digital Signature in a Certificate?**

A digital signature in a certificate is a cryptographic mechanism used to ensure that the certificate's content is authentic and has not been tampered with. It is created by the **Certificate Authority (CA)** when issuing the certificate.

#### Process of creating the signature:

1. **Hashing the Certificate Data**:  
   The issuer (CA) begins by taking the relevant fields of the certificate, such as the subject name, issuer name, validity period, public key, and other certificate extensions. These fields are used to compute a cryptographic hash of the data, commonly using a hash algorithm like **SHA-256**.

2. **Signing the Hash**:  
   The hash of the certificate is then encrypted using the **private key** of the Certificate Authority (CA). This creates the **digital signature**. The digital signature is unique to both the certificate's contents and the CA’s private key.

   **Signature = Encrypt(Hash of certificate data) using CA's private key**

   This ensures that:
   - The certificate has not been altered (because any change would modify the hash).
   - Only the CA (which holds the private key) could have created this signature.

### 2. **What Happens During Verification?**

When a client (such as a web browser or operating system) receives the certificate, it needs to **verify** the certificate's signature to ensure that the certificate is legitimate and has not been tampered with.

#### Steps in the verification process:

1. **Hashing the Received Certificate Data**: 
   The client receives the certificate, which includes the signature. It then re-computes the hash of the certificate data (same fields the CA used, such as subject, issuer, public key, etc.). (hashing does not need a key)

2. **Decrypting the Signature**:  
   To verify the authenticity of the signature, the client uses the **public key of the CA** (which it trusts) to **decrypt** the signature. The decrypted signature should give the same hash value that the client computed in step 1.

   **Decrypted Signature = Decrypt(Signed Hash) using CA's public key**

3. **Comparison**:  
   If the decrypted hash matches the hash the client computed from the certificate's data, the signature is considered valid. This means:
   - The certificate’s content has not been modified.
   - The certificate was signed by the CA that holds the private key corresponding to the public key used to verify the signature.

4. **Trust Decision**:  
   If the certificate’s signature is valid, the client proceeds with trusting the certificate. If the verification fails (e.g., the signature doesn’t match, or the CA’s public key cannot be found or is untrusted), the certificate is considered invalid, and the connection is often blocked or an alert is raised.

### 3. **The Role of Chaining in Certificate Verification**

In most cases, certificates are **not directly signed by the root CA** but are signed by intermediate CAs. This leads to the concept of **certificate chains**, which help establish trust. The process of **chaining verification** ensures that the certificate was issued by a trusted CA, even if the certificate does not directly link to the root certificate.

#### How Chaining Works:

1. **Certificate Chain**:  
   A certificate chain consists of the following elements:
   - **End-entity certificate**: The certificate issued to the end user or server (e.g., a website’s SSL certificate).
   - **Intermediate certificates**: These are certificates issued by intermediate CAs. They serve as "links" between the end-entity certificate and the root certificate.
   - **Root certificate**: This is the self-signed certificate of the trusted root CA. The root certificate is generally stored in a pre-defined **trusted certificate store** (e.g., a browser’s list of trusted CAs).

2. **Chaining Process**:
   When a client receives a certificate, it needs to verify the entire chain of trust. The process is as follows:
   
   - The **end-entity certificate** is verified by checking its signature against the **intermediate CA’s public key** (which is either provided in the certificate chain or retrieved from the CA’s repository).
   - The **intermediate certificate** is verified by checking its signature against the **next intermediate CA's public key** (if applicable).
   - This process continues until the client reaches the **root certificate**, which is self-signed and stored in the trusted root certificate store on the client system.
   
3. **Why is Chaining Necessary?**
   - Intermediate CAs help distribute the trust, reducing the risk of a compromised root certificate.
   - The root certificate is typically not directly distributed, but instead, the intermediate certificates form the necessary chain to connect the leaf (end-entity) certificate to the root certificate.
   - The root certificate’s public key is pre-installed and trusted by clients (browsers, OS, etc.). Thus, as long as the certificate chain leads to a trusted root, the certificate is valid.

4. **Example of Chaining**:

   - **End-Entity Certificate** (e.g., for `www.example.com`)
   - **Intermediate Certificate 1** (signed by Intermediate CA 1)
   - **Intermediate Certificate 2** (signed by Intermediate CA 2)
   - **Root Certificate** (self-signed by the root CA)

   Each certificate in the chain is verified step-by-step using the public key of the CA that issued it, up until the root certificate is reached and validated.

#### Practical Chaining:
- In practice, when a server sends its certificate to a client (for example, during an HTTPS connection), it typically sends not only its own certificate but also any intermediate certificates required to form the full chain.
- The client will then attempt to validate the entire chain by using the public keys of intermediate certificates and, eventually, the trusted root certificate.


### Summary of Key Points:
- The **digital signature** ensures that the certificate has not been tampered with and was signed by the trusted CA using their private key.
- **Chaining** is necessary to establish a chain of trust, involving intermediate CAs and a root CA, which the client trusts.
- **Verification** of the certificate’s signature involves hashing the certificate’s data and decrypting the signature with the public key of the issuing CA.

 A server can send multiple certificates as part of its **certificate chain** during the TLS handshake. This chain consists of the server’s certificate, intermediate certificates, and possibly the root certificate, all of which are sent in a specific order to allow the client (such as a browser) to validate the server's certificate properly.

Here's how it works:

### 1. **Server's Certificate**:
   This is the certificate that identifies the server (e.g., the website’s domain name and public key). It is signed by an **intermediate CA** or directly by the **root CA**. The server certificate will contain:
   - Information about the server.
   - The public key of the server.
   - The signature from the CA that issued the certificate (which could be an intermediate CA or a root CA).

### 2. **Intermediate Certificates**:
   If the server’s certificate is not directly signed by a root CA, the server may also send **intermediate certificates** that link its certificate to the trusted root certificate. These certificates are signed by another CA (which is the issuer of the server’s certificate) and serve as intermediaries between the server’s certificate and the root certificate. 

   The intermediate certificates ensure that the certificate chain leads back to a trusted root CA.

### 3. **Root Certificate**:
   The **root certificate** is the trust anchor in the certificate chain. In most cases, it’s not necessary for the server to send the root certificate because the client (browser or operating system) already has a pre-installed list of trusted root certificates. However, in some cases, the server may send the root certificate too.

### Certificate Chain Example:
During a TLS handshake, the server might send a chain of certificates, which will look like this (in a **PEM format**):

```
-----BEGIN CERTIFICATE-----
[Server's certificate content]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate Certificate 1 content]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate Certificate 2 content]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Root Certificate content]
-----END CERTIFICATE-----
```

Each certificate is separated by the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines.

### TLS Handshake and Certificate Chain:
- **Server Sends Certificates**: During the TLS handshake, the server sends its certificate and any intermediate certificates necessary to establish the full certificate chain. 
- **Client Verifies Chain**: The client will verify the server's certificate by checking the validity of the entire chain (starting from the server certificate, through the intermediate certificates, and ultimately to the root certificate).
- **Validation**: The client will check that each certificate in the chain is properly signed by its issuer. The final validation occurs when the client reaches a **root certificate** that is trusted by the client (typically stored in the system or browser’s trusted certificate store).

This allows the client to ensure that the server is properly authenticated, even if the server’s certificate is signed by an intermediate CA rather than directly by a trusted root CA.

### Practical Example in a TLS Handshake:
1. The server sends its own certificate (the server’s identity) and any necessary intermediate certificates.
2. The client attempts to verify the chain by checking if the server's certificate is signed by one of the intermediate certificates.
3. The intermediate certificates are verified against higher intermediates (if applicable) until the root certificate is reached.
4. If the root certificate is found in the client’s trust store, the chain is valid, and the client can trust the server’s certificate. 

This method allows the use of intermediate CAs, making certificate management more flexible and secure by not relying on root certificates for every server certificate.

The `SHA256WithRSAEncryption` signature algorithm is a combination of two cryptographic techniques: **SHA-256 hashing** and **RSA encryption**. This is commonly used in digital certificates, such as X.509 certificates, to ensure data integrity and authenticity.

Let's break down each part:

### 1. **SHA-256 Hashing**
SHA-256 is a cryptographic hash function that generates a 256-bit (32-byte) hash value from input data. This hash is a unique representation of the data. Even a tiny change in the input will produce a completely different hash.

- **SHA-256** is used to create a digest (hash) of the certificate's data (or a message). This digest represents the contents of the certificate in a compressed form.
  
### 2. **RSA Encryption (with private key)**
RSA is an asymmetric encryption algorithm that uses a pair of keys: a **private key** and a **public key**.

- **Private Key**: This is used to encrypt the data (or, in this case, the hash).
- **Public Key**: This is used to decrypt the data (or hash) to verify that it was encrypted by the corresponding private key.

In the context of `SHA256WithRSAEncryption`, the **signing process** works as follows:

1. The issuer (the Certificate Authority, or CA) computes the SHA-256 hash of the certificate data.
2. The issuer **signs** the hash with its **private key**, using RSA encryption. This creates the **digital signature** attached to the certificate.

### Verification Process (Using Public Key)
When the client (or any party verifying the certificate) receives the signed certificate, it performs the following steps to verify it:

1. **Extract the certificate data** (excluding the signature).
2. **Compute the SHA-256 hash** of the certificate data (using the same SHA-256 hashing algorithm).
3. **Decrypt the digital signature** using the **CA's public key**. This will decrypt the signature to reveal the original hash value that the CA signed.
4. If the decrypted hash matches the hash computed from the certificate's data, the certificate is considered **valid** and **authentic**.

### Summary of Steps in `SHA256WithRSAEncryption`
1. **Hashing**: SHA-256 is applied to the certificate's data to create a fixed-size hash.
2. **Signing**: The CA signs the hash with its **private key** using RSA encryption. This is the **digital signature**.
3. **Verification**:
   - The recipient computes the SHA-256 hash of the certificate's data.
   - The recipient uses the **CA's public key** to decrypt the signature.
   - If the decrypted signature hash matches the computed hash, the certificate is verified.

### Why Use `SHA256WithRSAEncryption`?
- **SHA-256** ensures that even a minor change to the certificate data would result in a different hash, making it highly resistant to tampering.
- **RSA** provides a secure method for signing the hash, ensuring the authenticity of the certificate. Since RSA is asymmetric, anyone with the CA's public key can verify the signature, but only the CA's private key can generate it.

This combination is widely used for securing communications in protocols like HTTPS, where server certificates are signed using this method to ensure that the server's identity is authentic and that the data hasn't been tampered with.

In a typical TLS handshake, the client and server use the public and private keys in a way that ensures secure communication, but not in the way you’ve described. Here's how the key exchange typically works:

### Overview of Public and Private Key Usage in SSL/TLS:
1. **Public Key Encryption and Private Key Decryption**:
   - In general, the **public key** is used to **encrypt** data, and the **private key** is used to **decrypt** data.
   - However, during a typical TLS handshake, **public key encryption is used for key exchange** rather than encrypting the main data flow (after the handshake).

### How It Works in TLS:

#### Step 1: **Server Sends Certificate**
- The server sends its **certificate** (which contains the server's **public key**) to the client.
  
#### Step 2: **Client Verifies the Certificate**
- The client verifies the certificate (signed by a trusted Certificate Authority, CA) to ensure the server is legitimate. This involves checking the **signature** of the certificate (created using the server's **private key**).
  
#### Step 3: **Public Key Used for Key Exchange**
- After the client verifies the server's certificate, the client uses the **server's public key** (extracted from the certificate) to **encrypt a pre-master secret** (a piece of random data).
- The encrypted pre-master secret is sent to the server.

#### Step 4: **Server Uses Private Key to Decrypt**
- The server, which has the **private key** corresponding to the **public key** in the certificate, uses its **private key** to **decrypt the pre-master secret**.

#### Step 5: **Session Key Creation**
- Both the client and server use the decrypted pre-master secret along with some additional data (like random values) to independently generate the **session key** for the encrypted data transfer.

#### Step 6: **Symmetric Encryption for Data Transfer**
- Once the session key is established, both the client and server use it for **symmetric encryption** (both parties use the same session key for encrypting and decrypting the data). This is much faster than using public-key encryption for all data transmission.

### In Summary:
- **Client** uses the server's **public key** to encrypt the **pre-master secret**.
- **Server** uses its **private key** to decrypt the **pre-master secret**.
- After the handshake, both use a **shared session key** (established during the handshake) for encrypting and decrypting the actual data transmitted during the session.

So, to clarify:
- **Public Key** is used for encryption during the handshake (by the client).
- **Private Key** is used for decryption during the handshake (by the server).

Yes, you're correct! To enable SSL verification when making HTTP requests using Python's `requests` library, you need to:

1. **Obtain the Root CA certificate** of the server. This is the certificate used to verify the server's SSL certificate. It's typically available from the server's documentation or can be downloaded from the certificate authority's (CA) website.

2. **Use the certificate with the `verify` parameter** in the `requests` library.

Here's how you can do this:

### **Steps to Enable SSL Verification:**

#### 1. **Obtain the Root CA Certificate**
You can download the Root CA certificate file (usually with `.pem`, `.crt`, or `.der` extensions). This certificate file contains the public key of the Certificate Authority (CA) that signed the server’s SSL certificate.

#### 2. **Use the Root CA Certificate in `requests`**
Once you have the CA certificate file, you can pass it to the `verify` parameter in `requests.get()`, `requests.post()`, or any other request method to enable SSL verification.

Here is an example:

```python
import requests

# Path to the root CA certificate file
ca_cert_path = '/path/to/your/root_ca_certificate.pem'

# Making an HTTPS request with SSL verification enabled
response = requests.get('https://example.com', verify=ca_cert_path)

print(response.status_code)
print(response.text)
```

#### **Explanation:**
- `verify`: The `verify` parameter tells `requests` to verify the SSL certificate of the server. 
  - If you provide a **path to a CA certificate** (`root_ca_certificate.pem`), `requests` will use that certificate to verify the server's certificate.
  - If `verify` is set to `True` (default), `requests` will use the system’s CA certificates.
  - If `verify` is set to `False`, SSL verification is disabled, which should only be used for debugging and not in production (as it poses a security risk).

#### 3. **Check SSL Verification Errors**
If the server's certificate cannot be verified against the provided CA certificate (or system CA certificates), you will get an error like:

```
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate
```

To avoid errors:
- Make sure the **correct CA certificate** is being used.
- The certificate should not be expired or self-signed unless it is trusted in your environment.

### **Disabling SSL Verification (for Testing)**
If you want to disable SSL verification (not recommended for production), you can set `verify=False`. However, this makes the connection insecure and vulnerable to man-in-the-middle attacks.

```python
response = requests.get('https://example.com', verify=False)
```

### **Conclusion:**
- To enable SSL verification, provide the **root CA certificate** to the `verify` parameter.
- This ensures the server's certificate is verified to be legitimate and signed by a trusted certificate authority.

Yes, exactly! Here's a breakdown of how `cert` and `verify` work in the context of TLS (Transport Layer Security) with the `requests` library:

### 1. **`cert` Parameter** – Client Authentication:
- **Purpose**: The `cert` parameter is used to provide the **client certificate** (and optionally the private key) to authenticate the **client** to the server.
- **Use case**: This is typically used in **mutual TLS (mTLS)**, where both the client and server authenticate each other. The client sends its certificate to the server during the handshake, and the server checks if it trusts the certificate.
- **Example**:
  ```python
  response = requests.get(url, cert=('/path/to/client_cert.pem', '/path/to/client_key.pem'))
  ```
  In this case:
  - The client will authenticate itself to the server using the certificate at `/path/to/client_cert.pem` and the corresponding private key at `/path/to/client_key.pem`.
  - This is useful in systems where the server expects clients to provide a valid certificate for authentication.

### 2. **`verify` Parameter** – Server Certificate Authentication:
- **Purpose**: The `verify` parameter is used to control whether or not the server’s **certificate** is verified against a trusted set of **certificate authorities (CAs)**.
  - When `verify` is set to `True` (default), the `requests` library uses the system's trusted CA certificates to validate the server's certificate.
  - When `verify` is set to a path (e.g., a file containing custom CAs), it will use that CA bundle to validate the server's certificate.
  - If `verify=False` is specified, the server's certificate **will not be validated**, which is generally insecure.
  
- **Use case**: This is used to authenticate the **server** and ensure that the client is communicating with a trusted server. If the server's certificate is not trusted, the connection will fail.
- **Example**:
  ```python
  response = requests.get(url, verify='/path/to/custom_ca_bundle.pem')
  ```
  In this case:
  - The server’s certificate is verified against the CAs in `/path/to/custom_ca_bundle.pem`. If the server’s certificate is signed by a trusted CA in that bundle, the connection is established.
  
  Alternatively, if you don't specify `verify`, it will use the default trusted CA certificates available on your system:
  ```python
  response = requests.get(url, verify=True)  # Verifies with the default CA bundle
  ```

### **Summary**:
- **`cert`**: Used for **client authentication** to authenticate the client to the server (you provide the client's certificate and optionally its private key).
- **`verify`**: Used for **server authentication** to ensure the server's certificate is valid and signed by a trusted certificate authority (CA).

By using these two parameters together, you can ensure both **client and server** are properly authenticated during the TLS handshake.

Yes, if the PEM file you are using for server verification expires (such as when it contains expired certificates or the root certificate authority’s certificate has expired), your code can potentially fail because the server's certificate will no longer be considered valid by the client.

When a certificate expires, the server's certificate chain is no longer trusted, leading to errors in the TLS handshake. Specifically, the following can happen:

### 1. **Certificate Expiration:**
   - If a certificate in the certificate chain (e.g., the server certificate, an intermediate certificate, or the root certificate) expires, the server’s certificate will fail the verification.
   - The verification process will not be able to trust the server’s certificate, and an SSL error will occur.

### 2. **Error Example:**
   You will likely encounter an SSL/TLS verification error such as:
   ```
   requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:1123)
   ```
   This indicates that the certificate verification failed due to an expired certificate.

### How to Prevent This:
To prevent this issue, you should manage your PEM file (or any CA bundle) proactively:

#### 1. **Regularly Update the PEM File:**
   - Ensure that the PEM file contains up-to-date and valid certificates. If you are using custom or self-signed certificates, you should monitor their expiration dates and update the PEM file when necessary.
   - If you're using a trusted CA bundle, check for updates or renewals from the certificate authority.

#### 2. **Automate Certificate Management:**
   - You can automate certificate management by integrating with a certificate management tool (e.g., **Let's Encrypt** for automatically renewing certificates) or implementing a process to periodically check and renew certificates.
   - For example, a script can run periodically to check the expiration dates of certificates and update your PEM file accordingly.

#### 3. **Monitor Certificate Expiry:**
   - Use monitoring tools to alert you when a certificate is nearing expiration, so you can renew it in time.
   - Set up reminders or automate the renewal of certificates (for example, via **ACME** protocol for Let's Encrypt).

#### 4. **Graceful Handling of Errors:**
   - Implement error handling in your code to catch SSL errors gracefully, so the application can react appropriately when the verification fails. For example, you can retry the connection with a fallback mechanism or notify the administrator of the certificate expiration.

### Conclusion:
To avoid server authentication failures due to an expired PEM file or certificate, it's important to actively manage and monitor certificate validity, update them as needed, and incorporate error handling for SSL verification failures in your code.

In [1]:
import ssl
import socket
from cryptography import x509
from cryptography.hazmat.backends import default_backend

ModuleNotFoundError: No module named 'cryptography'

In [3]:
def get_cert_from_url(url):
    # Get the host from the URL
    host = url.split('/')[2]
    
    # Establish a connection and get the certificate
    context = ssl.create_default_context()
    with socket.create_connection((host, 443)) as conn:
        with context.wrap_socket(conn, server_hostname=host) as secure_conn:
            cert_bin = secure_conn.getpeercert(True)
    
    return ssl.DER_cert_to_PEM_cert(cert_bin)

url = "https://letsencrypt.org/getting-started/"
certificate = get_cert_from_url(url)
print(type(certificate))
certificate

certificate = """
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
"""

<class 'str'>


In [4]:
certificate_decrypted = x509.load_pem_x509_certificate(certificate.encode(), default_backend())

details = {}
details['subject'] = certificate_decrypted.subject
details['issuer'] = certificate_decrypted.issuer
details['serial_number'] = certificate_decrypted.serial_number
details['not_valid_before'] = certificate_decrypted.not_valid_before
details['not_valid_after'] = certificate_decrypted.not_valid_after
details['version'] = certificate_decrypted.version
details['public_key'] = certificate_decrypted.public_key()

details['signature_algorithm'] = certificate_decrypted.signature_algorithm_oid
details["signature"]  = certificate_decrypted.signature.hex()

details

{'subject': <Name(C=US,O=Internet Security Research Group,CN=ISRG Root X1)>,
 'issuer': <Name(C=US,O=Internet Security Research Group,CN=ISRG Root X1)>,
 'serial_number': 172886928669790476064670243504169061120,
 'not_valid_before': datetime.datetime(2015, 6, 4, 11, 4, 38),
 'not_valid_after': datetime.datetime(2035, 6, 4, 11, 4, 38),
 'version': <Version.v3: 2>,
 'public_key': <cryptography.hazmat.backends.openssl.rsa._RSAPublicKey at 0x2039777a340>,
 'signature_algorithm': <ObjectIdentifier(oid=1.2.840.113549.1.1.11, name=sha256WithRSAEncryption)>,
 'signature': '551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6c

The output you've received corresponds to the details of an X.509 certificate, specifically the **issuer**, **subject**, **validity period**, and **public key** information. Here's what each field means:

1. **Issuer:**
   - This represents the entity that issued (signed) the certificate. In this case:
     - **C=US**: Country is the United States.
     - **O=DigiCert Inc**: The organization is DigiCert Inc.
     - **CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1**: The common name (CN) of the issuing certificate authority (CA) is "DigiCert Global G2 TLS RSA SHA256 2020 CA1".

2. **Subject:**
   - This represents the entity that the certificate is issued to, usually the domain or the organization. In this case:
     - **C=US**: Country is the United States.
     - **ST=California**: State is California.
     - **L=San Francisco**: Location is San Francisco.
     - **O=Twitter, Inc.**: The organization is Twitter, Inc.
     - **CN=*.twitter.com**: The common name (CN) is "*.twitter.com", which means this certificate is for all subdomains of twitter.com (wildcard certificate).

3. **Not Before and Not After:**
   - These fields define the **validity period** of the certificate:
     - **Not Before: 2024-10-02 00:00:00**: The certificate is valid from October 2, 2024.
     - **Not After: 2025-10-01 23:59:59**: The certificate is valid until October 1, 2025.

4. **Public Key:**
   - The certificate contains the **public key** associated with the entity (Twitter, in this case). This key is used for encrypting data that can only be decrypted by the corresponding private key held by Twitter.
   - In your output, it's shown as a Python object representing the **RSA public key** (`cryptography.hazmat.backends.openssl.rsa._RSAPublicKey`).

### How does the decryption work?

The certificate itself isn’t directly decrypted in the way you might decrypt an encrypted message. Instead:

1. The **public key** in the certificate is used in a process called **asymmetric encryption**. You use the public key to encrypt data (e.g., during the TLS handshake).
2. The **private key** corresponding to this public key, which is held by the server (Twitter, in this case), is used to decrypt the data.
3. The certificate is also part of the **SSL/TLS handshake** process, where the client verifies that the server's public key is indeed trusted by a **trusted Certificate Authority (CA)**. This is where the chain of trust comes in:
   - The client will verify the certificate by checking if the issuing CA is trusted (it will use the CA's public key, which is included in the client's trusted root store).
   - If the server’s certificate is signed by a trusted CA, the client can establish a secure connection.

**CA certificates** (whether root or intermediate) also follow the same format as other X.509 certificates and will be represented as:

```
-----BEGIN CERTIFICATE-----
[Base64 Encoded Data]
-----END CERTIFICATE-----
```

This is the **PEM** format for certificates, and it is used for storing and transmitting the certificate data in a human-readable form. Inside the `BEGIN CERTIFICATE` and `END CERTIFICATE` markers, the certificate data is encoded in **Base64**. 

### Explanation of the Structure:
- **BEGIN CERTIFICATE**: Indicates the start of the certificate data.
- **END CERTIFICATE**: Indicates the end of the certificate data.
- The Base64 encoded data between these markers represents the actual certificate content, including the public key, issuer, subject, validity period, and other metadata.

For example, a CA certificate might look like this:

```
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIJAPV3msGRgT1BMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
BAYTAlVTMQswCQYDVQQIEwJjYTESMBAGA1UEBxMJTm9ydGggVG93bmxhMRIwEAYD
VQQKEwlNeSBDb21wYW55LCBJbmMwHhcNMjExMDE0MDAwMDAwWhcNMjIwMDEzMTIz
NTk1WjAkMSIwIAYDVQQDExlNaW5lIFN0b3J5IFB1YmxpYyBGb3JtLCBDby4xLXN0
dHJ5Q2VydGlmaWNhdGUwggkAps/ylSy5rT7bsbhm1BldL1imYbFkWQjXTGy2gMGz
dX2tD2osrg+gLP9lGw+L4hvL9zD0jdx9DFgDghbX3U6uCkqU1gHiPkcLPubjwOP
lZG0l9QYOZtbTX78kD+mJFnSMo6Cj9dG61Y00LDOTZgW5gEqOjGRpG4zDg2QF5W9
V6dPRZYt6CU8fE34lg1lo+zVQ0=
-----END CERTIFICATE-----
```

### Summary:
- **CA certificates** are encoded in PEM format.
- They will have the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` markers.
- The content between those markers is Base64 encoded and contains the actual certificate data, which can be decoded to extract the public key, validity dates, issuer, subject, and other information.

These certificates, when validated, are part of a **certificate chain** that leads to a trusted root certificate, ensuring the authenticity of the server's identity in HTTPS communication.

A **CA certificate** (Certificate Authority certificate) is not necessarily a "self-issued" certificate in the same sense as a self-signed certificate, but the terminology can be confusing. Here's a breakdown of the concepts:

### 1. **Self-Signed Certificate**
A self-signed certificate is one where the issuer and the subject are the same. This means the certificate is signed by the same entity that it certifies. It’s typically used in situations where trust isn't externally verified or needed (e.g., testing environments or internal systems). It doesn't involve a trusted third-party CA.

Example:
- A company might generate a self-signed certificate for its internal web server, where it doesn't need to rely on any external authorities.

### 2. **CA Certificate (Certificate Authority Certificate)**
A **CA certificate** is a certificate that belongs to a Certificate Authority. The CA is a trusted third party that issues digital certificates to verify the identity of organizations or individuals. 

There are two types of CA certificates:
- **Root CA Certificate**: This is the certificate of a trusted Certificate Authority that is self-signed. It is at the top of the certificate chain and is used to sign other certificates (like intermediate CA certificates). Root CA certificates are typically pre-installed in operating systems and browsers as part of the list of trusted root authorities.
- **Intermediate CA Certificate**: This certificate is issued by a root CA (or another intermediate CA) and is used to sign end-entity (server or client) certificates. The intermediate certificate forms part of the chain of trust between the server certificate and the root CA certificate. 

So, **Root CA certificates** are technically self-signed, but **Intermediate CA certificates** are signed by a root or another intermediate CA.

### Key Differences:
- **Self-Signed Certificate**: Signed by the entity that it certifies. It's not issued by a trusted third party.
- **CA Certificate**: This can be a self-signed root certificate or an intermediate certificate issued by another CA. The root CA certificate is trusted by clients and devices, and intermediate CA certificates help establish a chain of trust from the root certificate to the end-entity certificate (e.g., a website SSL certificate).

### Example of the CA Chain:
- **Root CA Certificate** (self-signed)
  - **Intermediate CA Certificate** (signed by the Root CA)
    - **Server Certificate** (signed by the Intermediate CA)

When a client (like a browser) connects to a server, it verifies the server's certificate by checking the certificate chain and ensuring that it's trusted through the root CA certificate.

### In summary:
- **Root CA certificates** are self-signed, but **CA certificates** in general (especially intermediate certificates) are not self-signed; they are signed by a trusted root or intermediate CA.


During the TLS handshake, the **application** (or more specifically, the TLS library) tells the **operating system** (or the TLS library itself) which **PEM/CRT file** to use for its **certificate** and **private key**. The process typically involves the application providing the path to the certificate and private key files during the TLS server configuration. This happens before the actual TLS handshake starts.

### How it works:

1. **Certificate and Private Key Files**: The server needs to provide its certificate (in PEM/CRT format) and private key to establish a secure connection. These files are typically stored in the server's filesystem.

2. **Application Configuration**: The application (e.g., a web server like **Nginx**, **Apache**, or a TLS library like **OpenSSL**) is configured to point to the specific certificate and private key files.

    - For example, in **OpenSSL**, the application provides the file paths via API calls when setting up a secure server:
      ```python
      context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
      context.load_cert_chain(certfile='server.crt', keyfile='server.key')
      ```

    - In **Nginx**, you would specify the path to the server certificate and key in the configuration file:
      ```
      server {
          listen 443 ssl;
          ssl_certificate /path/to/server.crt;
          ssl_certificate_key /path/to/server.key;
      }
      ```

3. **TLS Handshake**:
    - During the handshake, when a client connects, the server presents its certificate (which contains the server's public key and other details) to the client.
    - The client will validate the server's certificate, check the issuer, and ensure it is trusted.
    - If everything checks out, the secure connection is established.

### Summary:
- **The application** provides the **certificate (PEM/CRT)** and **private key** files to the TLS library (which is part of the OS or application environment).
- **The TLS library** (such as OpenSSL or the OS's SSL/TLS implementation) handles the handshake and uses the provided files for encryption/decryption.

In [29]:
import certifi
from cryptography.hazmat.backends import default_backend
from cryptography import x509

def get_trusted_cas():
    # Get the path to the CA certificates bundle
    ca_cert_path = certifi.where()
    # ca_cert_path = r"C:\Users\abdul\Downloads\_.google.com"
    print(ca_cert_path)

    # Load all the CA certificates from the bundle
    with open(ca_cert_path, 'rb') as f:
        cert_data = f.read()

    # Load the certificates using cryptography
    certs = []
    try:
        # Parse all certificates in the bundle
        certs = x509.load_pem_x509_certificate(cert_data, default_backend())
    except ValueError as e:
        print(f"Error loading certificate: {e}")
    
    return certs

def display_cert_details(certs):
    if not isinstance(certs, list):
        certs = [certs] 
    for cert in certs:
        print(f"Issuer: {cert.issuer}")
        print(f"Subject: {cert.subject}")
        print(f"Not Before: {cert.not_valid_before}")
        print(f"Not After: {cert.not_valid_after}")
        print("====================================")

# Fetch the list of trusted CAs
trusted_cas = get_trusted_cas()

# Display the details of each trusted CA certificate
display_cert_details(trusted_cas)

C:\Users\abdul\Downloads\_.google.com
Issuer: <Name(C=US,O=Google Trust Services,CN=WR2)>
Subject: <Name(CN=*.google.com)>
Not Before: 2024-12-02 08:35:57
Not After: 2025-02-24 08:35:56


To retrieve the PEM file used by your Windows operating system, you'll typically need to access the Windows Certificate Store. The operating system does not directly use PEM files for its internal certificates; instead, it stores certificates in a native format like **PFX** or **P12**. However, it is possible to export these certificates from the store into PEM format using tools like `certutil`, `PowerShell`, or through programmatically accessing the Windows Certificate Store with Python.

### Method 1: Using `certutil` Command Line Tool

1. **Export certificates to PEM using `certutil`:**
   You can use the `certutil` tool available on Windows to export certificates from your certificate store to a PEM file.

   Steps:
   1. Open Command Prompt with administrative privileges.
   2. Run the following command to list all certificates in the "Personal" store (`MY`):

      ```bash
      certutil -store MY
      ```

   3. Locate the certificate you want to export (by Thumbprint or Friendly Name).
   4. Export the certificate to a PEM file:

      ```bash
      certutil -exportPFX -store MY "Thumbprint" C:\path\to\certificate.pfx
      ```

   5. Convert the `.pfx` file to `.pem`:

      ```bash
      openssl pkcs12 -in C:\path\to\certificate.pfx -out C:\path\to\certificate.pem -nodes
      ```

### Method 2: Using PowerShell

PowerShell provides a method to export certificates from the store. Below is a script to export a certificate to PEM format.

```powershell
# Open PowerShell with administrative privileges
# Fetch certificates from the personal store

$certStore = Get-ChildItem -Path Cert:\CurrentUser\My

# Export the first certificate to PEM
$cert = $certStore[0]  # Get the first certificate (change this index for a different certificate)

# Export the certificate to a file
$cert.Export("CertPem") | Set-Content -Path "C:\path\to\certificate.pem" -Encoding utf8
```

### Method 3: Using Python with `pywin32`

To programmatically retrieve the certificates from the Windows Certificate Store and export them to PEM format using Python, the `pywin32` package allows you to access the Windows Certificate Store.

1. **Install the `pywin32` library** if not installed:

   ```bash
   pip install pywin32
   ```

2. **Python script to export the certificate to PEM:**

```python
import win32com.client
import OpenSSL.crypto

# Initialize the certificate store
store = win32com.client.Dispatch("CAPICOM.Store")
store.Open(2, "MY", 0)  # "MY" refers to the Personal store

# Fetch certificates from the store
certificates = store.Certificates
cert_info = certificates.Item(1)  # Get the first certificate (adjust as needed)

# Get certificate in PEM format
cert_data = cert_info.Export(0)  # 0 means exporting in X.509 format (PEM)

# Save to a file
with open("certificate.pem", "wb") as f:
    f.write(cert_data)

store.Close()
```

### Method 4: Manually Exporting Certificates Using the Certificate Manager (MMC)

1. Press `Windows + R`, type `mmc`, and press Enter.
2. In the MMC console, go to **File** → **Add/Remove Snap-in**.
3. Add the **Certificates** snap-in and choose **My User Account** or **Computer Account**.
4. Navigate to **Personal** → **Certificates**.
5. Right-click on the certificate you want to export, select **All Tasks** → **Export**.
6. Choose **No, do not export the private key**.
7. Select **DER encoded binary X.509 (.CER)** and then export it.

You can convert this `.CER` file to PEM format using `openssl`:

```bash
openssl x509 -inform DER -in certificate.cer -out certificate.pem
```

### Summary:

- **Method 1** (`certutil`): Directly export certificates using command line utilities.
- **Method 2** (PowerShell): Use PowerShell to export certificates.
- **Method 3** (Python): Use the `pywin32` library to programmatically fetch certificates.
- **Method 4** (MMC): Manually export certificates via the Microsoft Management Console (MMC).

Each of these methods will allow you to fetch and convert certificates into PEM format. Let me know if you need more help with any specific method!

## RSA

RSA (Rivest-Shamir-Adleman) is a widely used asymmetric encryption algorithm that relies on the mathematical properties of prime numbers and modular arithmetic. Here's a detailed explanation of the RSA algorithm, including its key generation, encryption, and decryption steps, all explained mathematically.

### **1. Key Generation**
The first step in the RSA algorithm is generating the public and private keys. This process involves selecting two large prime numbers and performing a series of mathematical operations to derive the public and private keys.

#### Step 1: Select Two Large Prime Numbers
- Choose two large prime numbers, \( p \) and \( q \). These numbers should be kept secret.
  
#### Step 2: Compute the Modulus \( n \)
- Compute \( n \), the modulus, as the product of \( p \) and \( q \):
  
  \[
  n = p \times q
  \]
  
  The modulus \( n \) is used for both the public and private keys. The size of \( n \) determines the key length (usually in bits, like 2048 bits).

#### Step 3: Compute Euler's Totient Function \( \phi(n) \)
- Compute Euler's totient function \( \phi(n) \), which is the number of integers less than \( n \) that are coprime (i.e., their greatest common divisor is 1) with \( n \). For \( n = p \times q \), \( \phi(n) \) is calculated as:
  
  \[
  \phi(n) = (p - 1) \times (q - 1)
  \]
  
  This value is important for calculating the private key.

#### Step 4: Choose the Public Exponent \( e \)
- Choose an integer \( e \) (public exponent) such that \( 1 < e < \phi(n) \) and \( \gcd(e, \phi(n)) = 1 \). This means \( e \) should be coprime with \( \phi(n) \) (i.e., the greatest common divisor of \( e \) and \( \phi(n) \) should be 1).
- Common values for \( e \) are small numbers like 3 or 65537, as they make the encryption process efficient.

#### Step 5: Compute the Private Exponent \( d \)
- The private exponent \( d \) is the modular multiplicative inverse of \( e \) modulo \( \phi(n) \). This means \( d \) satisfies the following equation:
  
  \[
  d \times e \equiv 1 \ (\text{mod} \ \phi(n))
  \]
  
  In other words, \( d \) is the number that, when multiplied by \( e \), gives a remainder of 1 when divided by \( \phi(n) \).

  This can be computed using the Extended Euclidean Algorithm.

#### Step 6: Public and Private Key Pair
- The public key consists of \( (e, n) \).
- The private key consists of \( (d, n) \).

The public key is shared with everyone, while the private key is kept secret.

---

### **2. Encryption**
Once the keys are generated, the encryption process is used to convert plaintext into ciphertext, which can only be decrypted using the private key.

#### Step 1: Convert the Plaintext Message to an Integer
- Let \( M \) be the plaintext message that needs to be encrypted. If the message is in text, it is first converted to an integer using a reversible encoding scheme (such as ASCII encoding).
  
#### Step 2: Apply the Public Key for Encryption
- The encryption is done using the public key \( (e, n) \) and the following formula:
  
  \[
  C = M^e \ (\text{mod} \ n)
  \]
  
  Where:
  - \( C \) is the ciphertext (the encrypted message).
  - \( M \) is the plaintext message as an integer.
  - \( e \) is the public exponent.
  - \( n \) is the modulus.

The ciphertext \( C \) can now be sent over insecure channels.

---

### **3. Decryption**
The decryption process allows the receiver to recover the original plaintext message using the private key.

#### Step 1: Apply the Private Key for Decryption
- The ciphertext \( C \) is decrypted using the private key \( (d, n) \) and the following formula:
  
  \[
  M = C^d \ (\text{mod} \ n)
  \]
  
  Where:
  - \( M \) is the decrypted plaintext message.
  - \( C \) is the ciphertext.
  - \( d \) is the private exponent.
  - \( n \) is the modulus.

Since \( (e \times d) \equiv 1 \ (\text{mod} \ \phi(n)) \), the equation ensures that the original message \( M \) is recovered after decryption.

---

### **4. Example (Mathematical Walkthrough)**

#### Key Generation (Simplified Example)

1. Choose two primes \( p = 61 \) and \( q = 53 \).
2. Compute the modulus \( n = p \times q = 61 \times 53 = 3233 \).
3. Compute \( \phi(n) = (p-1)(q-1) = 60 \times 52 = 3120 \).
4. Choose \( e = 17 \) (commonly used and \( \gcd(17, 3120) = 1 \)).
5. Compute \( d \) such that \( d \times 17 \equiv 1 \ (\text{mod} \ 3120) \). Using the Extended Euclidean Algorithm, we find \( d = 2753 \).

So, the public key is \( (e = 17, n = 3233) \) and the private key is \( (d = 2753, n = 3233) \).

#### Encryption Example

1. Convert the plaintext message \( M = 123 \) (e.g., the ASCII code for "C").
2. Encrypt the message using the public key \( (e = 17, n = 3233) \):
   
   \[
   C = 123^{17} \ (\text{mod} \ 3233) = 855
   \]
   
   So, the ciphertext is \( C = 855 \).

#### Decryption Example

1. Decrypt the ciphertext \( C = 855 \) using the private key \( (d = 2753, n = 3233) \):
   
   \[
   M = 855^{2753} \ (\text{mod} \ 3233) = 123
   \]
   
   After decryption, the original message \( M = 123 \) is recovered, which corresponds to the letter "C".

---

### **Key Properties and Security of RSA**

1. **Asymmetry**: RSA uses a pair of keys — one public and one private — that are mathematically related but difficult to derive from each other. The private key cannot be easily computed from the public key.
   
2. **Factorization**: The security of RSA relies on the difficulty of factoring large numbers. The modulus \( n \) is the product of two large primes, and factoring this number is computationally infeasible for sufficiently large primes.

3. **Private Key Security**: The private key \( d \) must remain secret to ensure that only the holder of the private key can decrypt messages.

4. **Public Key Distribution**: The public key \( (e, n) \) can be shared freely and used by anyone to encrypt messages intended for the private key holder.

---


Yes, private keys are typically **Base64 encoded** in files (such as `.pem` or `.key` files) for easier storage and transmission. In RSA, the private key consists of several key components, including \(d\) (the private exponent) and \(n\) (the modulus). To create an RSA private key file from just these components, follow these steps:

### 1. **Structure of the RSA Private Key**
An RSA private key consists of several components:

- **Modulus** \(n\)
- **Private Exponent** \(d\)
- **Public Exponent** \(e\) (typically 65537)
- **Prime Factors** \(p\) and \(q\) (these are not mandatory in the standard key representation but can be included for faster decryption operations)
- **CRT Coefficients**: Additional information used for faster decryption, including \(dp = d \mod (p-1)\), \(dq = d \mod (q-1)\), and the **inverse of q modulo p** \(qinv\).

However, **if you're manually constructing a key file** and only have the values \(d\) and \(n\), we can skip the CRT components and public exponent.

### 2. **Constructing the RSA Private Key Format**

RSA private keys in PEM format are typically stored in a structure defined by **ASN.1** (Abstract Syntax Notation One), which is a standard encoding for data structures. The private key in PEM format is encoded using **DER (Distinguished Encoding Rules)** format, then wrapped with a **Base64 encoding**.

The structure of an RSA private key in ASN.1 is:

```plaintext
SEQUENCE {
    INTEGER  (version)
    INTEGER  (n)        -- Modulus
    INTEGER  (e)        -- Public Exponent (often 65537)
    INTEGER  (d)        -- Private Exponent
    INTEGER  (p)        -- Prime p
    INTEGER  (q)        -- Prime q
    INTEGER  (dp)       -- d mod (p-1)
    INTEGER  (dq)       -- d mod (q-1)
    INTEGER  (qinv)     -- q^-1 mod p
}
```

If you only have **\(d\)** and **\(n\)**, the structure will be simplified.

### 3. **Generating the RSA Private Key File**

Let's break down how to construct an RSA private key from the given values:

#### 3.1. **Create the ASN.1 Structure**

1. **Version**: A standard version field is typically `0x00` for the version.
2. **Modulus \(n\)**: Your modulus value.
3. **Public Exponent \(e\)**: This is usually `65537` for RSA.
4. **Private Exponent \(d\)**: The private key exponent.
5. **Prime Factors \(p\) and \(q\)**: If not available, these can be omitted or set to null in the basic case.
6. **CRT Coefficients**: Similar to \(p\) and \(q\), if not available, they are omitted.

#### 3.2. **Encoding the Key**

Once the structure is constructed, it needs to be encoded in **DER format** (binary encoding of ASN.1) and then **Base64** encoded.

You can use **PyCryptodome** (or similar libraries) in Python to help create this DER-encoded file.

### Example Steps:

#### 3.3. **Using PyCryptodome to Create the Private Key**

Here’s how you can generate the private key in Python using `PyCryptodome`:

1. **Install the library** if you don’t have it already:
   ```bash
   pip install pycryptodome
   ```

2. **Python Code** to generate the private key file:
   ```python
   from Crypto.PublicKey import RSA
   from Crypto.Random import get_random_bytes
   from Crypto.Cipher import PKCS1_OAEP
   import base64

   # You need to have d and n to generate the private key
   d = 1234567890123456789012345678901234567890123456789012345678901234  # Replace with your 'd' value
   n = 24675787771726259943571442768379278941373406158037839075311817006024244918536053393982133681055690722774751469575645246249269763705037558558432847609805377435796317347338367863408864842042331116098877597064875989089957183831186441528738427454384727638271433507865221065860355099421643076372215215729150909762505984499626333706048694133755976451924576050456713244839158650571891794590726317834913567199227400960209397803068295668149593934471975949214739043399418247394771420801132978758514202931200224490102411530691918341368865066801822322640165710172504331263920578012118226039841256839802557651936719623078911118753  # Replace with your 'n' value

   # Construct RSA private key using d and n
   key = RSA.construct((n, 65537, d))

   # Export private key in PEM format (Base64 encoded)
   private_key_pem = key.export_key()

   # Print the private key in PEM format
   print(private_key_pem.decode())

   # Optionally, you can save it to a .pem file
   with open("private_key.pem", "wb") as f:
       f.write(private_key_pem)
   ```

#### 3.4. **Understanding the Output**

The output of the above code will be a **PEM-formatted private key** (Base64 encoded). For example:

```plaintext
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEA7Zj1V4zG4uJ3dKjd6Kb85YHEF1OtPVdy3V0lIj4qFsBBckrH...
...
-----END RSA PRIVATE KEY-----
```

This key will be the private key containing your \(d\) and \(n\) values, along with other necessary fields in a proper format.

### 4. **Storing the Key**

- **PEM format** is text-based, so it can be safely stored in a text file (e.g., `private_key.pem`).
- It is common to store private keys **securely**, and access to the file should be restricted.

### 5. **Verifying the Key**

You can use tools like `openssl` to verify the private key and ensure it was correctly generated:

```bash
openssl rsa -in private_key.pem -check
```

This will display information about the private key, including modulus \(n\) and private exponent \(d\).

### Conclusion

- You can manually construct a private key file if you have the modulus \(n\) and private exponent \(d\).
- The key file is typically stored in **PEM format**, which is Base64 encoded.
- You can use libraries like `PyCryptodome` to create and export the key.


In [79]:
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization

# Load the private key from a PEM file
private_key_pem = b"""
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAw3hKzsaSI4JmM6GibfIP/p7gqfUKUIG5Ricy5smBBgCVTBPZ
J5aMIcVwOUfRHYLl8iukpZmQA4G0DrIXiDtr/C/Psdsicu2KNU589tEZfJY9/5S+
DS29fgYS2Ks/cbmYC/0e2W5dmB5CcJYjApLK2csmgvK+w3Cn+fpKyVpi0VStftwh
MqKi4qV3zyLu9zPbtIBQTZwtw0XE4Mlpo1CTKpgf/94rgK/8eV04DdUHqzK4As/I
gBxoCDrvZNDfx/fbBoVk273wtmRyjDnVYVsyIoP+kQ45/AW1K1pUAZlT04pFrPpy
I0WT40Ycw9UuFFBvxP6ENZdDQipzOKoHqiuNoQIDAQABAoIBACcLiU3ihmCHdKjN
maeCmcVPsSrh4qyQLRUhUV6eU6KCTVBECrWIsfcw/CjE+rV9ZzdHlnzpvsWki/X/
hwnUbM6UMlWhozD32Aqr4fRfckrbrAi4inoRb++TgQI8utCZtRB4AEiIbjOrn7Pj
mZyy+8gjd07i9E4P283oPDYaUvDjMjzJnh8dCy7ghjeastHMhL8ZVvehnlx7xpUC
XKtxccujaqpNcrYkkbA+/wwn8UBWLGFz3c8ddgzLP5zwLZ+SYt2LyCSQs+PhMIK+
p8r11WraCTDBlu6fRIP+umdnZNix75aBTFZyqpMUl4pJ86Wi5XGGQ76KY5vO9SOE
/4c6wz0CgYEA/EtcnVmd3AfoqQ8gxz6SHPiTTuR6f3eWiuNcQWLRPJA4IkcyE5Hl
kuNTFHPqKMUgp68kxUlJB9XVgyNXReQcz3MU0MKqO1YDvA8KvIiKr1QWpo0gtXNe
PuN0K6sqoE7zL23MKjqqruoOidF5V1hwZ/OwSkz8YJlb73U32tDXklMCgYEAxldE
jqXHvQ8I0VQudZ7K4QWv6b/KK6TVv9nbLquAn9EgQQlgD85Dt8+29tD8WGQd0nX2
oNTKAWgg7ozEd8VPVS8RlZjQ5fXWmtbDnCZH47CnqEFbDcAC+oxvn9aVQndf/mZu
RPDvgqJeQxWvjosX4RbyuJyrMRKhKq3fqkDeSbsCgYEAo0CEmlDN4/2+H/7o/+RO
Ga8Dau5PEcIpSI/cN3cg22aa3BtjnOQwQD8WmEp1P5JnEfoz+fD077v/X87zfwcf
WWEnG/qKusBqxDqbgOl9i/wGeBkkDCWt21XE6yjj+T19ALi0frLdlTdg1u8T7GAO
xEUcUsfEGyHBKo6X6OBwTX8CgYB9r6t4IcHTIoXZ8NiIHJo/wlTZcXnx8kCplKp6
hp+5ptIjpIdFPNZY0r4E5iYi9T6YsbwZ6v4fqhbEVFvj8hr1xiAEhpRKRWE7OcE3
YGLJ/JYh31iN/BFnKDtMNLTdK7ye/9X8xhlg1Pea11EqqSX2s44YQt+Q91c+LnS/
9N9oJQKBgFe5gFVs4p4wGia/AswEXDfLNhYs09EcoYQY5CROo5iwds62/kWtbx7E
GD15ixqtY49+DE8LB7JpF2P3Z4YnbHSrOCEPRpDjaIoye3ncGocYsO5RnUrSCagC
LDtRGDELtM5Z+CRhGsLy/zPUKtNyTCiZhiFgZW5d7PSx82JnwnNx
-----END RSA PRIVATE KEY-----
"""

# Deserialize the private key from PEM format
private_key = serialization.load_pem_private_key(
    private_key_pem,
    password=None  # If your private key is password protected, specify it here
)

# Ensure that the key is an RSA private key
if isinstance(private_key, rsa.RSAPrivateKey):
    # Extract the modulus (n) and private exponent (d)
    private_numbers = private_key.private_numbers()
    d = private_numbers.d
    n = private_numbers.public_numbers.n

    # Print the values of d and n
    print(f"Private exponent (d): {d}")
    print(f"Modulus (n) This is the most important because finding p and q from n is computationally near impossible: {n}")
else:
    print("The provided private key is not an RSA key.")


Private exponent (d): 4928982677261218379255897543080292668592081725054142718386667019025335157675137326710409570451806571125383699104548147132904931209280966157871803836915974121671873756717679687808191550531396869567578720771110846898341844965959102584077921690119329073845481728664168469310128760952267108851315583397322345540638467390624257839432486798810222326681544242358753529928571944178473050457815126291794978809893634863340944635081047982773031581091178356869924517041609871070502830936608702782910120574809824848263950701070355554031474737852764044993788271245329746541453476938554144546617898310850832508528543600736848233277
Modulus (n) This is the most important because finding p and q from n is computationally near impossible: 246757877717262599435714427683792789413734061580378390753118170060242449185360533939821336810556907227747514695756452462492697637050375585584328476098053774357963173473383678634088648420423311160988775970648759890899571838311864415287384274543847276382714

In [53]:
ord('😡')

128545

In [61]:
byte_val = '😡😭😭 பொங்கல் பரிசுத்தொகுப்பு'.encode()
byte_val

b'\xf0\x9f\x98\xa1\xf0\x9f\x98\xad\xf0\x9f\x98\xad \xe0\xae\xaa\xe0\xaf\x8a\xe0\xae\x99\xe0\xaf\x8d\xe0\xae\x95\xe0\xae\xb2\xe0\xaf\x8d \xe0\xae\xaa\xe0\xae\xb0\xe0\xae\xbf\xe0\xae\x9a\xe0\xaf\x81\xe0\xae\xa4\xe0\xaf\x8d\xe0\xae\xa4\xe0\xaf\x8a\xe0\xae\x95\xe0\xaf\x81\xe0\xae\xaa\xe0\xaf\x8d\xe0\xae\xaa\xe0\xaf\x81'

In [62]:
byte_val.decode()

'😡😭😭 பொங்கல் பரிசுத்தொகுப்பு'

In [63]:
type(byte_val)

bytes

In [64]:
len(byte_val)

80

In [70]:
int('0xf09f98a1', 16)

4036991137

In [6]:
import ssl
import socket

def get_cert_chain(host, port=443):
    # Create an SSL context with the default settings
    context = ssl.create_default_context()
    
    # Connect to the server using a socket
    with socket.create_connection((host, port)) as sock:
        # Wrap the socket with SSL
        with context.wrap_socket(sock, server_hostname=host) as ssock:
            # Retrieve the certificate chain
            cert_chain = ssock.getpeercert(binary_form=True)
            # Print each certificate in the chain
            cert_chain_list = ssock.getpeercert(chain=True)
            
            for cert in cert_chain_list:
                print(cert)
                
# Example usage
get_cert_chain('google.com')

TypeError: getpeercert() got an unexpected keyword argument 'chain'

In [7]:
!python -version

Unknown option: -e
usage: python [option] ... [-c cmd | -m mod | file | -] [arg] ...
Try `python -h' for more information.
