Certificate is a credential issued by an Identity Provider (IDP) (Certificate Authority) and is used by a Relying Party that trusts the Identity Provider (IDP) (Certificate Authority) by way of the Trust Anchor

Certificate is an binary data structure containing element of Public Key cryptography that may be used to perform Asymmetric Key Cryptography.

In particular, a Certificate consists of a pair of keys (called the "Public Key" and the "Private Key") that are linked so that any data encrypted using the Public Key can ONLY be decrypted using the Private Key. With many Public Key algorithms, like RSA, the reverse is also true so that any data encrypted with the Private Key can ONLY be decrypted using the Public Key.

Certificate bind together:

Certificate are the electronic counterparts to driver licenses, passport, Payment Cards and loyalty Cards.

Certificate can be used to establish Encryption, Identification, Authentication and Confidentiality and with a little bit of additional effort even Authorization.

Certificates provide an Assertion by the Certificate Authority (or Registration Authority) of Identification by binding an Digital Identity to a Private Key and Public Key which, is by definition, Authentication.

Different Meanings#

The term "Certificate" may have different meanings based on the context in which it is used. In many cases, Certificate refers to only the Public Key (in particular, whenever the server presents its Certificate to the client, or if a client presents only the Public Key certificate to the server, then only the Public Key is included). However, in other cases, it does include the Private Key (i.e., the server will require the use of the Private Key to establish a secure communication channel with the client, and the client will need access to its Private Key in order to send its own certificate to the server).

Most often, Certificate is in reference to a X.509 Certificate.

We use the following specific terms:

LDAP and Certificate#

The LDAPSyntaxes for Certificate is

Certificates have two primary uses with LDAP servers. First, and most common, is for providing a secure communication mechanism, generally through the use of SSL or StartTLS. In this case, the negotiation process involves the client encrypting information using the server's Public Key so that only the server can decrypt it using its Public Key and that information will be Confidential.

Structure of a Certificate[2]#

The structure foreseen by the standards is expressed in a formal language, namely Abstract Syntax Notation One. Structure of a X.509 Certificate is shown with the Example Certificate

Other Certificate Information#

Certificate Security Considerations#

Certificates are typically part of the Public Key Infrastructure and therefore subject to all the Public Key Infrastructure Weaknesses

Certificate Formats#

Common filename extensions and Certificate Formats for X.509 certificates are:
  • .pem – (Privacy Enhanced Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
  • .cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
  • .p7b, .p7cPKCS#7 Signed Data structure without data, just certificate(s) or CRL(s)
  • .p12PKCS#12, may contain certificate(s) (public) and Private Keys (password protected)
  • .pfx – PFX, predecessor of PKCS#12 - usually contains data in PKCS#12 format, e.g., with PFX files typically generated in IIS

Single Binary Certificate#

A Single Binary Certificate is a binary data structure containing the fields listed in X.509 certificates. Certificates are encoded using Distinguished Encoding Rules (DER).

Be careful when transferring Binary Certificates, remember to transfer a binary certificate in binary format, for example using binary FTP, when you copy to or from a system.

Usually, Binary Certificates are stored in a Certificate File Formats when exported from Certificate Formats and when used to transmit and store certificates.

More Information#

There might be more information for this subject on one of the following: