Certificate is a credential issued by an Identity Provider (IDP) (Certificate Authority) and is used by a Relying Party that trusts the Identity Provider (IDP) (Certificate Authority) by way of the Trust Anchor

Certificate is an binary data structure containing element of Public Key cryptography that may be used to perform Asymmetric Key Cryptography.

In particular, a Certificate consists of a pair of keys (called the "Public Key" and the "Private Key") that are linked so that any data encrypted using the Public Key can ONLY be decrypted using the Private Key. With many Public Key algorithms, like RSA, the reverse is also true so that any data encrypted with the Private Key can ONLY be decrypted using the Public Key.

Certificate bind together:

Certificate are the electronic counterparts to driver licenses, passport, Payment Cards and loyalty Cards.

Certificate can be used to establish Encryption, Identification, Authentication and Confidentiality and with a little bit of additional effort even Authorization.

Certificates provide an Assertion by the Certificate Authority (or Registration Authority) of Identification by binding an Digital Identity to a Private Key and Public Key which, is by definition, Authentication.

Different Meanings#

The term "Certificate" may have different meanings based on the context in which it is used. In many cases, Certificate refers to only the Public Key (in particular, whenever the server presents its Certificate to the client, or if a client presents only the Public Key certificate to the server, then only the Public Key is included). However, in other cases, it does include the Private Key (i.e., the server will require the use of the Private Key to establish a secure communication channel with the client, and the client will need access to its Private Key in order to send its own certificate to the server).

Most often, Certificate is in reference to a X.509 Certificate.

We use the following specific terms:

LDAP and Certificate#

The LDAPSyntaxes for Certificate is

Certificates have two primary uses with LDAP servers. First, and most common, is for providing a secure communication mechanism, generally through the use of SSL or StartTLS. In this case, the negotiation process involves the client encrypting information using the server's Public Key so that only the server can decrypt it using its Public Key and that information will be Confidential.

Structure of a Certificate[2]#

The structure foreseen by the standards is expressed in a formal language, namely Abstract Syntax Notation One. Structure of a X.509 Certificate is shown with the Example Certificate

An Example Certificate#

Example Certificate

Certificate Extensions#

Certificate Extensions defined for X.509 v3 certificates provide methods for associating additional attributes with users or Public Key and for managing relationships between CAs. The X.509 v3 certificate format also allows communities to define private extensions to carry information unique to those communities.

Other Certificate Information#

Certificate Fingerprint#

The Certificate Fingerprint is generated from the whole certificate, including the signature itself.

A X.509 certificate contains information needed to verify the integrity of the certificate such as a Public Key that is owned by the certificate owner and a field describing the hash and encryption functions used to create the Digital Signature of the Certificate. The Digital Signature is an encrypted one way hash of the Certificate contents. This Digital Signature is created using the Private Key of either the certificate owner or, for certificates issued by a Certificate Authority, the Private Key of the Certificate Authority.

Certificate Weakness #

Certificates are typically part of the Public Key Infrastructure and therefore subject to all the Public Key Infrastructure Weaknesses

Certificate File Formats#

Common filename extensions and Certificate File Formats for X.509 certificates are:
  • .pem – (Privacy Enhanced Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
  • .cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
  • .p7b, .p7cPKCS#7 Signed Data structure without data, just certificate(s) or CRL(s)
  • .p12PKCS#12, may contain certificate(s) (public) and Private Keys (password protected)
  • .pfx – PFX, predecessor of PKCS#12 - usually contains data in PKCS#12 format, e.g., with PFX files typically generated in IIS

Certificate Validation#

Certificate Validation must be performed to insure validity of the Certificate.

Single Binary Certificate#

A Single Binary Certificate is a binary data structure containing the fields listed in X.509 certificates. Certificates are encoded using Distinguished Encoding Rules (DER).

Be careful when transferring Binary Certificates, remember to transfer a binary certificate in binary format, for example using binary FTP, when you copy to or from a system.

Usually, Binary Certificates are stored in a Certificate File Formats when exported from Certificate Formats and when used to transmit and store certificates.

Public, Private Keys#

The Public Key, as implied by its name, is public information that can be disseminated freely. The Private Key, on the other hand, is private and should NEVER be revealed to anyone other than the owner of the key pair.

Data or Code Signing#

Certificates may also be used for data signing, in which case the server will encrypt information using its Private Key, and clients will know that the data is legitimately from the server if it can be decrypted using the server's Public Key.

Certificate Level Of Assurance#

Certificate Level Of Assurance describes the different Level Of Assurance for Certificate

More Information#

There might be more information for this subject on one of the following: