Ldapwiki: Certificate

Overview[1]#

Certificate is a credential issued by an Identity Provider (IDP) (Certificate Authority) and is used by a Relying Party that trusts the Identity Provider (IDP) (Certificate Authority) by way of the Trust Anchor

Certificate is an binary data structure containing element of Public Key cryptography that may be used to perform Asymmetric Key Cryptography.

In particular, a Certificate consists of a pair of keys (called the "Public Key" and the "Private Key") that are linked so that any data encrypted using the Public Key can ONLY be decrypted using the Private Key. With many Public Key algorithms, like RSA, the reverse is also true so that any data encrypted with the Private Key can ONLY be decrypted using the Public Key.

Certificate bind together:

A domain name, server name or hostname.
A Digital Identity of an Organizational Entity (i.e. company name) and location.

Certificate are the electronic counterparts to driver licenses, passport, Payment Cards and loyalty Cards.

Certificate can be used to establish Encryption, Identification, Authentication and Confidentiality and with a little bit of additional effort even Authorization.

Certificates provide an Assertion by the Certificate Authority (or Registration Authority) of Identification by binding an Digital Identity to a Private Key and Public Key which, is by definition, Authentication.

Different Meanings#

The term "Certificate" may have different meanings based on the context in which it is used. In many cases, Certificate refers to only the Public Key (in particular, whenever the server presents its Certificate to the client, or if a client presents only the Public Key certificate to the server, then only the Public Key is included). However, in other cases, it does include the Private Key (i.e., the server will require the use of the Private Key to establish a secure communication channel with the client, and the client will need access to its Private Key in order to send its own certificate to the server).

Most often, Certificate is in reference to a X.509 Certificate.

We use the following specific terms:

Site Certificate - for any Certificate presented by a server.
Subject Certificate for any Certificate that is NOT a Trusted Certificate (though it may be in the future)
Trusted Certificate for any Certificate that is Trusted
Intermediate Certificate for any Certificate Signed by a Root Certificate that issues Certificates
Root Certificate for any Root Certificate (Trust Anchor) and is implied to be a Trusted Certificate
Identity Certificate - any Certificate with a Public Key
Certificate - when used alone might be any of the above and should be taken in context

LDAP and Certificate#

The LDAPSyntaxes for Certificate is 1.3.6.1.4.1.1466.115.121.1.8.

Certificates have two primary uses with LDAP servers. First, and most common, is for providing a secure communication mechanism, generally through the use of SSL or StartTLS. In this case, the negotiation process involves the client encrypting information using the server's Public Key so that only the server can decrypt it using its Public Key and that information will be Confidential.

Structure of a Certificate[2]#

The structure foreseen by the standards is expressed in a formal language, namely Abstract Syntax Notation One. Structure of a X.509 Certificate is shown with the Example Certificate

Other Certificate Information#

Certificate Security Considerations #

Certificates are typically part of the Public Key Infrastructure and therefore subject to all the Public Key Infrastructure Weaknesses

Certificate File Formats #

Common filename extensions and Certificate File Formats for X.509 certificates are:

.pem – (Privacy Enhanced Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
.cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
.p7b, .p7c – PKCS#7 Signed Data structure without data, just certificate(s) or CRL(s)
.p12 – PKCS#12, may contain certificate(s) (public) and Private Keys (password protected)
.pfx – PFX, predecessor of PKCS#12 - usually contains data in PKCS#12 format, e.g., with PFX files typically generated in IIS

Single Binary Certificate#

A Single Binary Certificate is a binary data structure containing the fields listed in X.509 certificates. Certificates are encoded using Distinguished Encoding Rules (DER).

Be careful when transferring Binary Certificates, remember to transfer a binary certificate in binary format, for example using binary FTP, when you copy to or from a system.

Usually, Binary Certificates are stored in a Certificate File Formats when exported from Certificate Formats and when used to transmit and store certificates.

More Information#

There might be more information for this subject on one of the following:

[#1] - SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate? - based on 2015-03-16
[#2] - The First Few Milliseconds of an HTTPS Connection - based on 2015-03-16

Active Sessions	36
Uptime	1d, 7h 37m 35s
Number of pages	16290

Overview[1]#

Different Meanings#

LDAP and Certificate#

Structure of a Certificate[2]#

Other Certificate Information#

Certificate Security Considerations #

Certificate File Formats #

Single Binary Certificate#

More Information#

Lead Pages#

Donations#

Overview[1]#

Different Meanings#

LDAP and Certificate#

Structure of a Certificate[2]#

Other Certificate Information#

Certificate Security Considerations#

Certificate File Formats#

Single Binary Certificate#

More Information#

Lead Pages#

Donations#

Certificate Security Considerations #

Certificate File Formats #