This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

Only authorized users are allowed to rename pages.

Only authorized users are allowed to delete pages.

Page revision history

Version Date Modified Size Author Changes ... Change note

Page References

Incoming links Outgoing links
Certificate
Certificate

Version management

Difference between version and

At line 1 added 79 lines
!!! Overview[1]
[{$pagename}] is a [credential] issued by an [Identity Provider (IDP)] ([Certificate Authority]) and is used by a [Relying Party] that [trusts] the [Identity Provider (IDP)] ([Certificate Authority]) by way of the [Trust Anchor]
[{$pagename}] is an binary [data structure|Example Certificate] containing element of [Public Key] [cryptography] that may be used to perform [Asymmetric Key Cryptography].
In particular, a [{$pagename}] consists of a pair of keys (called the "[Public Key]" and the "[Private Key]") that are linked so that any data encrypted using the [Public Key] can __ONLY__ be decrypted using the [Private Key]. With many [Public Key] algorithms, like [RSA], the reverse is also true so that any data encrypted with the [Private Key] can __ONLY__ be [decrypted|Decryption] using the [Public Key].
[{$pagename}] bind together:
* A domain name, server name or hostname.
* A [Digital Identity] of an [Organizational Entity] (i.e. company name) and location.
[{$pagename}] are the electronic counterparts to driver [license]s, [passport], [Payment Cards] and [loyalty Cards].
[{$pagename}] can be used to establish [Encryption], [Identification], [Authentication] and [Confidentiality] and with a little bit of additional effort even [Authorization].
[{$pagename}]s provide an [Assertion] by the [Certificate Authority] (or [Registration Authority]) of [Identification] by binding an [Digital Identity] to a [Private Key] and [Public Key] which, is by definition, [Authentication].
!! Different Meanings
The term "[{$pagename}]" may have different meanings based on the [context] in which it is used.
In many cases, [{$pagename}] refers to only the [Public Key] (in particular, whenever the server presents its [{$pagename}] to the client, or if a client presents only the [Public Key] certificate to the server, then only the [Public Key] is included). However, in other cases, it does include the [Private Key] (i.e., the server will require the use of the [Private Key] to establish a secure communication channel with the client, and the client will need access to its [Private Key] in order to send its own certificate to the server).
Most often, [{$pagename}] is in reference to a [X.509] [{$pagename}].
We use the following specific terms:
* [Site Certificate] - for any [Certificate] presented by a server.
* [Subject Certificate] for any [Certificate] that is __NOT__ a [Trusted Certificate] (though it may be in the future)
* [Trusted Certificate] for any [Certificate] that is [Trusted|Trust]
* [Intermediate Certificate] for any [Certificate] Signed by a [Root Certificate] that issues [Certificates]
* [Root Certificate] for any [Root Certificate] ([Trust Anchor]) and is implied to be a [Trusted Certificate]
* [Identity Certificate] - any [{$pagename}] with a [Public Key]
* [{$pagename}] - when used alone might be any of the above and should be taken in [context]
!! [LDAP] and [{$pagename}]
The [LDAPSyntaxes] for [{$pagename}] is [1.3.6.1.4.1.1466.115.121.1.8].
[{$pagename}]s have two primary uses with [LDAP] [servers|DSA].
First, and most common, is for providing a secure communication mechanism, generally through the use of [SSL] or [StartTLS]. In this case, the negotiation process involves the client encrypting information using the server's [Public Key] so that only the server can decrypt it using its [Public Key] and that information will be [Confidential].
!! Structure of a [{$pagename}][2]
The structure foreseen by the standards is expressed in a formal language, namely [Abstract Syntax Notation One|ASN.1].
Structure of a [X.509] [Certificate] is shown with the [Example Certificate]
!! Other [{$pagename}] Information
* [Certificate Extensions]
* [Certificate Fingerprint]
* [Key pair] - [Public Key], [Private Keys]
* [Certificate Validation]
* [Certificate Level Of Assurance]
!! [{$pagename}] [Security Considerations]
[{$pagename}]s are typically part of the [Public Key Infrastructure] and therefore subject to all the [Public Key Infrastructure Weaknesses]
!! [Certificate Formats]
Common filename extensions and [Certificate Formats] for X.509 certificates are:
* [.pem|Privacy-Enhanced Mail] – (Privacy Enhanced Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
* [.cer, .crt, .der|Distinguished Encoding Rules] – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
* [.p7b, .p7c|PKCS7] – [PKCS#7|PKCS7] Signed Data structure without data, just certificate(s) or CRL(s)
* [.p12|PKCS12] – [PKCS#12|PKCS12], may contain certificate(s) (public) and [Private Key]s (password protected)
* [.pfx|PKCS12] – PFX, predecessor of [PKCS#12|PKCS12] - usually contains data in PKCS#12 format, e.g., with PFX files typically generated in IIS
!! Single Binary Certificate
A Single Binary [Certificate] is a [binary] data structure containing the fields listed in [X.509] certificates. [Certificates] are encoded using [Distinguished Encoding Rules] ([DER]).
Be careful when transferring Binary Certificates, remember to transfer a binary certificate in binary format, for example using binary FTP, when you copy to or from a system.
Usually, Binary Certificates are stored in a [Certificate File Formats|Certificate Formats] when exported from [Certificate Formats|Certificate Keystores|Certificate Formats] and when used to transmit and store certificates.
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?|https://security.stackexchange.com/questions/56389/ssl-certificate-framework-101-how-does-the-browser-actually-verify-the-validity|target='_blank'] - based on 2015-03-16
* [#2] - [The First Few Milliseconds of an HTTPS Connection|http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html|target='_blank'] - based on 2015-03-16
This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthorTop