This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] exist because [Certificates] are a [binary] format ([ASN.1] structures) that must be serialized in an agreed way before they can be stored or exchanged.
These are the most common [{$pagename}]:
* [Privacy-Enhanced Mail] (PEM) (Often referred to as [base64])
* [Distinguished Encoding Rules (DER)|Distinguished Encoding Rules]
* [PKCS#7|PKCS7]
* [PFX Format (PKCS#12)|PKCS12]
!! [{$pagename}] [Encoding]
[Certificates] may be encoded using several different [Encoding] formats, and the file extension alone does not reliably tell which one was used.
! [Base64] [Encoding] [X.509]
[Base64] is the text [Encoding] defined by [Multipurpose Internet Mail Extensions] ([MIME]) for carrying [binary] attachments over the Internet; Secure/MIME (S/[MIME]) relies on it, and the Windows "Base-64 encoded X.509 (.CER)" export format is simply one [X.509] certificate encoded this way.
* A Base-64 encoded X.509 export holds exactly one certificate, so it does __NOT__ store a [Certificate Chain].
* A Base-64 encoded X.509 export does __NOT__ store a [Private Key].
Because all MIME-compliant clients can decode [Base64] text, this format is used for interoperability with a [Certificate Authority] that does not run on [Windows Server 2003]. [Base64] certificate files typically use the .cer extension.
! [Privacy-Enhanced Mail] (PEM) (Often referred to as [base64])
[Privacy-Enhanced Mail] is the general form of the same idea: the [DER] bytes are [base64]-encoded and wrapped between -----BEGIN ...----- and -----END ...----- lines whose label names the object (CERTIFICATE, PRIVATE KEY, and so on); this textual encoding is codified in [RFC 7468]. Several blocks may be concatenated in one file, which is how a [Certificate Chain] is usually shipped, and a [Private Key] may be stored as a block of its own. [Privacy-Enhanced Mail] files usually have extensions such as .pem, .crt, .cer, and .key.
!! [Distinguished Encoding Rules (DER)|Distinguished Encoding Rules]
[Distinguished Encoding Rules] ([DER]) is the [binary] [ASN.1] encoding itself; a .der or binary .cer file holds one DER-encoded object, normally a single [Certificate] whose outer SEQUENCE length must match the file size:
* A [DER] certificate file does __NOT__ store a [Certificate Chain]; concatenating two DER certificates is not a single DER object, so it is not a usable chain file.
* A [DER] certificate file does __NOT__ store a [Private Key]; a key is a separate DER object kept in its own file.
!! [Canonical Encoding Rules] ([CER])
Often, someone will provide a [Certificate] with a .cer extension and imply it is in [Canonical Encoding Rules]. The extension stands for "certificate", not for the encoding rules: certificates are practically never exported in [Canonical Encoding Rules] format, and such a file is __most__ likely [Privacy-Enhanced Mail] or plain [DER].
!! [File System] extensions
Extensions are conventions, not guarantees; inspect the first bytes (-----BEGIN for [PEM], 0x30 for a [DER] SEQUENCE) rather than trusting the name.
* *.crt - Probably this is __most__ likely [Privacy-Enhanced Mail]
* *.cer - Either [Privacy-Enhanced Mail] or [DER]; practically never [Canonical Encoding Rules]
* *.pem - [Privacy-Enhanced Mail], possibly several concatenated blocks
* *.der - [DER], a single [binary] object
* *.key - A [Private Key], usually [Privacy-Enhanced Mail]
* *.p7b, *.p7c - [PKCS#7|PKCS7] "certs only" bundle
* *.p12, *.pfx - [PKCS#12|PKCS12] bundle containing a [Private Key]
!! [Public-Key Cryptography Standards] ([PKCS])
Produced by [RSA] Labs; the standards specify the format of the objects used during public-key operations.
In cryptography, [PKCS] refers to a group of [Public-Key Cryptography Standards] devised and published by RSA Security.
* Language is [ASN.1]
* Implemented in [RSAREF] and [BSAFE] libraries
* Standards from [IETF] [PKIX] working group are a superset and generally compatible
! [PKCS#7|PKCS7]
An envelope (the SignedData content type of [RFC 2315]) that can carry multiple [certificates]. The bundle itself is a [DER] structure, and it is shipped either as that binary or wrapped in [PEM] as a PKCS7 block.
* [PKCS#7|PKCS7] supports storage of a [Certificate Chain].
* [PKCS#7|PKCS7] does __NOT__ support storage of a [Private Key].
! [PKCS#12|PKCS12]
Like [PKCS#7|PKCS7], [PKCS#12|PKCS12] is a container for several objects, but it is the standard for storing [Private Keys] together with [certificates]: it defines a file format (.p12 or .pfx) that holds [Private Keys] and the accompanying [Public Key] [certificates], protected by a [password-based] [symmetric Key]. Because the password guards the key, a [PKCS#12|PKCS12] file must be handled as secret material, unlike a [PKCS#7|PKCS7] bundle.
* [PKCS#12|PKCS12] supports storage of a [Certificate Chain].
* [PKCS#12|PKCS12] supports storage of a [Private Key].
! [PKCS#7|PKCS7] Bundle Contents
* Three parts; all are optional
** [Certificates]
** Content
** Signature (with signer information)
* Include all three: opaque signing (the content travels inside the signature object)
* Omit content: detached signature (the content travels separately, as in the S/MIME multipart/signed message below)
* Only [certificates]: "certs only"
** Used for a set/list/chain of [certificates] (a [Certificate Chain])
** File extension = .p7c (or .p7b)
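The PEM, DER and PKCS#7 sections above describe the same bytes from three angles, so a single added example covers them. It is not code from this page or any vendor: a minimal DER tag-length-value codec (assumed names tlv, read_tlv, der_oid), a PEM wrapper/splitter, a content sniffer that tells PEM from DER and catches truncated or concatenated DER, and a builder and walker for the RFC 2315 "certs only" SignedData. The certificates it handles are constructed, certificate-shaped SEQUENCEs with a placeholder signature, not real X.509 certificates, and it uses only the Python standard library.

```python
# Added example, not code from the page or any project: a minimal DER codec that
# shows PEM, DER and a PKCS#7 "certs only" bundle as bytes. The certificates are
# constructed, certificate-shaped SEQUENCEs, not real X.509 certificates.
import base64
import re

OID_PKCS7_DATA = "1.2.840.113549.1.7.1"
OID_PKCS7_SIGNED_DATA = "1.2.840.113549.1.7.2"
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def tlv(tag: int, value: bytes) -> bytes:
    """DER tag-length-value with a minimal definite length (single-byte tags only)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128 groups."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            groups.append(0x80 | (arc & 0x7F))
        out += reversed(groups)
    return tlv(0x06, bytes(out))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, end); rejects truncation and the BER-only length forms DER forbids."""
    tag, first = buf[pos], buf[pos + 1]
    pos, length = pos + 2, first & 0x7F
    if first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    if first > 0x80:                                # long form: next (first & 0x7F) bytes hold the length
        lb = buf[pos:pos + length]
        length = int.from_bytes(lb, "big")
        if len(lb) != (first & 0x7F) or lb[0] == 0 or length < 0x80:
            raise ValueError("non-minimal length encoding")
        pos += len(lb)
    if pos + length > len(buf):
        raise ValueError("truncated: length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def fake_certificate(serial: int) -> bytes:
    """Constructed stand-in shaped like Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }."""
    serial_der = tlv(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + serial_der)              # [0] version v3, serialNumber
    sig_alg = tlv(0x30, der_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))  # sha256WithRSAEncryption
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" + bytes(16)))        # placeholder BIT STRING


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """PEM is the DER base64-encoded in 64-column lines between labelled BEGIN/END lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_blocks(text: str) -> list:
    """Every (label, DER) block in a PEM file; a chain file yields one entry per certificate."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in _PEM_BLOCK.finditer(text)]


def sniff_format(data: bytes) -> str:
    """Classify by content, not extension: a .cer or .crt file may be either encoding."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] != b"\x30":                         # X.509 and PKCS#7 objects start with SEQUENCE
        return "unknown"
    try:
        _, _, end = read_tlv(data)
    except (ValueError, IndexError):
        return "truncated DER"
    return "DER" if end == len(data) else "DER with trailing bytes"


def pkcs7_certs_only(certs) -> bytes:
    """ContentInfo { signedData, [0] SignedData } with no signers (RFC 2315 section 9.1)."""
    signed = tlv(0x30, tlv(0x02, b"\x01")                    # version 1
                 + tlv(0x31, b"") + tlv(0x30, der_oid(OID_PKCS7_DATA))  # no digestAlgorithms; data, content absent
                 + tlv(0xA0, b"".join(sorted(certs)))        # [0] IMPLICIT SET OF Certificate (DER: sorted)
                 + tlv(0x31, b""))                           # signerInfos: empty SET
    return tlv(0x30, der_oid(OID_PKCS7_SIGNED_DATA) + tlv(0xA0, signed))


def pkcs7_certificates(p7: bytes) -> list:
    """Walk a PKCS#7 ContentInfo and return the DER of each embedded certificate."""
    tag, content_info, end = read_tlv(p7)
    if tag != 0x30 or end != len(p7):
        raise ValueError("not a single DER ContentInfo")
    tag, oid, pos = read_tlv(content_info)
    if tlv(tag, oid) != der_oid(OID_PKCS7_SIGNED_DATA):
        raise ValueError("contentType is not signedData")
    _, signed, _ = read_tlv(read_tlv(content_info, pos)[1])  # [0] EXPLICIT content -> SignedData SEQUENCE
    pos = 0
    for _ in range(3):                                       # skip version, digestAlgorithms, contentInfo
        _, _, pos = read_tlv(signed, pos)
    tag, blob, _ = read_tlv(signed, pos)
    if tag != 0xA0:                                          # certificates is OPTIONAL
        return []
    certs, p = [], 0
    while p < len(blob):
        start = p
        _, _, p = read_tlv(blob, p)
        certs.append(blob[start:p])                          # the whole TLV is one certificate's DER
    return certs
```

Two checks in the sniffer are the ones that matter in practice: a DER file whose outer SEQUENCE does not end exactly at the end of the data is either truncated or two objects glued together, and neither is a chain; a chain is either several PEM blocks or a PKCS#7 certs-only bundle, which is why pem_blocks returns a list and pkcs7_certificates walks the [0] set.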
!! [S/MIME|Secure MIME]
* IETF Standard for "secure electronic mail"
* Digital signatures
** Need canonical form of message to be signed
* Encryption
* Other information for recipient
** Certificates for verification
** Sender's public encryption key (certificate)
** Sender's cryptographic algorithms
!! Example S/MIME (Signed)
{{{
From: Eric Norman <ejnorman@doit.wisc.edu>
MIME-version: 1.0
Content-type: multipart/signed; protocol="application/pkcs7-signature";
boundary=Apple-Mail-3-2162327; micalg=sha1
--Apple-Mail-3-2162327
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII; format=flowed
Message text
--Apple-Mail-3-2162327
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name=smime.p7s
Content-Disposition: attachment; filename=smime.p7s
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIGQzCCAsMw
ggIsoAMCAQICAgMzMA0GCSqGSIb3DQEBBAUAMIG3MQswCQYDVQQGEwJVUzESMBAGA1UECBMJV2lz
... snip ...
icLcyxUobN5sT+ttMbm1S6Q+6wAAAAAAAA==
--Apple-Mail-3-2162327--
}}}
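The message above is a detached PKCS#7 signature carried as multipart/signed. The following added example, which is not code from the page or from Apple Mail, builds a message with the same framing and dissects it again, showing what the list above means by the canonical form of the message to be signed: the first body part, MIME headers included, with CRLF line endings. The smime.p7s bytes are a constructed placeholder rather than a real SignedData, so the example covers the MIME layer and the digest input, not signature verification; the addresses are made up and only the Python standard library is used.

```python
# Added example, not the page's or any vendor's code: build an S/MIME
# multipart/signed message and take it apart again. The signature bytes are a
# constructed placeholder, not a real PKCS#7 SignedData.
import hashlib
import re
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.parser import BytesParser

# Constructed stand-in for the DER blob a real signer would emit as smime.p7s.
FAKE_P7S = b"\x30\x80constructed-placeholder-not-a-real-pkcs7-signature\x00\x00"


def canonical_signed_bytes(part) -> bytes:
    """The first body part, MIME headers included, with every line ending in CRLF.
    This is the canonical form the signer digests; the outer message headers and
    the boundary lines are not covered by the signature."""
    raw = part.as_bytes(policy=policy.SMTP)
    return re.sub(rb"\r?\n", b"\r\n", raw)


def _digest(micalg: str, data: bytes) -> str:
    # The example above writes micalg=sha1; RFC 5751 spells it sha-1 / sha-256.
    return hashlib.new(micalg.replace("-", ""), data).hexdigest()


def build_signed_message(body_text: str, signature_der: bytes, micalg: str = "sha1"):
    """Return (raw message bytes, hex digest of the canonical signed part); the
    digest is what a real signer would place in the messageDigest signed attribute."""
    body = MIMEText(body_text, "plain", "us-ascii")
    del body["MIME-Version"]                       # only the outer message carries it
    digest = _digest(micalg, canonical_signed_bytes(body))

    sig = MIMEApplication(signature_der, "pkcs7-signature", name="smime.p7s")
    del sig["MIME-Version"]
    sig.add_header("Content-Disposition", "attachment", filename="smime.p7s")

    outer = MIMEMultipart("signed", protocol="application/pkcs7-signature", micalg=micalg)
    outer["From"] = "sender@example.com"           # constructed addresses
    outer["To"] = "recipient@example.com"
    outer["Subject"] = "signed test"
    outer.attach(body)                             # part 1: the signed content
    outer.attach(sig)                              # part 2: the detached signature
    return outer.as_bytes(policy=policy.SMTP), digest


def inspect_signed_message(raw: bytes) -> dict:
    """Parse a multipart/signed message and return what a verifier needs: the
    protocol, the digest algorithm, the digest over the canonical part and the
    decoded signature blob."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not multipart/signed: " + msg.get_content_type())
    parts = list(msg.iter_parts())
    if len(parts) != 2:
        raise ValueError("multipart/signed must have exactly two parts")
    signed_part, sig_part = parts
    protocol = msg.get_param("protocol")
    if sig_part.get_content_type() != protocol:
        raise ValueError("signature part type does not match the protocol parameter")
    micalg = msg.get_param("micalg")
    return {
        "protocol": protocol,
        "micalg": micalg,
        "signed_digest": _digest(micalg, canonical_signed_bytes(signed_part)),
        "signature": sig_part.get_payload(decode=True),
        "signature_filename": sig_part.get_filename(),
        "signed_text": signed_part.get_content().replace("\r\n", "\n"),
    }
```

Because the digest is taken over the canonical bytes of the first part, any gateway that rewrites that part (re-encoding, adding a footer, changing charset) breaks the signature even though the outer headers are untouched; that is the design, and it is why the inspector recomputes the digest from the part as received rather than trusting anything in the outer message.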
!!! [Netscape Certificate Sequence]
[Netscape Certificate Sequence] is another PKCS#7-style object format, and like the SignedData format it allows multiple certificates to be imported together. It is simpler than the PKCS#7 SignedData object: a PKCS#7 ContentInfo structure whose content type is the Netscape certificate-sequence OID (2.16.840.1.113730.2.5), wrapping a SEQUENCE OF Certificate.
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]