!!! Overview[1]
[{$pagename}] is a [credential] issued by an [Identity Provider (IDP)] ([Certificate Authority]) and used by a [Relying Party] that [trusts] that [Identity Provider (IDP)] ([Certificate Authority]) by way of the [Trust Anchor].

[{$pagename}] is a binary [data structure|Example Certificate] containing the elements of [Public Key] [cryptography] that may be used to perform [Asymmetric Key Cryptography].

In particular, a [{$pagename}] consists of a pair of keys (called the "[Public Key]" and the "[Private Key]") that are linked so that any data encrypted using the [Public Key] can __ONLY__ be decrypted using the [Private Key].  With many [Public Key] algorithms, like [RSA], the reverse is also true so that any data encrypted with the [Private Key] can __ONLY__ be [decrypted|Decryption] using the [Public Key].

[{$pagename}]s bind together:
* A domain name, server name or hostname.
* A [Digital Identity] of an [Organizational Entity] (i.e. company name) and location.

[{$pagename}]s are the electronic counterparts to driver's [license]s, [passport]s, [Payment Cards] and [loyalty Cards].

[{$pagename}] can be used to establish [Encryption], [Identification], [Authentication] and [Confidentiality] and with a little bit of additional effort even [Authorization].

[{$pagename}]s provide an [Assertion] by the [Certificate Authority] (or [Registration Authority]) of [Identification], by binding a [Digital Identity] to a [Public Key] and [Private Key], which is, by definition, [Authentication].


!! Different Meanings
The term "[{$pagename}]" may have different meanings based on the [context] in which it is used.
 
In many cases, [{$pagename}] refers to only the [Public Key] (in particular, whenever the server presents its [{$pagename}] to the client, or if a client presents only the [Public Key] certificate to the server, then only the [Public Key] is included).  However, in other cases, it does include the [Private Key] (i.e., the server will require the use of the [Private Key] to establish a secure communication channel with the client, and the client will need access to its [Private Key] in order to send its own certificate to the server).

Most often, [{$pagename}] is in reference to a [X.509] [{$pagename}].

We use the following specific terms:
* [Site Certificate] - any [Certificate] presented by a server.
* [Subject Certificate] - any [Certificate] that is __NOT__ a [Trusted Certificate] (though it may become one in the future).
* [Trusted Certificate] - any [Certificate] that is [Trusted|Trust].
* [Intermediate Certificate] - any [Certificate] signed by a [Root Certificate] that itself issues [Certificates].
* [Root Certificate] - any [Certificate] that is a [Trust Anchor]; it is implied to be a [Trusted Certificate].
* [Identity Certificate] - any [{$pagename}] with a [Public Key].
* [{$pagename}] - when used alone might be any of the above and should be taken in [context].

!! [LDAP] and [{$pagename}]
The [LDAPSyntaxes] for [{$pagename}] is [1.3.6.1.4.1.1466.115.121.1.8].

[{$pagename}]s have two primary uses with [LDAP] [servers|DSA].
First, and most common, is providing a secure communication channel, generally through the use of [SSL] or [StartTLS]. In this case, the negotiation process involves the client encrypting information using the server's [Public Key], so that only the server can decrypt it using its [Private Key], and that information remains [Confidential].


!! Structure of a [{$pagename}][2]
The structure foreseen by the standards is expressed in a formal language, namely [Abstract Syntax Notation One|ASN.1].
The structure of an [X.509] [Certificate] is shown in the [Example Certificate].

!! Other [{$pagename}] Information

* [Certificate Extensions]
* [Certificate Fingerprint]
* [Key pair] - [Public Key], [Private Keys]
* [Certificate Validation]
* [Certificate Level Of Assurance]

!! [{$pagename}] [Security Considerations]
[{$pagename}]s are typically part of the [Public Key Infrastructure] and are therefore subject to all the [Public Key Infrastructure Weaknesses].

!! [Certificate Formats]
Common filename extensions and [Certificate Formats] for X.509 certificates are:
* [.pem|Privacy-Enhanced Mail] – (Privacy Enhanced Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
* [.cer, .crt, .der|Distinguished Encoding Rules] – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
* [.p7b, .p7c|PKCS7] – [PKCS#7|PKCS7] Signed Data structure without data, just certificate(s) or CRL(s)
* [.p12|PKCS12] – [PKCS#12|PKCS12], may contain certificate(s) (public) and [Private Key]s (password protected)
* [.pfx|PKCS12] – PFX, the predecessor of [PKCS#12|PKCS12]; usually contains data in PKCS#12 format (PFX files are typically generated by IIS)

!! Single Binary Certificate
A Single Binary [Certificate] is a [binary] data structure containing the fields listed in [X.509] certificates. [Certificates] are encoded using [Distinguished Encoding Rules] ([DER]).

Be careful when transferring Binary Certificates: always copy them in binary mode (for example binary-mode FTP) when moving them to or from a system, because a text-mode transfer rewrites line-ending bytes and corrupts the [DER] encoding.

Usually, Binary Certificates are stored in one of the [Certificate Formats] when exported from [Certificate Keystores] and when used to transmit and store certificates.
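As an added example (not code from this page or from any referenced project), the following Python script tells PEM from DER, converts between the two formats listed above, and checks the outer DER SEQUENCE length against the file size, which is the cheapest way to spot a binary certificate that was mangled by the kind of text-mode transfer warned about above. The sample DER blob is constructed for the demonstration and is not a real certificate.

```python
import base64
import re

# PEM armour for a certificate; the base64 body may span many lines
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_outer_length(blob: bytes):
    """Parse the outer ASN.1 SEQUENCE header (tag 0x30) of a DER blob and
    return the total size the header claims, or None if it is malformed."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                     # short form: one length byte
        return 2 + first
    n = first & 0x7F                     # long form: n following length bytes
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def is_consistent_der(blob: bytes) -> bool:
    """True when the claimed SEQUENCE size equals the blob size. A text-mode
    copy that rewrites LF as CR LF (or drops bytes) breaks this invariant."""
    return der_outer_length(blob) == len(blob)

def detect_format(blob: bytes) -> str:
    """Classify a certificate file as 'pem', 'der' or 'unknown'."""
    if PEM_RE.search(blob):
        return "pem"
    return "der" if blob[:1] == b"\x30" else "unknown"

def pem_to_der(pem: bytes) -> bytes:
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(m.group(1))  # line breaks are skipped by b64decode

def der_to_pem(der: bytes) -> bytes:
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # 64 chars per line
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")

# Constructed sample: DER SEQUENCE { INTEGER 10 }, NOT a real certificate. It
# contains a 0x0A byte, which an ASCII-mode transfer would turn into 0x0D 0x0A.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x0A])

def simulate_text_mode_transfer(blob: bytes) -> bytes:
    """Mimic an ASCII-mode FTP copy from Unix to Windows: every LF becomes CR LF."""
    return blob.replace(b"\n", b"\r\n")
```

Running `is_consistent_der` on a freshly copied `.der`/`.cer` file before importing it into a keystore catches the line-ending corruption immediately, whereas a PEM file survives such a copy because `b64decode` ignores the extra whitespace.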
 


!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?|https://security.stackexchange.com/questions/56389/ssl-certificate-framework-101-how-does-the-browser-actually-verify-the-validity|target='_blank'] - based on 2015-03-16
* [#2] - [The First Few Milliseconds of an HTTPS Connection|http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html|target='_blank'] - based on 2015-03-16