Just another tech site

5. Certificates


A public key certificate, usually just called a certificate, is a digitally-signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key. [1]

Purporse of certificate:

1.- Authentication: The digital certificate is a common credential that provides a means to verify identity.
2.- Privacy: Certificates enable privacy of transmitted data using a number of different methods.
3.- Encryption: public key encryption. If user A will send user B some sensitive data, user A will get the user B public key from the user B certificate. The data will be encrypted. User B will be able to decrypt the data using his private key.
4.- Digital signature: A digital signature is a way to ensure the integrity and origin of data.

Types of certificates

Certificate Authority (CA) certificates

A Certificate Authority certificate is a digital credential that validates the identity of the Certificate Authority (CA) that owns the certificate.Others can use the CA certificate’s public key to verify the authenticity of the certificates that the CA issues and signs.

Server or client certificates

A server or client certificate is a digital credential that identifies the server or client application that uses the certificate for secure communications. Server or client certificates contain identifying information about the organization that owns the application, such as the system’s distinguished name. The certificate also contains the system’s public key. A server must have a digital certificate to use the Secure Sockets Layer (SSL) for secure communications. Applications that support digital certificates can examine a server’s certificate to verify the identity of the server when the client accesses the server. The application can then use the authentication of the certificate as the basis for initiating an SSL-encrypted session between the client and the server. You can manage these types of certificates from the *SYSTEM certificate store only.

Object signing certificates

An object signing certificate is a certificate that you use to digitally “sign” an object. By signing the object, you provide a means by which you can verify both the object’s integrity and the origination or ownership of the object. You can use the certificate to sign a variety of objects, including most objects in the Integrated File System and *CMD objects. You can find a complete list of signable objects in the Object signing and signature verification topic. When you use an object signing certificate’s private key to sign an object, the receiver of the object must have access to a copy of the corresponding signature verification certificate in order to properly authenticate the object signature. You can manage these types of certificates from the *OBJECTSIGNING certificate store only.

Signature verification certificates

A signature verification certificate is a copy of an object signing certificate without that certificate’s private key. You use the signature verification certificate’s public key to authenticate the digital signature created with an object signing certificate. Verifying the signature allows you to determine the origin of the object and whether it has been altered since it was signed. You can manage these types of certificates from the *SIGNATUREVERIFICATION certificate store only.

User certificates

A user certificate is a digital credential that validates the identity of the client or user that owns the certificate. Many applications now provide support that allows you to use certificates to authenticate users to resources instead of user names and passwords. Digital Certificate Manager (DCM) automatically associates user certificates that your private CA issues with the user’s profile. You can also use DCM to associate user certificates that other Certificate Authorities issue with the user’s profile.

X.509 certificate format

Contents of a typical digital certificate

– Serial Number: Used to uniquely identify the certificate.
– Subject: The person, or entity identified.
– Signature Algorithm: The algorithm used to create the signature.
– Issuer: The entity that verified the information and issued the certificate.
– Valid-From: The date the certificate is first valid from.
– Valid-To: The expiration date.
– Key-Usage: Purpose of the public key (e.g. encipherment, signature, certificate signing…).
– Public Key: the purpose of SSL when used with HTTP is not just to encrypt the traffic, but also to authenticate who the owner of the website is, and that someone’s been willing to invest time and money into proving the authenticity and ownership of their domain.
– Thumbprint Algorithm: The algorithm used to hash the certificate.
– Thumbprint: The hash itself to ensure that the certificate has not been tampered with.

The certificate also contains some variable information. this will be regrouped in a extension section
the “enhanced key usage” specify the objectif of the sertificate

Certificate filename extensions

File extention

Common filename extensions for X.509 certificates are:

.pem (Privacy Enhanced Mail) Base64 encoded DER certificate, enclosed between “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–“
.cer, .crt, .der usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
.p7b, .p7c PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
.p12 PKCS#12, may contain certificate(s) (public) and private keys (password protected)
.pfx PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)

PKCS#7 is a standard for signing or encrypting (officially called “enveloping”) data. Since the certificate is needed to verify signed data, it is possible to include them in the SignedData structure. A .P7C file is a degenerated SignedData structure, without any data to sign.

PKCS#12 evolved from the personal information exchange (PFX) standard and is used to exchange public and private objects in a single file.

Windows icons

SSL certificate Sample

The following screenshot we will show the content of the godaddy.com public information.
in the internet browser just select the view certificate option

The genral information will show the basic information of the certificate

The detailed section will present the certificate hioerarchy. from the Certificate authority down to the certificate itself.

Another view of the detailed information

Windows Certificate Tools

Windows Certificate stores

The storage location is called the certificate store. A certificate store will often have numerous certificates, possibly issued from a number of a different certification authorities.
the public/private key pair is imported into something called the “Windows Protected Store”

Cert manager


[1] http://technet.microsoft.com/en-us/library/cc728388(WS.10).aspx
[2] http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=%2Frzahu%2Frzahutypesofcerts.htm
[3] http://en.wikipedia.org/wiki/X.509


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Tag Cloud

%d bloggers like this: