Digital Certificate


A digital certificate is identification and authentication information issued by a certificate authority (CA) as a guarantee that a key pair is valid for a particular subject.

  • often used as a form of electronic identification for that person
  • contains
    • public key
    • information about the subject and certificate issuer
  • digitally signed to prove that it was issued to the subject by a particular CA
    • with a bare digital signature, someone might have forged the keys used to sign the message
    • i.e., the keys might not belong to the claimed sender; the CA's signature binds the public key to the subject
  • subject can be:
    • human user
    • computer server

Formats

The X.509 standard defines the format of a public key certificate.

  • approved by the International Telecommunication Union (ITU)
  • standardized for Internet use by the Internet Engineering Task Force (IETF) in RFC 5280
  • consists of key-value pairs
  • multiple formats:
    • Privacy Enhanced Mail (PEM) ASCII format
      • defines methods for encoding binary data using Base64
        • is a binary-to-text encoding scheme that represents binary data in ASCII string format
      • filename extension is .pem, .crt, or .cer
    • Distinguished Encoding Rules (DER) binary format
      • is a subset of the Abstract Syntax Notation One (ASN.1) encoding rules
        • ASN.1 is a platform-independent way of describing and encoding data
      • ensures that the contents of a certificate can only be encoded one way
      • filename extension is .der or .cer
    • Personal Information Exchange (PFX) binary format
      • PFX file is a password protected archive file format that contains the certificate and corresponding private key
      • used by a server to import a certificate and private key from a single file
      • filename extension is .pfx
    • Public Key Cryptography Standards #7 (PKCS #7) and PKCS #12 binary formats
      • these formats define a standard syntax for storing encrypted and signed data
      • stored in DER binary or PEM ASCII formats
      • filename extensions are .p7b and .p12
      • created by RSA to promote the use of public key infrastructure
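As an added example (not from the original notes), the following Python uses only the standard library to show the relationship between the PEM and DER formats above and why DER's "only one way to encode" rule matters: it wraps and unwraps a PEM block, and decodes DER type-length-value triples while rejecting the non-minimal length encodings that BER allows but DER forbids. The DER bytes are a constructed toy SEQUENCE (an INTEGER and a UTF8String), not a real certificate, and the tag table covers only the three types it uses.

```python
import base64
import re

# Constructed sample (not a real certificate): DER for
#   SEQUENCE { INTEGER 2, UTF8String "CN" }
# Bytes: 30 07 | 02 01 02 | 0c 02 43 4e
SAMPLE_DER = bytes.fromhex("3007" "020102" "0c02434e")

TAG_NAMES = {0x02: "INTEGER", 0x0C: "UTF8String", 0x30: "SEQUENCE"}


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """PEM is just Base64 of the DER bytes, 64 chars per line, between BEGIN/END armour."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the armour and strictly Base64-decode the body back to DER."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()), validate=True)


def decode_der(data: bytes, pos: int = 0):
    """Decode one TLV at data[pos]; return (tag, value, next_pos).
    Enforces DER's rule that a length has exactly one valid encoding."""
    if pos >= len(data):
        raise ValueError("truncated: no tag")
    tag = data[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported in this example")
    if pos >= len(data):
        raise ValueError("truncated: no length")
    first = data[pos]
    pos += 1
    if first < 0x80:                      # short form: one byte, values 0..127
        length = first
    else:                                 # long form: first byte says how many length bytes follow
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is BER, not DER")
        if pos + n > len(data):
            raise ValueError("truncated length")
        length_bytes = data[pos:pos + n]
        pos += n
        if length_bytes[0] == 0:
            raise ValueError("non-minimal length (leading zero byte)")
        length = int.from_bytes(length_bytes, "big")
        if length < 0x80:
            raise ValueError("non-minimal length (long form used where short form fits)")
    if pos + length > len(data):
        raise ValueError("truncated value")
    return tag, data[pos:pos + length], pos + length


def decode_all(data: bytes):
    """Decode consecutive TLVs into (name, value) pairs; constructed types recurse."""
    items, pos = [], 0
    while pos < len(data):
        tag, value, pos = decode_der(data, pos)
        name = TAG_NAMES.get(tag, f"tag 0x{tag:02x}")
        if tag & 0x20:                    # constructed bit set: contents are more TLVs
            items.append((name, decode_all(value)))
        elif tag == 0x02:
            items.append((name, int.from_bytes(value, "big", signed=True)))
        elif tag == 0x0C:
            items.append((name, value.decode("utf-8")))
        else:
            items.append((name, value))
    return items


def is_strict_der(data: bytes) -> bool:
    """True only if every TLV parses under the strict DER rules above."""
    try:
        decode_all(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem)
    print(decode_all(pem_to_der(pem)))
    # Same content with a BER long-form length (81 07) instead of DER's (07): rejected.
    print(is_strict_der(bytes.fromhex("308107" "020102" "0c02434e")))
```

The rejection of `81 07` is the practical meaning of "can only be encoded one way": a signature is computed over exact bytes, so a verifier that tolerated alternative encodings of the same structure would let two different byte strings claim to be the same certificate.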

X.509 Certificate Format Fields

How it Works

Subject Name Attributes

  • common name (CN) attribute is used to identify the FQDN of the server
    • usage grew by custom rather than design
    • can contain arbitrary information
    • thus now deprecated as a means of validating subject identity

The subject alternative name (SAN) is an extension field in a digital certificate allowing a host to be identified by multiple host names/subdomains.

  • supports different types of identifiers
    • e.g., FQDN, IP addresses
  • if cert is configured with SAN, browser validates this instead of CN
  • allows a cert to represent different subdomains
    • listing each subdomain individually is more secure, but a new cert is needed for each one added
    • wildcard domain (*.example.com) means the cert issued to the parent domain will be accepted as valid for all subdomains
      • for just a single level (z.example.com but not y.z.example.com)

Info

It is still safer to put the FQDN in the CN as well, because not all browsers and implementations stay up to date with the standards.
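The SAN and CN rules above (SAN checked instead of CN when present, a wildcard covering exactly one label, IP address identifiers, and CN as a fallback only for certs without a SAN) as an added example in Python, not part of the original notes. The certificate is represented by a constructed dict rather than a parsed X.509 object, and the name matching follows RFC 6125: a wildcard is accepted only as the entire leftmost label and matches a single label.

```python
import ipaddress


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS identifier from a cert against a hostname.
    '*.example.com' matches 'z.example.com' but not 'y.z.example.com' or 'example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False        # only '*.example.com'; not 'f*.example.com' or '*.*.com'
    if len(p_labels) < 3:
        return False        # refuse '*.com': it would match every domain under a TLD
    if len(p_labels) != len(h_labels):
        return False        # one wildcard covers exactly one label, never several
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, host: str):
    """cert: constructed dict {'cn': str, 'san': [('DNS', name) | ('IP', addr), ...]}.
    Returns 'SAN' or 'CN' naming the attribute that matched, or None."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    san = cert.get("san") or []
    if san:
        for kind, value in san:
            if kind == "DNS" and ip is None and dns_name_matches(value, host):
                return "SAN"
            if kind == "IP" and ip is not None and ipaddress.ip_address(value) == ip:
                return "SAN"
        return None         # SAN present: the CN is not consulted at all
    # Legacy fallback for certs with no SAN; wildcards in a CN get the same single-label rule.
    if ip is None and dns_name_matches(cert.get("cn", ""), host):
        return "CN"
    return None


# Constructed sample certificates (identity fields only; no keys or signatures).
WILDCARD_CERT = {"cn": "*.example.com",
                 "san": [("DNS", "*.example.com"), ("DNS", "example.com")]}
LEGACY_CN_CERT = {"cn": "www.example.com", "san": []}
IP_CERT = {"cn": "gateway", "san": [("IP", "192.0.2.10")]}

if __name__ == "__main__":
    for cert, host in [(WILDCARD_CERT, "z.example.com"),
                       (WILDCARD_CERT, "y.z.example.com"),
                       (LEGACY_CN_CERT, "www.example.com"),
                       (IP_CERT, "192.0.2.10"),
                       (IP_CERT, "gateway")]:
        print(f"{host:20} -> {cert_matches_host(cert, host)}")
```

The `IP_CERT` case shows why the note above still recommends putting the FQDN in the CN: once any SAN is present, a name that appears only in the CN (here `gateway`) no longer matches, so the cert must carry every identifier clients will use as a SAN entry.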

Other Attributes

  • Organization (O)
  • Organizational Unit (OU)
  • Locality (L)
  • State (ST)
  • Country (C)
  • These are concatenated with the common name to form a Distinguished Name (DN)

Info

Different certificate types can be used for purposes other than server/computer identification.

  • User accounts can be issued with email certificates
    • in which case the SAN is an RFC 822 email address
  • A code-signing certificate is used to verify the publisher or developer of software and scripts
    • don’t use a SAN, but the CA must validate the organization and location details to ensure accuracy and that a rogue developer is not attempting to impersonate a well-known software company

Types

  • Web Server Certificate
    • aka domain certificate or SSL/TLS certificate
    • is a certificate that is used by a web server and a web client to establish a secure connection over a network
    • 4 types:
      • domain validation (DV) certificate
        • only verifies the identity of a domain’s owner
      • organization validation (OV) certificate
        • granted to a company or institution
        • CA checks the registration of the company, its address, its business, the applicant name, phone, authority, etc.
        • provides assurance about who is behind the website
      • extended validation (EV) certificate
        • verifies the identity of a domain’s owner, the domain owner’s exclusive control over the domain, and the domain owner’s legal and physical existence
        • highest standard for certification
      • wildcard certificate
        • validates a domain and all the domain’s subdomains
      • subject alternative name (SAN) certificates
        • used by multiple domains owned by the same domain owner
        • aka unified communication certificate (UCC)
  • Root certificate
    • is created and self-signed by a Certificate Authority (CA)
    • self-signed means the certificate issuer and subject are the same
  • Code signing certificate
    • is used by a software developer to digitally sign software programs
    • ensures integrity of a program
  • Email certificate
    • used by an email user to digitally sign emails
  • Machine certificate
    • aka computer certificate
    • is issued to a hardware device
    • used to authenticate a device on a network