Digital Certificate with example:
In this post, we will try covering topic Digital Certificates with an example certificate.
Content:
1. Example of Digital Certificate
2. Certificate Terminology
3. Digital Certificate definition
4. Class of Certificates
5. Certificate Extension
6. Certificate Fields
7. Good to know facts about Certificate.
Example of Digital Certificate
Before we know anything about certificates, its good know where and how certificates are used. In this post, i will try covering what are certificates, why are certificates used for.
Asymmetric key encryption, Public key infrastructure (PKI) are the places where certificates are used.
Imagine party A and party B wants to exchange a secret code like password between them and currently they don't have any prior communication between them.
To Solve this problem, party A will have private key and public key with him. party B also has its own private and public key with in.
public will be shared with all, private keys are never shared to any one.
Now if Party A wants to send secret code to party B.
Party A will use party B public key and encrypt the data and send it across to party B.
Only Party B knows its private key, so only party B will be able to decrypt the secret code .
Lengthy example but this a one of basic use case of PKI.
Second example, more practical one
One more example is HTTPS communication in a browser. it uses PKI.
Certificate Terminology
CA : Certificate Authority
DN: Distinguished Name
PKI: Pulbic Key infrastructure
What is Digital Certificate:
A certificate is based on the X.509 standard and which holds information about an individual or an organization or a company to which a certificate is issued. .
It holds a public key.
It also holds the information about certificate authority that issued the certificate.
Encoding used for a certificate: ASN.1 ( Abstract Syntax Notation One).
Each Field in the certificate are tagged with a number.
Sample Certificate:
A certificate contains
Certificate can be used for encryption of emails, signing a library file etc.
Types of Certificate:
Definition of class might vary from vendor to vendor.
Class 0
Type of certificate used for demo or test purpose.
Class 1
Issued to individuals.
Contains name (alias name) and email address of the individual
Usage : Digitally sign email, Encrypt email
It does not facilitate strong authentication of the identity
Class 2
Certificates are issued as Managed Digital Certificates
Class 3
Class 3 certificate are issued to individuals and servers. It provides important assurance of identity of individuals It is used for Digital signature , encryption of messages.
As per Verisign
class 1: Individuals
class 2 : organizations
Class 3 : servers and software signing
Class 4 : Business transaction
Class 5 : Government security etc.
This classification may vary from authority to authority.
Digital Certificate Extension:
Extensions are used to associate additional information with the user or public key etc.
Each extension has
Critical Extension
If a critical extension is not understood the certificate should be refused.
Critical flag value is true.
Yellow mark is seen on the critical extension
Basic Constraint critical extension specifies if the certificate can be used to sign other certificate.
Non Critical Extension
If a critical extension is not understood the certificate may not be refused. This extension is ignored.
Critical flag is false in the certificate
Subject Alternate Names is non critical extension contain alternative name like email or such.
Digital certificate and its each field in details
Version : its version number of the certificate.
Version: v3, is a X.509 Version 3 Certificate refer for more details https://www.ietf.org/rfc/rfc2459
Serial number: Its a unique number that identifies a certificate.
A Signature is cryptographic signature of the content of the certificate.it is made up of issuer private key and it can be verified with issuer public key.
Signature Algorithm: Algorithm used to create certificate.
Signature Hash Algorithm
Issuer:
Certificate Authority who issued the certificate.
Valid From: Date and Time the certificate is issued from.
Valid To: Date and Time the certificate is valid to use.
Public Key: The public key is present in a certificate and it has a corresponding private key which is not present in cer.
Public Key Parameters:
parameters are used over many key exchanges
Subject:
A subject contains distinguished name. it contains common name, optionally contain other details like organization unit, country etc. Subject is entity to whom certificate is issued.
CRL Distribution list:
contains the URL list of website that contains Certificate Revocation list. When a certificate is revoked, the information is sent to the CA and the CA authenticates the request and advertises the revoked certificate in the Certificate Revocation List. URL would contain that list.
Certificate Policies
Certificate Policies is a set of rules that defines how the CA will issue the certificates.
Certificate Practice Statements
It is a document written in text that describes how the CA plans to manage the certificates that it issues.
Thumbprint algorithm
The algorithm used to create the unique value of the certificate.
Example : sha1
Thumbprint
The unique value that identifies the certificate. This can be checked with the issuer of the certificate.
Authority Key Identifier
The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a certificate
Subject key identifiers SHOULD be derived from the public key or a method that generates unique values.
Authority Info Access (AIA)
AIA extension allows SSL/TLS clients to go get the missing intermediate certificates, not presented by the server. This extension, that adds in the final certificate a CA Issuer containing a URL, allows the browser to find the missing certificate and to check the chain again.
Good to know facts:
Generally : VeriSign, Entrust, Thwate, GeoTrust
In Internet explorer you can find the list of trusted authorities in
Tools->Internet Options -> Content->Certificates -> Trusted Root Certificate Authorities.
In this post, we will try covering topic Digital Certificates with an example certificate.
Content:
1. Example of Digital Certificate
2. Certificate Terminology
3. Digital Certificate definition
4. Class of Certificates
5. Certificate Extension
6. Certificate Fields
7. Good to know facts about Certificate.
Example of Digital Certificate
Before we know anything about certificates, its good know where and how certificates are used. In this post, i will try covering what are certificates, why are certificates used for.
Asymmetric key encryption, Public key infrastructure (PKI) are the places where certificates are used.
Imagine party A and party B wants to exchange a secret code like password between them and currently they don't have any prior communication between them.
To Solve this problem, party A will have private key and public key with him. party B also has its own private and public key with in.
public will be shared with all, private keys are never shared to any one.
Now if Party A wants to send secret code to party B.
Party A will use party B public key and encrypt the data and send it across to party B.
Only Party B knows its private key, so only party B will be able to decrypt the secret code .
Lengthy example but this a one of basic use case of PKI.
Second example, more practical one
One more example is HTTPS communication in a browser. it uses PKI.
 |
| HTTPS OPTION |
Certificate Terminology
CA : Certificate Authority
DN: Distinguished Name
PKI: Pulbic Key infrastructure
What is Digital Certificate:
A certificate is based on the X.509 standard and which holds information about an individual or an organization or a company to which a certificate is issued. .
It holds a public key.
It also holds the information about certificate authority that issued the certificate.
Encoding used for a certificate: ASN.1 ( Abstract Syntax Notation One).
Each Field in the certificate are tagged with a number.
Sample Certificate:
 |
| Certificate |
A certificate contains
 |
| digital certificate |
Certificate can be used for encryption of emails, signing a library file etc.
Types of Certificate:
Definition of class might vary from vendor to vendor.
Class 0
Type of certificate used for demo or test purpose.
Class 1
Issued to individuals.
Contains name (alias name) and email address of the individual
Usage : Digitally sign email, Encrypt email
It does not facilitate strong authentication of the identity
Class 2
Certificates are issued as Managed Digital Certificates
Class 3
Class 3 certificate are issued to individuals and servers. It provides important assurance of identity of individuals It is used for Digital signature , encryption of messages.
As per Verisign
class 1: Individuals
class 2 : organizations
Class 3 : servers and software signing
Class 4 : Business transaction
Class 5 : Government security etc.
This classification may vary from authority to authority.
Digital Certificate Extension:
Extensions are used to associate additional information with the user or public key etc.
Each extension has
- Extension ID
- Critical flag
- Extension value.
Critical Extension
If a critical extension is not understood the certificate should be refused.
Critical flag value is true.
Yellow mark is seen on the critical extension
Basic Constraint critical extension specifies if the certificate can be used to sign other certificate.
Non Critical Extension
If a critical extension is not understood the certificate may not be refused. This extension is ignored.
Critical flag is false in the certificate
Subject Alternate Names is non critical extension contain alternative name like email or such.
Digital certificate and its each field in details
Version : its version number of the certificate.
Version: v3, is a X.509 Version 3 Certificate refer for more details https://www.ietf.org/rfc/rfc2459
Serial number: Its a unique number that identifies a certificate.
A Signature is cryptographic signature of the content of the certificate.it is made up of issuer private key and it can be verified with issuer public key.
Signature Algorithm: Algorithm used to create certificate.
Signature Hash Algorithm
Issuer:
Certificate Authority who issued the certificate.
Valid From: Date and Time the certificate is issued from.
Valid To: Date and Time the certificate is valid to use.
Public Key: The public key is present in a certificate and it has a corresponding private key which is not present in cer.
Public Key Parameters:
parameters are used over many key exchanges
Subject:
A subject contains distinguished name. it contains common name, optionally contain other details like organization unit, country etc. Subject is entity to whom certificate is issued.
CRL Distribution list:
contains the URL list of website that contains Certificate Revocation list. When a certificate is revoked, the information is sent to the CA and the CA authenticates the request and advertises the revoked certificate in the Certificate Revocation List. URL would contain that list.
Certificate Policies
Certificate Policies is a set of rules that defines how the CA will issue the certificates.
Certificate Practice Statements
It is a document written in text that describes how the CA plans to manage the certificates that it issues.
Thumbprint algorithm
The algorithm used to create the unique value of the certificate.
Example : sha1
Thumbprint
The unique value that identifies the certificate. This can be checked with the issuer of the certificate.
Authority Key Identifier
The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a certificate
Subject Key Identifier
Subject key identifiers SHOULD be derived from the public key or a method that generates unique values.
Authority Info Access (AIA)
AIA extension allows SSL/TLS clients to go get the missing intermediate certificates, not presented by the server. This extension, that adds in the final certificate a CA Issuer containing a URL, allows the browser to find the missing certificate and to check the chain again.
 |
| AIA |
Good to know facts:
- Self Signed certificate are self generated certificate with issuer and subject been same.
- Well known certificate authorities:
Generally : VeriSign, Entrust, Thwate, GeoTrust
In Internet explorer you can find the list of trusted authorities in
Tools->Internet Options -> Content->Certificates -> Trusted Root Certificate Authorities.
 |
| internet explorer |
