Certificates Part2 PDF

The X.509 standard defines the format for digital certificates. A certificate contains the certificate version, serial number, signature algorithm, issuer name, validity period, subject name, subject's public key, and signature. Certificates are issued by Certification Authorities (CAs) and include the CA's signature. Multiple CAs can exist in a hierarchy, with CAs exchanging public keys so users can verify certificates issued by other CAs. CAs maintain Certificate Revocation Lists (CRLs) to revoke certificates before expiration if needed, such as if a user's private key is compromised.

Uploaded by Shiva prasad

X.509 Certificate Format


• The general format for a certificate is:
  • Version V
  • Serial number SN
  • Signature algorithm identifier AI
  • Issuer Name CA
  • Period of Validity TA
  • Subject Name A
  • Subject’s Public-key Information Ap
  • Issuer Unique Identifier (added in Version 2)
  • Subject Unique Identifier (added in Version 2)
  • Extensions (added in Version 3)
  • Signature

X.509 Standard Notation

• User certificates generated by a CA use the following standard notation:

  CA<<A>> = CA {V, SN, AI, CA, TA, A, Ap}

  where
  Y<<X>> = the certificate of user X issued by the certification authority Y
  Y {I} = the signing of I by Y, consisting of I with an encrypted hash code appended.

X.509: Obtaining A User Certificate

• User certificates generated by a CA have the following characteristics:
  • Any user with access to the public key of the CA can recover the user public key that was certified.
  • No party other than the CA can modify the certificate without being detected.
  • Since they are unforgeable, they can be placed in a directory without the need for the directory to make special efforts to protect them.

X.509: CA Trust Issues

• If all users subscribe to the same CA, then there is a common trust of that CA.
  • All user certificates can be placed in the directory for access by all users.
  • Any user can transmit his/her certificate directly to other users.
• Once B is in possession of A’s certificate, B has confidence that:
  • Messages it encrypts with A’s public key will be secure.
  • Messages signed with A’s private key are unforgeable.

X.509: Multiple CAs

• Large user community
  • Not practical for a single CA to support all users
  • More practical to have multiple CAs
  • Each CA provides its public key to a smaller user group

X.509 Multiple CAs: Problem

• Consider this scenario …
  • User A obtained A’s certificate from CA X1.
  • User B obtained B’s certificate from CA X2.
  • If A does not know X2’s public key, B’s certificate is useless:
    • A can read B’s certificate
    • A cannot verify the signature

X.509 Multiple CAs: Solution

• Solution: CAs X1 and X2 exchange public keys
• Now…
  • A gets X2’s certificate signed by X1
  • A gets B’s certificate signed by X2
  • Now, A has a trusted copy of X2’s public key
    • Verifies the signature on B’s certificate
    • Obtains B’s public key

X.509: CA Hierarchy Example

(diagram only; not reproduced in the text extraction)

X.509: Certificate Revocation

• Certificates have a period of validity, a lifetime.
  • Normally, a new one is issued just prior to the expiration of the old one.
• In some cases, a certificate may need to be revoked prior to its expiration:
  • User’s secret key is assumed to be compromised.
  • User is no longer certified by this CA.
  • CA certificate is assumed to be compromised.

X.509: Certificate Revocation List (CRL)

• Each CA maintains a list of all revoked, not-yet-expired certificates:
  • issued by that CA to users
  • issued to other CAs
• The Certificate Revocation List (CRL) posted to the directory is signed by the issuer and includes:
  • issuer’s name
  • list creation date
  • next CRL creation date
  • revoked certificate entries (serial number and revocation date)
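As an added example (not part of the slides), here is the notation CA<<A>> = CA{V, SN, AI, CA, TA, A, Ap} and the Multiple CAs scenario in runnable Python: user A, trusting only X1, validates the path X1<<X2>> then X2<<B>>, checking each signature, validity period and the issuer's signed CRL. Y{I} is modelled with a toy RSA over tiny constructed primes (structure only); the CA names, serial numbers and dates are constructed.

```python
import hashlib, json

def toy_keys(p, q, e):                       # toy RSA (constructed, tiny primes)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)           # public (n, e), private d

X1_PUB, X1_PRIV = toy_keys(61, 53, 17)       # CA X1, the CA user A trusts
X2_PUB, X2_PRIV = toy_keys(89, 97, 5)        # CA X2, which certified user B
B_PUB, _B_PRIV = toy_keys(101, 103, 7)       # user B
def hash_code(body):
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(body, priv, pub):                   # Y{I}: I with encrypted hash appended
    return {"body": body, "sig": pow(hash_code(body) % pub[0], priv, pub[0])}

def verify(signed, pub):
    return pow(signed["sig"], pub[1], pub[0]) == hash_code(signed["body"]) % pub[0]

def issue(ca, ca_priv, ca_pub, sn, subj, subj_pub, nb, na):
    # CA<<A>> = CA{V, SN, AI, CA, TA, A, Ap}
    body = {"V": 3, "SN": sn, "AI": "toy-rsa-sha256", "CA": ca, "TA": [nb, na],
            "A": subj, "Ap": list(subj_pub)}
    return sign(body, ca_priv, ca_pub)
def make_crl(ca, ca_priv, ca_pub, created, nxt, revoked):
    # CRL signed by the issuer: name, creation date, next CRL date, (serial, date) entries
    body = {"issuer": ca, "created": created, "next": nxt, "revoked": dict(revoked)}
    return sign(body, ca_priv, ca_pub)

def validate_chain(chain, trusted, today, crls):
    # Verify each cert with the key recovered from the previous one, then period and CRL.
    issuer, key = trusted
    for cert in chain:
        body = cert["body"]
        if body["CA"] != issuer or not verify(cert, key):
            return None, f"{body['A']}: not verifiable with {issuer}'s key"
        if not body["TA"][0] <= today <= body["TA"][1]:
            return None, f"{body['A']}: outside validity period"
        crl = crls.get(issuer)
        if crl is None or not verify(crl, key) or today > crl["body"]["next"]:
            return None, f"{issuer}: no current signed CRL"
        if body["SN"] in crl["body"]["revoked"]:
            return None, f"{body['A']}: revoked by {issuer}"
        issuer, key = body["A"], tuple(body["Ap"])
    return key, "ok"
# Constructed scenario: X1 and X2 exchanged keys, so A holds X1<<X2>> and X2<<B>>.
X1_X2 = issue("X1", X1_PRIV, X1_PUB, 1001, "X2", X2_PUB, "2024-01-01", "2026-01-01")
X2_B = issue("X2", X2_PRIV, X2_PUB, 42, "B", B_PUB, "2024-06-01", "2025-06-01")
CRLS = {"X1": make_crl("X1", X1_PRIV, X1_PUB, "2024-09-01", "2024-10-01", []),
        "X2": make_crl("X2", X2_PRIV, X2_PUB, "2024-09-01", "2024-10-01", [])}
```

Calling validate_chain([X1_X2, X2_B], ("X1", X1_PUB), "2024-09-10", CRLS) returns B's public key; passing only X2<<B>> fails because A holds no trusted copy of X2's key, which is the Problem slide's situation.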
