Having heard lot of times about the X.509, thought to do some study on what it is. Here are some notes from attempts to understand the concepts
X.509 is and ITU-T standard for PKI (Public Key infrastructure) and PMI (Privilege Management Infrastructure). It defines formats for public key certificates, certification revoke lists, attribute certificates, and certification path verification algorithm
This standard assumes strict hierarchical system of Certificate Authorities (CAs) for issuing certificates. In X.509 system, a CA issues a certificate binding a public key to a distinguished name or a email address or a DNS entry.
The main parts of a certificate are: Version, Serial number, Algorithm ID, Issuer, Validity, Subject, Subject Public Key Info, Issuer Unique Identifier, Subject Unique Identifier, Extensions, Certificate Signature algorithm, Certificate Signature.
The below is how the X.505 PKI works
- When an entity say www.test.com wants to have a certificate, it requests a CA such as Verisign to issue a certificate
- CA checks the background of the company who is owner of www.test.com, and after this, the certificate is issued.
- www.test.com then places the certificate into the web page
- when a user downloads the www.test.com pages, the browser checks if the certificate is issued in the name of test and the webpage is test.
- It also checks whether the Digital Signature of the certificate. The digital signature of a certificate is generated by using the private key of the certificate and the computed hash of the certificate. This is added to the certificate which is later used to verify. The digital signature is decoded to get the hash value using the public key of the certificate at the certificate user end. The hash if changed, then it means that the certificate is tampered.
- As part of the OS installation, a certain CA certificates would have been installed in the computer/device. when a certificate is downloaded, the local certificate is used to verify whether the certificate is trusted by the CA.
Common file extensions for the X.509 certificates are: .pem (privacy-enhanced electronic email, which is a Base64 encoded DER file, having -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, .cer, .der, .crt OR .p7b, .p7c which is SignedData structure without data, but only certificates and CRLs optionally. .p12 (PKCS#12) may contain certificate, public and private keys OR .pfx, predecessor of PKCS#12.
X.509 is and ITU-T standard for PKI (Public Key infrastructure) and PMI (Privilege Management Infrastructure). It defines formats for public key certificates, certification revoke lists, attribute certificates, and certification path verification algorithm
This standard assumes strict hierarchical system of Certificate Authorities (CAs) for issuing certificates. In X.509 system, a CA issues a certificate binding a public key to a distinguished name or a email address or a DNS entry.
The main parts of a certificate are: Version, Serial number, Algorithm ID, Issuer, Validity, Subject, Subject Public Key Info, Issuer Unique Identifier, Subject Unique Identifier, Extensions, Certificate Signature algorithm, Certificate Signature.
The below is how the X.505 PKI works
- When an entity say www.test.com wants to have a certificate, it requests a CA such as Verisign to issue a certificate
- CA checks the background of the company who is owner of www.test.com, and after this, the certificate is issued.
- www.test.com then places the certificate into the web page
- when a user downloads the www.test.com pages, the browser checks if the certificate is issued in the name of test and the webpage is test.
- It also checks whether the Digital Signature of the certificate. The digital signature of a certificate is generated by using the private key of the certificate and the computed hash of the certificate. This is added to the certificate which is later used to verify. The digital signature is decoded to get the hash value using the public key of the certificate at the certificate user end. The hash if changed, then it means that the certificate is tampered.
- As part of the OS installation, a certain CA certificates would have been installed in the computer/device. when a certificate is downloaded, the local certificate is used to verify whether the certificate is trusted by the CA.
Common file extensions for the X.509 certificates are: .pem (privacy-enhanced electronic email, which is a Base64 encoded DER file, having -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, .cer, .der, .crt OR .p7b, .p7c which is SignedData structure without data, but only certificates and CRLs optionally. .p12 (PKCS#12) may contain certificate, public and private keys OR .pfx, predecessor of PKCS#12.
No comments:
Post a Comment