Certificates
Last updated
Was this helpful?
Last updated
Was this helpful?
In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer). If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject.
In a typical (PKI) scheme, the certificate issuer is a (CA), usually a company that charges customers to issue certificates for them. By contrast, in a scheme, individuals sign each other's keys directly, in a format that performs a similar function to a public key certificate.
The most common format for public key certificates is defined by . Because X.509 is very general, the format is further constrained by profiles defined for certain use cases, such as as defined in RFC 5280.
Version Number: Version of x509 format.
Serial Number: Used to uniquely identify the certificate within a CA's systems. In particular this is used to track revocation information.
Subject: The entity a certificate belongs to: a machine, an individual, or an organization.
Common Name: Domains affected by the certificate. Can be 1 or more and can contain wildcards.
Country (C): Country
Distinguished name (DN): The whole subject: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
Locality (L): Local place
Organization (O): Organization name
Organizational Unit (OU): Division of an organisation (like "Human Resources").
State or Province (ST, S or P): List of state or province names
Issuer: The entity that verified the information and signed the certificate.
Common Name (CN): Name of the certificate authority
Country (C): Country of the certificate authority
Distinguished name (DN): Distinguished name of the certificate authority
Locality (L): Local place where the organisation can be found.
Organization (O): Organisation name
Organizational Unit (OU): Division of an organisation (like "Human Resources").
Not Before: The earliest time and date on which the certificate is valid. Usually set to a few hours or days prior to the moment the certificate was issued, to avoid problems.
Not After: The time and date past which the certificate is no longer valid.
Public Key: A public key belonging to the certificate subject. (This is one of the main parts as this is what is signed by the CA)
Public Key Algorithm: Algorithm used to generate the public key. Like RSA.
Public Key Curve: The curve used by the elliptic curve public key algorithm (if apply). Like nistp521.
Public Key Exponent: Exponent used to derive the public key (if apply). Like 65537.
Public Key Size: The size of the public key space in bits. Like 2048.
Signature Algorithm: The algorithm used to sign the public key certificate.
Signature: A signature of the certificate body by the issuer's private key.
x509v3 extensions
Key Usage: The valid cryptographic uses of the certificate's public key. Common values include digital signature validation, key encipherment, and certificate signing.
In a Web certificate this will appear as a X509v3 extension and will have the value Digital Signature
Extended Key Usage: The applications in which the certificate may be used. Common values include TLS server authentication, email protection, and code signing.
In a Web certificate this will appear as a X509v3 extension and will have the value TLS Web Server Authentication
Subject Alternative Name: Allows users to specify additional host names for a single SSL certificate. The use of the SAN extension is standard practice for SSL certificates, and it's on its way to replacing the use of the common name.
Basic Constraint: This extension describes whether the certificate is a CA certificate or an end entity certificate. A CA certificate is something that signs certificates of others and a end entity certificate is the certificate used in a web page for example (the last par of the chain).
Subject Key Identifier (SKI): This extension declares a unique identifier for the public key in the certificate. It is required on all CA certificates. CAs propagate their own SKI to the Issuer Key Identifier (AKI) extension on issued certificates. It's the hash of the subject public key.
Authority Key Identifier: It contains a key identifier which is derived from the public key in the issuer certificate. It's the hash of the issuer public key.
Authority Information Access (AIA): This extension contains at most two types of information :
Information about how to get the issuer of this certificate (CA issuer access method)
Address of the OCSP responder from where revocation of this certificate can be checked (OCSP access method).
CRL Distribution Points: This extension identifies the location of the CRL from which the revocation of this certificate can be checked. The application that processes the certificate can get the location of the CRL from this extension, download the CRL and then check the revocation of this certificate.
CT Precertificate SCTs: Logs of Certificate transparency regarding the certificate
Certificate Transparency aims to remedy certificate-based threats by making the issuance and existence of SSL certificates open to scrutiny by domain owners, CAs, and domain users. Specifically, Certificate Transparency has three main goals:
Make it impossible (or at least very difficult) for a CA to issue a SSL certificate for a domain without the certificate being visible to the owner of that domain.
Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.
Certificate logs are simple network services that maintain cryptographically assured, publicly auditable, append-only records of certificates. Anyone can submit certificates to a log, although certificate authorities will likely be the foremost submitters. Likewise, anyone can query a log for a cryptographic proof, which can be used to verify that the log is behaving properly or verify that a particular certificate has been logged. The number of log servers doesn’t have to be large (say, much less than a thousand worldwide), and each could be operated independently by a CA, an ISP, or any other interested party.
There are different formats that can be used to store a certificate.
It is the most common format used for certificates
Most servers (Ex: Apache) expects the certificates and private key to be in a separate files - Usually they are Base64 encoded ASCII files - Extensions used for PEM certificates are .cer, .crt, .pem, .key files - Apache and similar server uses PEM format certificates
The DER format is the binary form of the certificate
All types of certificates & private keys can be encoded in DER format
DER formatted certificates do not contain the "BEGIN CERTIFICATE/END CERTIFICATE" statements
DER formatted certificates most often use the ‘.cer’ and '.der' extensions
DER is typically used in Java Platforms
The PKCS#7 or P7B format is stored in Base64 ASCII format and has a file extension of .p7b or .p7c
A P7B file only contains certificates and chain certificates (Intermediate CAs), not the private key
The most common platforms that support P7B files are Microsoft Windows and Java Tomcat
The PKCS#12 or PFX/P12 format is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file
These files usually have extensions such as .pfx and .p12
They are typically used on Windows machines to import and export certificates and private keys
Convert x509 to PEM
Convert DER to PEM
Convert PEM to P7B
Note: The PKCS#7 or P7B format is stored in Base64 ASCII format and has a file extension of .p7b or .p7c. **A P7B file only contains certificates and chain certificates (Intermediate CAs), not the private key. The most common platforms that support P7B files are Microsoft Windows and Java Tomcat.
Convert PKCS7 to PEM
Convert pfx to PEM
Note: The PKCS#12 or PFX format is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.
Convert PFX to PKCS#8 Note: This requires 2 commands
1- Convert PFX to PEM
2- Convert PEM to PKCS8
Convert P7B to PFX Note: This requires 2 commands
1- Convert P7B to CER
2- Convert CER and Private Key to PFX
OCSP (RFC 2560) is a standard protocol that consists of an OCSP client and an OCSP responder. This protocol determines revocation status of a given digital public-key certificate without having to download the entire CRL. CRL is the traditional method of checking certificate validity. A CRL provides a list of certificate serial numbers that have been revoked or are no longer valid. CRLs let the verifier check the revocation status of the presented certificate while verifying it. CRLs are limited to 512 entries. From .
You can query the logs of Certificate Transparency of any domain in .