- 1. Public key certificate
- 1. Definition:
- 2. The certificate includes
- 3. the processes for proving
- 4. The different fields for using
- 5. Types of certificate
- 1. TLS/SSL server certificate (TLS: formerly known as SSL)
- 2. TLS/SSL client certificate
- 3. Email certificate
- 4. Code signing certificate
- 5. Qualified certificate (Qualified digital certificate)
- 6. Root certificate
- 7. Intermediate certificate
- 8. End-entity or leaf certificate
- 9. Self-signed certificate
- 2. Root certificate
- 3. Qualified digital certificate
- 4. Certificate authority (certification authority) (A.K.A CA)
1. Public key certificate
public key certificate (aka: a
digital certificate or
identity certificate) is an electronic document used to prove the
ownership of a public key.
2. The certificate includes
- information about the
- information about the
identity of its owner(called the
digital signature of an entitythat has verified the certificate’s contents (called the
3. the processes for proving
- the signature is
examining the certificate trusts the issuer.
use that key to communicate securely with the certificate's subject.
4. The different fields for using
code signing, and
e-signature systems, a certificate’s subject is typically
a person or organization.
Transport Layer Security (TLS)a certificate’s subject is typically
a computer or other device, though TLS certificates may identify
organizations or individuals in addition to their core role in identifying devices.
In a typical public-key infrastructure (PKI)scheme, the certificate issuer is a certificate authority (CA), usually a company that charges customers to issue certificates for them.
In a web of trust scheme,
individuals sign each other's keys directly, in a format that performs a similar function to a public key certificate.
5. Types of certificate
1. TLS/SSL server certificate (TLS: formerly known as SSL)
1. server: is required to present a
certificate as part of the
initial connection setup.
2. client: connecting to that server will perform the
certification path validation algorithm
The subject of the certificate matches the hostname to which the client is trying to connect.
The certificate is signed by a trusted certificate authority.
primary hostname (domain name of the website) is listed as the
Common Name in the
Subject field of the certificate. A certificate may be valid for multiple hostnames (multiple websites). Such certificates are commonly called
Subject Alternative Name (SAN) certificates or
Unified Communications Certificates (UCC certificates).
contain the field
Subject Alternative Name, though many CAs will also put them into the
Subject Common Name field for
backward compatibility. If some of the hostnames contain an asterisk (*), a certificate may also be called a
A TLS server may be configured with a
self-signed certificate. When that is the case, clients will
generally be unable to verify the certificate, and
will terminate the connection unless certificate checking is disabled.
2. TLS/SSL client certificate
Client certificates are
less common than server certificates, and are used to
authenticate the client connecting to a TLS service, for instance to
provide access control.
most servicesprovide access to individuals, rather than devices, most client certificates contain an email address or personal name rather than a hostname.
authentication is usually managed by the service provider, client certificates are
not usually issued by a public CA that provides server certificates.
Instead, the operator of a service that requires client certificates will generally operate
their own internal CA to issue them. Client certificates are supported by many web browsers, but
cookiesto authenticate users, instead of client certificates.
Client certificates are more common in RPC systems, where they are used to authenticate devices to ensure that only authorized devices can make certain RPC calls.
3. Email certificate
S/MIME protocol for secure email,
senders need to discover
which public key to use for any
given recipient. They get this information from an email certificate. Some publicly trusted certificate authorities provide email certificates, but more commonly S/MIME is used when communicating within a given organization, and that organization runs its own CA, which is trusted by participants in that email system.
4. Code signing certificate
Certificates can also be used to
validate signatures on programs to ensure they were
not tampered with during delivery. Authenticode is one example of a code signing scheme.
5. Qualified certificate (Qualified digital certificate)
A certificate identifying an individual, typically for
electronic signature purposes. These are most commonly used in Europe, where the eIDAS regulation standardizes them and requires their recognition.
6. Root certificate
self-signed certificate used to sign other certificates. Also sometimes called a
7. Intermediate certificate
A certificate used to sign other certificates. An intermediate certificate must be signed by another intermediate certificate, or a root certificate
8. End-entity or leaf certificate
Any certificate that cannot be used to sign other certificates. For instance, TLS/SSL server and client certificates, email certificates, code signing certificates, and qualified certificates are all end-entity certificates.
9. Self-signed certificate
A certificate with a subject that
matches its issuer, and a signature that can be verified by
its own public key. Most types of certificate can be self-signed. Self-signed certificates are also often called
snake oil certificates to emphasize their untrustworthiness.
2. Root certificate
root certificate is a
public key certificate that identifies a root certificate authority (CA)
2. How to use
- Root certificates are
self-signedand form the basis of an X.509-based public key infrastructure (PKI). Either it has matched
Authority Key Identifier with Subject Key Identifier,
in some cases there is
no Authority Key identifier, then Issuer string should match with Subject string (RFC5280).
For instance, the PKIs supporting HTTPS for secure web browsing and electronic signature schemes depend on a set of root certificates.
3. The tree structure of the certificate
A certificate authority can issue multiple certificates in the form of a
root certificateis the
top-most certificate of the tree, the
private keywhich is used to “sign” other certificates.
Allcertificates signed by the
root certificate, with the “CA” field set to true, inherit the trustworthiness of the root certificate—a signature by a root certificate is somewhat analogous to “notarizing” an identity in the physical world. Such a certificate is called an
subordinate CA certificate. Certificates further down the tree also depend on the
trustworthiness of the intermediates.
The root certificate is usually made
some mechanism other than a certificate, such as by secure physical distribution. For example, some of the most well-known root certificates are distributed in operating systems by their manufacturers. Microsoft distributes root certificates belonging to members of the Microsoft Root Certificate Program to Windows desktops and Windows Phone 8. Apple distributes root certificates belonging to members of its own root program.
3. Qualified digital certificate
A qualified digital certificate is a
public key certificate issued by a
qualified trust service provider that ensures the
data integrity of an electronic signature and
its accompanying message and/or attached data.
a certificate authority or certification authority (CA) is an
entity that issues digital certificates. A digital certificate certifies the
ownership of a public key by the named subject of the certificate. This allows
others (relying parties) to
rely upon signatures or
on assertions made about the private key that corresponds to the certified public key. A CA acts as a
trusted third party—trusted both by the
subject (owner) of the certificate and by the
party relying upon the certificate. The format of these certificates is specified by the X.509 standard.
2. How to use
Sign certificates used in HTTPS, the secure browsing protocol for the World Wide Web.
Common use is in issuing identity cards by national governments for use in electronically signing documents.