https://wiki.openssl.org/index.php?action=history&feed=atom&title=Talk%3ACertificate_LifecycleTalk:Certificate Lifecycle - Revision history2026-04-10T09:57:57ZRevision history for this page on the wikiMediaWiki 1.35.13https://wiki.openssl.org/index.php?title=Talk:Certificate_Lifecycle&diff=1023&oldid=prevPhilippe lhardy: digest of mailling list exchanges2013-05-25T06:41:54Z<p>digest of mailling list exchanges</p>
<p><b>New page</b></p><div>I don't believe this is correct: "Certificates are NOT free" Obtaining<br />
a certificate from a well known Certificate Authority typically<br />
requires that you pay a fee.<br />
<br />
StartCom issues free Class 1 Certificates. The cost is in revocation,<br />
and Startcom is unique in that they charge on the back side if<br />
revocation is required, rather than the front side like most CAs.<br />
<br />
For completeness, Class 1 is the lowest class, while Class 3 or 4 (or<br />
whatever N they choose - its arbitrary and meant to baffle the<br />
purchaser) is the highest class. I think "Extended Validation" or EV<br />
Certificates are usually about a Class 3.<br />
<br />
Jeff<br />
___<br />
<br />
I don't believe this is correct: A certificate knows from its creation<br />
what job it will do. There is no way a certificate issued for<br />
authenticating a server can be used in a browser to identify a user.<br />
Certificates have a purpose.<br />
<br />
If you enforce Basic Constraints, Key Usage (KU), and Extended Key<br />
Usage (EKU), most PKIs break. Confer: "Code Signing: Breaks for Device<br />
when enforcing Basic Constraints on WWDR CA,"<br />
http://openradar.appspot.com/radar?id=3011403. There's tens of<br />
thousands of other examples.<br />
<br />
Jeff<br />
___<br />
<br />
I don't believe this is correct: "A Certificate without a private key<br />
is like glasses without eyes" A certificate does not contain the<br />
private key. If you have a certificate and you lose your private key,<br />
then the certificate is unusable.<br />
<br />
After a signing key is retired, a CPS will often state the private key<br />
is destroyed to ensure no new signatures. The certificate (and its<br />
public key) are still needed for signature verification.<br />
<br />
Jeff<br />
<br />
___<br />
<br />
<br />
- "unusable to prove your current identity" - would be better.<br />
<br />
I do agree with all those remarks; but as usual when doing simplicifications for beginners ( see Category:Beginner ),<br />
many subtilities are left out.<br />
<br />
When you face questions like :<br />
Can i renew a certificate ? And user does not know he needs a private key do so.<br />
Why my browser refuses to install a Client Certifcate in my browser ? because it is a Certificate and not a PFX containing private key<br />
Why i can't connect to my server in https even after installing a Certificate ? Because you didn't install a private key...<br />
<br />
You quickly understand that in mind of users beginning with Certificate use, Certificate itself means everything needed to prove identity, ownship and anything.<br />
I fell important to recall that Private Key is the key point of Certificate usage.<br />
<br />
I will put all those comment in Discussion tab of Certificate LifeStyle...<br />
<br />
Philippe</div>Philippe lhardy