Difference between revisions of "Certificate Lifecycle"

From OpenSSLWiki
Jump to: navigation, search
(Cert if i cat e.)
 
(Corrected English and grammar)
Line 1: Line 1:
X509 Certificates are convenient normalized way to use Public/Private schemes to prove identity of a software component or -by delegation- of a person.
+
X509 Certificates are a convenient and standardised way to use PKI (Public Key Infrastructure) schemes to prove the identity of a software component or (by proxy) a person.
 +
 
 +
Some examples of where certificates are used include:
 +
* in ANY HTTPS connection to ensure that the server you connect to is actually operated by the person or organisation that owns the domain;
 +
* in HTTPS client authentication for a server to identify of a user;
 +
* in software components to sign code and prove that code was created by a trusted entity;
 +
* to digitally sign e-mails or files;
 +
* in various secure protocols to provide authentication of parties (e.g LDAPS).
  
Certificates are used in ANY https:// connection to ensure url of server you see connects to a server that is the one you expect.
 
They are used in client authentication too for a Service to indicate what user you are.
 
They are used in Software components to sign Code and prove that code was created by a trusted entity.
 
They might be used to cipher mails or files.
 
They are used in various secure protocols to provide authentication of parties ( LDAPS... ).
 
  
 
Certificates have a life like many other objects.
 
Certificates have a life like many other objects.
 +
* Before giving birth to a certificate you need to create its DNA... a public/private key pair.
 +
* Once this DNA is created you need some Certificate Authority to certify that you are the owner of this DNA.
  
- Before giving birth to a certificate you need to create its DNA... which is Public / Private Key Pair.
 
 
- Once this DNA is created you need some Authority to certify this is THIS certificate ADN
 
  
By giving a proof you own DNA Private part of the public DNA part to Authority by providing a 'Certificate Request' Authority will decide to create a Certificate for you.
+
By providing proof of identify; proof of ownership that you own the private DNA part; and the public DNA part contained in a 'Certificate Signing Request', a Certificate Authority will create a certificate for you.
  
This Certificate will contain Public Key part and many other informations that describe Certificate ownership, purpose, and time to live and the most important part : he contains the proof from Authority that the Authority reviewed those informations and certify them. That's actualy why a Certificate is a certificate.
+
This certificate will contain the public key and other information that describe the certificate ownership, purpose, and time to live. It also contains the most important part: proof that the Certificate Authority reviewed that information and certified it.
  
"All Certificates are equals but some are more than others !"
+
"All certificates are equal but some are more equal than others!"
Certificate are unequals since they can be from a well known family (Well known Authorities) or from more confidential ones (Dedicated ones).
+
Certificates are unequal since they can be from a well known family (well known Certificate Authorities) or from private ones.
A Certificate has only the value of Trust that its Authority has. If the Authority is untrusted, so the certificate is.
+
A certificate only has the value of trust that its Certificate Authority has. If the Certificate Authority is untrusted, so is the certificate.
=> Issuer , Certificate Authority
+
The '''Issuer''' field of a certificate identifies the Certificate Authority
  
"Certificates can buy their graves early."
+
"Certificates can go to their graves early."
Yes a Certificate from its early birth knows exactly when he will die. It is perhaps sad, but nobody told that life of certificate should be a piece of cake.
+
A certificate from its birth knows exactly when it will die. A certificate can be revoked before this deadline if it is compromised.
And worse a Certificate can be revoked when it was compromised, then it can even die before his deadline.
+
The '''Validity''' field of a certificate identifies the start and expiry date of a certificate.
=> Validity  
 
  
"Ausweiss please"
+
"ID please"
By detaining the private key of a certificate you can prove you own the certificate and then that information written on that Certificate applies to you.
+
Through the private key you can prove you own the certificate and therefore that the information written on that certificate applies to you.
Distinguished Name is the name of the owner of private key.
+
The '''Subject''' field of a certificate is the name of the owner of a private key.
=> DN
 
  
"A Certificate without private Key is just like glasses without eyes"
+
"A Certificate without a private key is like glasses without eyes"
A Certificate does not contains Private Key, if you have a Certificate and you can find your private key, then it is just like if you have nothing.
+
A certificate does not contain the private key. If you have a certificate and you lose your private key, then the certificate is unusable.
Opposite is not true, since With private key you often have public key, and you can request a new certificate, but you will need to regenerate a new Certificate, and due to the public nature of a Certificate you can often find it copied somewhere, from your Authority by example.
 
  
"Copy me if you want !"
+
"Copy me if you want!"
A Certificate can be copied and distributed, it is fully public. Certificates don't contains Private Keys so they are usefull only to prove identity
+
A certificate can be copied and distributed, it is fully public. Certificates do not contain private keys so they are useful only to prove the identity of the party that owns the private key.
of parties who owns the private key.
 
WARNING : wording "Client Certificates" might be misleading here, since in this specific case a "Client Certifcate" is more than a certificate, it is a file that contains the private key too.
 
  
 
"Certificates are NOT free"
 
"Certificates are NOT free"
Obtaining a Certificate from a well known Certificate Authority requires that you pay a fee.  
+
Obtaining a certificate from a well known Certificate Authority typically requires that you pay a fee.  
  
And a Certificate knows from his creation what job he will do, there is no way a Certificate issued for Authenticating a Server can be used in browser to identify a user.
+
A certificate knows from its creation what job it will do. There is no way a certificate issued for authenticating a server can be used in a browser to identify a user. Certificates have a purpose.  
Certificates have a purpose.  
 
  
 
[[Category:Beginner]]
 
[[Category:Beginner]]

Revision as of 21:31, 24 May 2013

X509 Certificates are a convenient and standardised way to use PKI (Public Key Infrastructure) schemes to prove the identity of a software component or (by proxy) a person.

Some examples of where certificates are used include:

  • in ANY HTTPS connection to ensure that the server you connect to is actually operated by the person or organisation that owns the domain;
  • in HTTPS client authentication for a server to identify of a user;
  • in software components to sign code and prove that code was created by a trusted entity;
  • to digitally sign e-mails or files;
  • in various secure protocols to provide authentication of parties (e.g LDAPS).


Certificates have a life like many other objects.

  • Before giving birth to a certificate you need to create its DNA... a public/private key pair.
  • Once this DNA is created you need some Certificate Authority to certify that you are the owner of this DNA.


By providing proof of identify; proof of ownership that you own the private DNA part; and the public DNA part contained in a 'Certificate Signing Request', a Certificate Authority will create a certificate for you.

This certificate will contain the public key and other information that describe the certificate ownership, purpose, and time to live. It also contains the most important part: proof that the Certificate Authority reviewed that information and certified it.

"All certificates are equal but some are more equal than others!" Certificates are unequal since they can be from a well known family (well known Certificate Authorities) or from private ones. A certificate only has the value of trust that its Certificate Authority has. If the Certificate Authority is untrusted, so is the certificate. The Issuer field of a certificate identifies the Certificate Authority

"Certificates can go to their graves early." A certificate from its birth knows exactly when it will die. A certificate can be revoked before this deadline if it is compromised. The Validity field of a certificate identifies the start and expiry date of a certificate.

"ID please" Through the private key you can prove you own the certificate and therefore that the information written on that certificate applies to you. The Subject field of a certificate is the name of the owner of a private key.

"A Certificate without a private key is like glasses without eyes" A certificate does not contain the private key. If you have a certificate and you lose your private key, then the certificate is unusable.

"Copy me if you want!" A certificate can be copied and distributed, it is fully public. Certificates do not contain private keys so they are useful only to prove the identity of the party that owns the private key.

"Certificates are NOT free" Obtaining a certificate from a well known Certificate Authority typically requires that you pay a fee.

A certificate knows from its creation what job it will do. There is no way a certificate issued for authenticating a server can be used in a browser to identify a user. Certificates have a purpose.