You now understand how public key cryptography works. You also know that you need
to distribute your public key to other people in order for them to send messages
to you securely. In this section you will learn what a digital certificate is and
what comprise a digital certificate.
What Does A Public Key Look Like?
Be aware that a public key is only a series of digits; it does not make any sense
to human. Here is an example of a 512 bit RSA public key displayed in hex format:
3048 0241 00E4 EEDC 2635 5217 1FAB C7E7 9AD2 B7B0 F30E EC04 4A6E 6054 D3A1 10C5
B130 B4FB 8ACA 7928 7E00 870F 98ED FF78 2CDC B9FA 916A B76F 585B 5455 50CD E87A
FD0B FEA0 D102 0301 0001
Does it make any sense to you? Maybe not. In addition when you get a public key
like this, you also want to know whom this key belongs to, right? A digital certificate
(or certificate) binds the owner's public key, name, email and other necessary information
together and makes it more convenient and reliable to make your public key public.
There is a more important reason for using certificates: certificate trust. We will
talk about this later in section Certificate Trust Model.
Now let's take a look at what are included in a certificate.
X.509 v3 Certificate Format
A standard X.509 v3 certificate contains the following standard fields:
- Certificate version
- Serial number of the certificate
- The distinguished name of the certificate issuer
- The distinguished name of the certificate owner
- The validity period of the certificate
- The public key
- The digital signature of the issuer
- Signature algorithm used
- Zero or more certificate extensions
Note: An example distinguished name looks
like this: CN=Michael Davis, Efirstname.lastname@example.org, OU=Sales, O=MXC Software, C=US.
Certificates that are used to digitally sign other certificates are called CA certificates.
All other certificates are called end entity certificates. A CA certificate
issued by yet another CA is called intermediate CA certificate. A CA certificate
issued by the CA itself is called root CA certificate.
A CA-issued certificate is issued by a CA. A self-signed certificate is issued to
a user by the user himself. iSafeguard™ support both, i.e. you may use certificates
you generated yourself or certificates from CAs.
In iSafeguard™ certificates are stored in four certificate stores. The following
table summarizes the certificate types we described above.
End entity certificates with private keys
End entity certificates without private keys
Intermediate CA certificates
Root CA certificates
We will discuss the trust rules of all these certificate types in section
Certificate Trust Model.