[Reprint] The PKI system and the structure of digital certificates

The PKI system and the structure of digital certificates

http://www.enkichen.com/2016/04/12/certification-and-pki/

 

The previous article, "Basics of digital certificates", introduced some basic knowledge about digital certificates and their role, but it did not cover the management of digital certificates, such as applying for a digital certificate or the file formats of digital certificates. This article collects and summarizes that knowledge.

PKI (Public Key Infrastructure) can be understood as a key and certificate management system that uses public-key technology to provide network applications with encryption, digital signatures and other cryptographic services. It is an infrastructure that provides security services. PKI technology is a core technology of information security and also a key underlying technology of e-commerce.

PKI is neither a protocol nor a piece of software. It is a standard, and the security technologies developed under this standard to provide basic services are collectively referred to as PKI.

Components of PKI

PKI is a standard that includes several basic components, each providing a different service. It mainly consists of the following components:

  1. Certification Authority, CA (certificate issuer): the CA, also known as the Certificate Authority center, is the "core" of PKI, namely the authority that handles applications for and issues digital certificates. A CA must be authoritative. It is responsible for managing the certificates of all users (including various applications) under the PKI structure, binding a user's public key to the user's other information, and verifying the user's identity online. The CA is also responsible for registering and publishing the blacklist of user certificates.
  2. X.500 directory server (stores certificates): the X.500 directory server is used to "publish" users' certificates and blacklist information. Users can query their own or other people's certificates and download the blacklist through the standard LDAP protocol.
  3. Secure WWW server with high-strength cryptographic algorithms (SSL) (that is, Apache configured for HTTPS): the Secure Sockets Layer (SSL) protocol, originally developed by Netscape, has become the global standard for identifying websites and web users on the network and for encrypted communication between the user's browser and the web server.
  4. The Web (secure communication platform): the Web has two parts, the Web Client side and the Web Server side, installed on the client and on the server respectively. The SSL protocol with high-strength cryptographic algorithms ensures the confidentiality, integrity and authentication of data between client and server.
  5. Self-developed secure applications: these are the specific applications that individual industries develop for themselves, such as banking and securities applications.

The CA

The CA, also known as the Certificate Authority center, is the authority responsible for issuing and managing digital certificates. As the trusted third party in e-commerce transactions, it bears the responsibility for verifying the legitimacy of public keys in the public-key system. The CA issues a digital certificate to each user of a public key, in order to distribute the public key and prove its legitimacy. A digital certificate is a file, digitally signed by the certificate authority, that contains the public key and information about the owner of the public key. Its role is to prove that the user listed in the certificate legitimately owns the public key listed in the certificate. The CA's digital signature prevents an attacker from forging or tampering with the certificate. In SET transactions, the CA issues certificates not only to cardholders and merchants, but also to the banks receiving payment and to gateways. It is responsible for generating, distributing and managing the digital certificates required by all parties involved in online transactions, and is therefore the core of secure electronic transactions. As the core part of the PKI, the CA implements some very important PKI functions:

  1. Receive and verify end users' digital certificate applications
  2. Decide whether to accept an end user's digital certificate application - certificate approval
  3. Issue, or refuse to issue, a digital certificate to the applicant - certificate issuance
  4. Receive and process end users' digital certificate update requests - certificate update
  5. Receive end users' queries about and revocations of digital certificates
  6. Generate and publish the Certificate Revocation List (CRL)
  7. Archive digital certificates
  8. Archive keys
  9. Archive historical data

X.509 standard

X.509 is a very common certificate format. All certificates conform to the ITU-T X.509 international standard; therefore (in theory) a certificate created for one application can be used by any other application that conforms to the X.509 standard. In a certificate, it must be proven that the public key and the name of its owner belong together. For X.509 certificates, the certifier is always a CA or someone designated by a CA. A standard X.509 certificate is a collection of fields that contain information about a user or device and the corresponding public key. The X.509 standard defines what information should be included in a certificate and describes how that information is encoded (i.e., the data format). All X.509 certificates contain the following data.

  • Version: indicates which version of the X.509 standard the certificate uses (version 1, version 2 or version 3); the version number affects certain information in the certificate. The current version is 3
  • Serial number: a unique integer that identifies the certificate, assigned by the certificate issuer
  • Signature algorithm identifier: identifies the algorithm used to sign the certificate. It consists of an object identifier plus the relevant parameters and describes the digital signature algorithm used for this certificate. For example, the object identifier for SHA-1 with RSA indicates that the digital signature is an RSA encryption of a SHA-1 hash
  • Certification authority's digital signature: the signature generated with the issuer's private key, which ensures that the certificate has not been altered after it was issued
  • Issuer: the distinguished name (DN) of the certificate issuer, that is, the unique X.500 name of the CA that issued the certificate. Using this certificate implies trusting the entity that issued it. (Note: in some cases, such as root or top-level CA certificates, the issuer issues its own certificate)
  • Validity: the start date and time and the end date and time of the certificate; the certificate is valid between these two times
  • Subject: the unique identifier of the certificate holder (its distinguished name, DN); this name should be unique on the Internet
  • Public key information: includes the certificate holder's public key, the identifier of the algorithm (which indicates the cryptosystem the key belongs to) and other relevant key parameters
  • Issuer unique identifier: the unique identifier of the certificate issuer; used only in version 2 and version 3, and optional

X.509 certificate extensions

Optional standard and proprietary extensions (used only in version 2 and version 3). The elements of the extensions part all have the following structure:

  Extension ::= SEQUENCE {
    extnID    OBJECT IDENTIFIER,
    critical  BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }

  extnID: the OID that identifies the extension element
  critical: whether the extension element is critical
  extnValue: the value of the extension element, string type.

Extensions include:

  • Issuer key identifier: the unique identifier of the key contained in the certificate, used to distinguish between multiple key pairs of the same certificate owner.
  • Key usage: a bit string that specifies (restricts) the functions or services the certificate's public key can be used for, such as certificate signing or data encryption. If a certificate's KeyUsage extension is marked "critical" and set to "keyCertSign", the certificate will be rejected when it is presented during SSL communication, because the extension indicates that the associated private key should only be used for signing certificates and should not be used for SSL.
  • CRL distribution points: specifies where the CRL is published
  • Private key usage period: specifies the period during which the private key associated with the certificate's public key may be used; it also consists of Not Before and Not After. If this extension is absent, the usage periods of the public key and the private key are the same.
  • Certificate policies: consists of object identifiers and qualifiers; these object identifiers describe the policies under which the certificate is issued and used.
  • Policy mappings: indicates the equivalence between one or more policy object identifiers in two CA domains; present only in CA certificates
  • Subject alternative name: gives aliases of the certificate holder, such as an e-mail address or IP address; the aliases are bound together with the DN.
  • Issuer alternative name: gives aliases of the certificate issuer, such as an e-mail address or IP address, but the issuer's DN must still appear in the issuer field of the certificate.
  • Subject directory attributes: gives a series of attributes of the certificate owner. This extension can be used to convey access control information.
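The Extension structure and the Key usage item above can be checked directly on DER bytes. The Python code below is an added example, not code from the original article: it parses one Extension, treats an absent critical field as FALSE (DER omits default values) and decodes the KeyUsage bit string. The function names and the two sample byte strings are constructed for illustration.

```python
# Added example, not from the article; the two sample extensions are constructed.
KEY_USAGE_BITS = ("digitalSignature nonRepudiation keyEncipherment dataEncipherment "
                  "keyAgreement keyCertSign cRLSign encipherOnly decipherOnly").split()

def read_tlv(data, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, start = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, start = int.from_bytes(data[start:start + n], "big"), start + n
    if start + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[start:start + length], start + length

def decode_oid(body):
    """Turn OBJECT IDENTIFIER content octets into dotted notation."""
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:            # a clear high bit ends one sub-identifier
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)    # the first two arcs share one sub-identifier
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def parse_extension(der):
    """Return (extnID, critical, extnValue) from one DER-encoded Extension."""
    seq_tag, body, _ = read_tlv(der)
    oid_tag, oid, pos = read_tlv(body)
    tag, value, pos = read_tlv(body, pos)
    critical = False                   # DEFAULT FALSE: DER omits the field when false
    if tag == 0x01:                    # BOOLEAN present, so criticality is explicit
        critical = value != b"\x00"
        tag, value, pos = read_tlv(body, pos)
    if (seq_tag, oid_tag, tag) != (0x30, 0x06, 0x04):
        raise ValueError("expected SEQUENCE { OID, [BOOLEAN], OCTET STRING }")
    return decode_oid(oid), critical, value

def key_usage_names(extn_value):
    """Decode the KeyUsage BIT STRING wrapped inside extnValue."""
    tag, bits, _ = read_tlv(extn_value)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    total = (len(bits) - 1) * 8 - bits[0]   # bits[0] counts unused trailing bits
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i < total and bits[1 + i // 8] & (0x80 >> (i % 8))]

CA_KU = bytes.fromhex("300e0603551d0f0101ff040403020106")    # critical present
LEAF_KU = bytes.fromhex("300b0603551d0f0404030205a0")        # critical omitted
```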

[Figure: Baidu SSL digital certificate]

Digital certificate format

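A digital certificate takes the form of one or a series of related encrypted data files. Common formats are:

  • Conforming to the PKI ITU-T X.509 standard, the traditional standard (.DER .PEM .CER .CRT)
  • Conforming to the PKCS#7 Cryptographic Message Syntax Standard (.P7B .P7C .SPC .P7R)
  • Conforming to the PKCS#10 certificate request standard (.p10)
  • Conforming to the PKCS#12 Personal Information Exchange standard (.pfx .p12)

Of course, these are only a few of the commonly used standards. Among them, X.509 certificates come in two encodings:

  • X.509 DER (Distinguished Encoding Rules) encoding, with the extensions: .DER .CER .CRT
  • X.509 Base64 encoding, with the extensions: .PEM .CER .CRT

X.509 is the basic specification for digital certificates, while P7 and P12 are two implementation specifications: P7 is used for digital envelopes, and P12 is the implementation specification for certificates that carry a private key. Depending on the standard used, the generated digital certificate may contain different content. Below is a summary of what a certificate contains or may contain. The general characteristics of a certificate are:

  • Storage format: binary or ASCII
  • Whether it contains the public key and the private key
  • Whether it contains one certificate or several
  • Whether it supports password protection (for the current certificate)

Where:

  • DER, CER and CRT store the certificate in binary form, with only the public key and no private key
  • CSR: certificate request
  • PEM stores the certificate in Base64-encoded form, wrapped in "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", with only the public key
  • PFX and P12 also store the certificate in binary form; they contain the public key and the private key and include a protection password. PFX and P12 have exactly the same storage format; only the extension differs
  • P10: certificate request
  • P7R is the CA's reply to a certificate request, generally used for digital envelopes
  • P7B/P7C: certificate chain, which can contain one or more certificates

Key point: anything that contains a private key must always be password-protected (the private key is encrypted). By convention the public key can be made public while the private key must be protected, so plaintext certificates and unprotected certificates cannot contain a private key; they contain only the public key and need no encryption.

In the description above, DER always denotes a certificate that carries a signature. In practice there are also DER-encoded private keys, which are not signed and are really just an "intermediate piece". In addition, certificate requests usually use the CSR extension, but the format may be either PEM or DER. Either way it represents a certificate request, and a real certificate is obtained only after it has been signed by a CA.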
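As an added example (not from the original article), the Python code below classifies a certificate-related file by what it actually contains rather than by its extension, and counts private keys stored without password protection, which the key point above says must not happen. The helper names and the sample data are constructed; DER input is recognized only by its leading SEQUENCE tag.

```python
# Added example, not from the article; all sample inputs are constructed.
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def classify(blob):
    """List (encoding, kind) for every object found in a file's raw bytes."""
    found = []
    for label, body in PEM_RE.findall(blob):
        label = label.decode()
        # PKCS#8 marks encryption in the label; legacy OpenSSL keys use a header.
        encrypted = label.startswith("ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in body
        if label.endswith("PRIVATE KEY"):
            kind = "private key (encrypted)" if encrypted else "private key (UNPROTECTED)"
        elif label.endswith("CERTIFICATE REQUEST"):
            kind = "certificate request"
        elif label == "CERTIFICATE":
            kind = "certificate"
        else:
            kind = "other: " + label
        found.append(("PEM", kind))
    if found:
        return found
    # DER is raw ASN.1: certificates, requests, P7 and P12 files all begin with
    # a SEQUENCE tag (0x30), so the content must be parsed to tell them apart.
    return [("DER", "ASN.1 SEQUENCE")] if blob[:1] == b"\x30" else [("unknown", "unrecognized")]

def unprotected_keys(blob):
    """Count private keys stored without password protection."""
    return sum(kind.endswith("(UNPROTECTED)") for _, kind in classify(blob))

def pem(label, payload=b"constructed sample, not real key material"):
    """Build a constructed PEM block for the demonstration."""
    b64 = base64.encodebytes(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n".encode()

BUNDLE = pem("CERTIFICATE") + pem("PRIVATE KEY") + pem("ENCRYPTED PRIVATE KEY")

if __name__ == "__main__":
    for encoding, kind in classify(BUNDLE):
        print(encoding, kind)
```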

References

Basics of digital certificates
The X.509 standard
Introduction to the X.509 digital certificate structure
A beginner's introduction to digital certificates and CAs
OpenSSL commands and the principles of PKI, CA and SSL certificates

 
 


Origin www.cnblogs.com/jinanxiaolaohu/p/12080721.html