
0207260a15e03179ba593461109dbfe1.ppt
- Number of slides: 14
About PKI Certificates
Dartmouth College PKI Lab
X.509 Certificate Defined
A type that binds an entity's distinguished name to a public key with a digital signature. This type is defined in the Internet X.509 Public Key Infrastructure (PKIX) Certificate and CRL Profile. This type also contains the distinguished name of the certificate issuer (the signer), an issuer-specific serial number, the issuer's signature algorithm identifier, a validity period, and extensions also defined in that document.
X.509 Certificate Defined 2
Data associated with a private key and containing a public key that provides information about:
• Identities of the issuer and subject
• Certificate validity dates and CRL location
• Certificate intended uses
• Serial number
• Other certificate information
X.509 Certificate Format
• version
• serialNumber
• signature
• issuer
• validity
• subjectPublicKeyInfo
• issuerUniqueIdentifier
• subjectUniqueIdentifier
• Extensions
Certificate information is contained in ASN.1 structures.
Certificate Encodings
• DER is a binary encoding of the X.509 ASN.1 structures.
• PEM is the base64 encoded version of DER. (For situations where binary format won't work.)
• Text is a human-readable version of the ASN.1 structures.
PEM Example
-----BEGIN CERTIFICATE-----
MIIEbDCCA1SgAwIBAgICBAEwDQYJKoZIhvcNAQEFBQAwdzETMBEGCgmSJomT8ixk
ARkWA2VkdTEZMBcGCgmSJomT8ixkARkWCWRhcnRtb3V0aDELMAkGA1UEBhMCVVMx
GjAYBgNVBAoTEURhcnRtb3V0aCBDb2xsZWdlMRwwGgYDVQQDExNEYXJ0bW91dGgg
Q2VydEF1dGgxMB4XDTAzMTAyNDE1MDg1OFoXDTAzMTAyNDE5MDg1OFowgaIxEzAR
BgoJkiaJk/IsZAEZFgNlZHUxGTAXBgoJkiaJk/IsZAEZFglkYXJ0bW91dGgxCzAJ
BgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91dGggQ29sbGVnZTEZMBcGA1UEAxMQ
TWFyayBKLiBGcmFua2xpbjEsMCoGCSqGSIb3DQEJARYdTWFyay5KLkZyYW5rbGlu
QERhcnRtb3V0aC5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK2Xsb+0
+ENqEwgu15Sthv47iKJ89O1ci0TLdbVYoFV92wDykX68+m2Z0NSBiM+mQqjDk8c6
USnAvwDZUtMVK5CU9kf9/hiCXmVxbFLgsqbpVEPzc83SGQ3fS70PuFeu00MdTRI6
+thtwTF/n7ZfGFc2XGTKXMnwqCh8cbOP7H5NAgMBAAGjggFYMIIBVDARBglghkgB
hvhCAQEEBAMCBaAwDgYDVR0PAQH/BAQDAgXgMIGiBgNVHSAEgZowgZcwgZQGCisG
AQQBQQIBAQEwgYUwPQYIKwYBBQUHAgIwMTAYFhFEYXJ0bW91dGggQ29sbGVnZTAD
AgEBGhVEYXJ0bW91dGggQ29sbGVnZSBDUFMwRAYIKwYBBQUHAgEWOGh0dHA6Ly93
d3cuZGFydG1vdXRoLmVkdS9+cGtpbGFiL0RhcnRtb3V0aENQU18wU2VwMDMucGRm
MCgGA1UdEQQhMB+BHU1hcmsuSi5GcmFua2xpbkBEYXJ0bW91dGguZWR1MB8GA1Ud
IwQYMBaAFD/A1senTwB+7waZZ2y8lh5No3cSMD8GCCsGAQUFBwEBBDMwMTAvBggr
BgEFBQcwAYYjaHR0cDovL2NvbGxlZ2VjYS5kYXJ0bW91dGguZWR1L29jc3AwDQYJ
KoZIhvcNAQEFBQADggEBAB5+LvOPrCt6s6Hvba5a7WENTLxhh7r2KUZIDH7Y1PJ8
cUN5EfKAUoT00walcTIqCfexLpWJMk38oF4gTMwk3sabNEjfQwmdmsJSh2R6eBDL
d658t94DpGxXw2U3rzDzFDc4lozK9cBn9GRt4w3py31Bz2DDzc4mjscEid44AV3V
hLhI0ZqlWrqWWutW1Dugqol8A6APVGMjhZsYS5fFUe88LdvZgnb9UpDcOAPUoeN5
Rvl/aibNweyCBFU/MqII0Yxf1wrc+wg0R2gy+WaVqyK05ddwxwVJ94aZmAHGL6zO
7FjPU9XwLGBQfHbnbtfRZUech+ZQhjLlpXyYxRQ1KgM=
-----END CERTIFICATE-----
Text Example
Certificate:
  Data:
    Version: v3
    Serial Number: 0x401
    Signature Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
    Issuer: CN=Dartmouth CertAuth1, O=Dartmouth College, C=US, DC=dartmouth, DC=edu
    Validity:
      Not Before: Friday, October 24, 2003 11:08:58 AM EDT America/New_York
      Not After: Friday, October 24, 2003 3:08:58 PM EDT America/New_York
    Subject: E=Mark.J.Franklin@Dartmouth.edu, CN=Mark J. Franklin, O=Dartmouth College, C=US, DC=dartmouth, DC=edu
    Subject Public Key Info:
      Algorithm: RSA - 1.2.840.113549.1.1.1
      Public Key:
        Exponent: 65537
        Public Key Modulus: (1024 bits) :
          AD:97:B1:BF:B4:F8:43:6A:13:08:2E:D7:94:AD:86:FE:3B:88:A2:7C:
          F4:ED:5C:8B:44:CB:75:B5:58:A0:55:7D:DB:00:F2:91:7E:BC:FA:6D:
          99:D0:D4:81:88:CF:A6:42:A8:C3:93:C7:3A:51:29:C0:BF:00:D9:52:
          D3:15:2B:90:94:F6:47:FD:FE:18:82:5E:65:71:6C:52:E0:B2:A6:E9:
          54:43:F3:73:CD:D2:19:0D:DF:4B:BD:0F:B8:57:AE:D3:43:1D:4D:12:
          3A:FA:D8:6D:C1:31:7F:9F:B6:5F:18:57:36:5C:64:CA:5C:C9:F0:A8:
          28:7C:71:B3:8F:EC:7E:4D
  Extensions:
    Identifier: Netscape Certificate Type - 2.16.840.1.113730.1.1
      Critical: no
      Certificate Usage:
        SSL Client
        Secure Email
    Identifier: Key Usage - 2.5.29.15
      Critical: yes
      Key Usage:
        Digital Signature
        Non Repudiation
        Key Encipherment
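Reading the PEM Example above into the fields the Certificate Format slide lists, as an added example that is not part of the original slides and not code from the Dartmouth PKI Lab. It uses only the Python standard library: it strips the PEM armour to recover DER, walks the ASN.1 tag-length-value encoding, and returns the version, serial number, algorithm OIDs, issuer and subject names, validity dates, RSA key size and extension OIDs, so the output can be compared with the Text Example. The certificate bytes are the page's own; the field layout and the attribute short names (CN, O, C, DC, E) follow RFC 5280; the function names are this example's. It decodes the certificate but does not verify its signature.

```python
import base64
from datetime import datetime

# The certificate from the "PEM Example" slide above, copied from the page.
PEM_CERT = """-----BEGIN CERTIFICATE-----
MIIEbDCCA1SgAwIBAgICBAEwDQYJKoZIhvcNAQEFBQAwdzETMBEGCgmSJomT8ixk
ARkWA2VkdTEZMBcGCgmSJomT8ixkARkWCWRhcnRtb3V0aDELMAkGA1UEBhMCVVMx
GjAYBgNVBAoTEURhcnRtb3V0aCBDb2xsZWdlMRwwGgYDVQQDExNEYXJ0bW91dGgg
Q2VydEF1dGgxMB4XDTAzMTAyNDE1MDg1OFoXDTAzMTAyNDE5MDg1OFowgaIxEzAR
BgoJkiaJk/IsZAEZFgNlZHUxGTAXBgoJkiaJk/IsZAEZFglkYXJ0bW91dGgxCzAJ
BgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91dGggQ29sbGVnZTEZMBcGA1UEAxMQ
TWFyayBKLiBGcmFua2xpbjEsMCoGCSqGSIb3DQEJARYdTWFyay5KLkZyYW5rbGlu
QERhcnRtb3V0aC5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK2Xsb+0
+ENqEwgu15Sthv47iKJ89O1ci0TLdbVYoFV92wDykX68+m2Z0NSBiM+mQqjDk8c6
USnAvwDZUtMVK5CU9kf9/hiCXmVxbFLgsqbpVEPzc83SGQ3fS70PuFeu00MdTRI6
+thtwTF/n7ZfGFc2XGTKXMnwqCh8cbOP7H5NAgMBAAGjggFYMIIBVDARBglghkgB
hvhCAQEEBAMCBaAwDgYDVR0PAQH/BAQDAgXgMIGiBgNVHSAEgZowgZcwgZQGCisG
AQQBQQIBAQEwgYUwPQYIKwYBBQUHAgIwMTAYFhFEYXJ0bW91dGggQ29sbGVnZTAD
AgEBGhVEYXJ0bW91dGggQ29sbGVnZSBDUFMwRAYIKwYBBQUHAgEWOGh0dHA6Ly93
d3cuZGFydG1vdXRoLmVkdS9+cGtpbGFiL0RhcnRtb3V0aENQU18wU2VwMDMucGRm
MCgGA1UdEQQhMB+BHU1hcmsuSi5GcmFua2xpbkBEYXJ0bW91dGguZWR1MB8GA1Ud
IwQYMBaAFD/A1senTwB+7waZZ2y8lh5No3cSMD8GCCsGAQUFBwEBBDMwMTAvBggr
BgEFBQcwAYYjaHR0cDovL2NvbGxlZ2VjYS5kYXJ0bW91dGguZWR1L29jc3AwDQYJ
KoZIhvcNAQEFBQADggEBAB5+LvOPrCt6s6Hvba5a7WENTLxhh7r2KUZIDH7Y1PJ8
cUN5EfKAUoT00walcTIqCfexLpWJMk38oF4gTMwk3sabNEjfQwmdmsJSh2R6eBDL
d658t94DpGxXw2U3rzDzFDc4lozK9cBn9GRt4w3py31Bz2DDzc4mjscEid44AV3V
hLhI0ZqlWrqWWutW1Dugqol8A6APVGMjhZsYS5fFUe88LdvZgnb9UpDcOAPUoeN5
Rvl/aibNweyCBFU/MqII0Yxf1wrc+wg0R2gy+WaVqyK05ddwxwVJ94aZmAHGL6zO
7FjPU9XwLGBQfHbnbtfRZUech+ZQhjLlpXyYxRQ1KgM=
-----END CERTIFICATE-----"""

ATTR = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C",
        "0.9.2342.19200300.100.1.25": "DC", "1.2.840.113549.1.9.1": "E"}

def pem_to_der(pem):
    """Strip the PEM armour and base64-decode; the result is the DER bytes."""
    body = "".join(l.strip() for l in pem.splitlines() if l.strip() and "-----" not in l)
    return base64.b64decode(body, validate=True)

def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a SEQUENCE/SET body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out

def decode_oid(value):
    """OBJECT IDENTIFIER contents -> dotted string, e.g. 1.2.840.113549.1.1.5."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def decode_name(value):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type, value }; DER order is kept."""
    parts = []
    for _, rdn in children(value):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            parts.append(f"{ATTR.get(decode_oid(oid), decode_oid(oid))}={val.decode('latin-1')}")
    return ", ".join(parts)

def parse_certificate(der):
    """Walk Certificate -> tbsCertificate in the field order the slide lists."""
    _, cert, _ = read_tlv(der)
    (_, tbs), (_, outer_alg), (_, sig) = children(cert)
    f = children(tbs)
    i, version = 0, 1
    if f[0][0] == 0xA0:  # [0] EXPLICIT version; absent means v1
        i, version = 1, children(f[0][1])[0][1][0] + 1
    tbs_alg = decode_oid(children(f[i + 1][1])[0][1])
    if tbs_alg != decode_oid(children(outer_alg)[0][1]):  # RFC 5280 requires equality
        raise ValueError("signature algorithm differs between TBS and outer")
    # UTCTime 'YYMMDDHHMMSSZ' -> ISO 8601 strings
    not_before, not_after = (datetime.strptime(v.decode("ascii"), "%y%m%d%H%M%SZ").isoformat()
                             for _, v in children(f[i + 3][1]))
    (_, key_alg), (_, key_bits) = children(f[i + 5][1])
    _, rsa, _ = read_tlv(key_bits[1:])  # BIT STRING: skip the unused-bits byte
    n, e = (int.from_bytes(v, "big") for _, v in children(rsa))
    # extensions [3] EXPLICIT: SEQUENCE OF { extnID, critical DEFAULT FALSE, extnValue }
    ext_seq = next((v for t, v in f[i + 6:] if t == 0xA3), None)
    exts = [children(x) for _, x in (children(children(ext_seq)[0][1]) if ext_seq else [])]
    return {"version": version, "serial": int.from_bytes(f[i][1], "big"),
            "signature_algorithm": tbs_alg, "issuer": decode_name(f[i + 2][1]),
            "not_before": not_before, "not_after": not_after, "subject": decode_name(f[i + 4][1]),
            "key_algorithm": decode_oid(children(key_alg)[0][1]),
            "modulus_bits": n.bit_length(), "exponent": e,
            "extensions": [(decode_oid(x[0][1]), len(x) == 3 and x[1][1] == b"\xff") for x in exts],
            "signature_bits": (len(sig) - 1) * 8}
```

Calling `parse_certificate(pem_to_der(PEM_CERT))` gives serial 0x401, signature algorithm 1.2.840.113549.1.1.5, a 1024-bit RSA key with exponent 65537 and the two validity instants as UTC (15:08:58 and 19:08:58, which the viewer shows as 11:08:58 AM and 3:08:58 PM EDT). The names come out in DER order (DC=edu, DC=dartmouth, C=US, O=..., CN=...), the reverse of the display order in the Text Example; only the Key Usage extension (2.5.29.15) is marked critical, which is why a viewer flags it as "Critical: yes".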
Certificate Viewer Example
Certificate Revocation List (CRL) Defined
A type that contains information about certificates whose validity an issuer has prematurely revoked. The information consists of an issuer name, the time of issue, the next scheduled time of issue, a list of certificate serial numbers and their associated revocation times, and extensions. The CRL is signed by the issuer.
Certificate Revocation List (CRL) Defined 2
A secured list of no longer trusted certificates provided by a Certificate Authority so applications can reject otherwise valid certificates that are compromised or otherwise invalid before their validity period expires.
• Issued periodically or as needed.
• Checked by applications at certificate verification time.
• OCSP protocol provides an alternative which can be an online service.
CRL Format
• version
• signature
• issuer
• thisUpdate
• nextUpdate
• revokedCertificates
• crlEntryExtensions
• crlExtensions
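A revocation check written against the CRL structure the slide lists (version, signature, issuer, thisUpdate, nextUpdate, revokedCertificates, entry extensions), as an added example that is not part of the original slides and not code from the Dartmouth PKI Lab. It models the CRL fields directly rather than decoding DER, and it shows the checks an application has to make at certificate verification time beyond a serial-number lookup: the CRL's signature must verify, its issuer must match the certificate's issuer, and it must be current (between thisUpdate and nextUpdate); when any of these fails the status is "undetermined", not "good". The CRL contents here (serial numbers, dates, reason codes) are constructed sample values; the issuer name mirrors the page's CA, and signature verification is assumed to have been done by the caller.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class RevokedEntry:             # one element of revokedCertificates
    serial: int
    revocation_date: datetime   # naive datetimes are treated as UTC throughout
    reason: str = "unspecified"  # from the reasonCode crlEntryExtension, if present

@dataclass
class CRL:                      # fields in the order of the "CRL Format" slide
    version: int
    signature_algorithm: str
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: list = field(default_factory=list)
    signature_valid: bool = True  # outcome of verifying the issuer's signature (assumed done)

class RevocationCheckError(Exception):
    """The CRL cannot answer the question; a verifier must fail closed on this."""

def check_revocation(crl, cert_issuer, cert_serial, now_iso):
    """Status of (cert_issuer, cert_serial) per crl at the ISO 8601 UTC time now_iso."""
    now = datetime.fromisoformat(now_iso)
    if not crl.signature_valid:
        raise RevocationCheckError("CRL signature does not verify")
    if crl.issuer != cert_issuer:  # a CRL only speaks for certificates its issuer signed
        raise RevocationCheckError("CRL was issued by a different CA")
    if now < crl.this_update:
        raise RevocationCheckError("CRL thisUpdate is in the future; check the clock")
    if now > crl.next_update:      # a stale CRL may be missing newer revocations
        raise RevocationCheckError("CRL is stale: nextUpdate has passed")
    for entry in crl.revoked:
        if entry.serial == cert_serial:
            return {"revoked": True, "reason": entry.reason, "since": entry.revocation_date}
    return {"revoked": False}

def revocation_status(crl, cert_issuer, cert_serial, now_iso):
    """Convenience wrapper: 'good', 'revoked (<reason>)' or 'undetermined: <why>'."""
    try:
        result = check_revocation(crl, cert_issuer, cert_serial, now_iso)
    except RevocationCheckError as exc:
        return f"undetermined: {exc}"
    return f"revoked ({result['reason']})" if result["revoked"] else "good"

# Constructed sample CRL: the serial numbers, dates and reasons are made up for this example.
CA_NAME = "CN=Dartmouth CertAuth1, O=Dartmouth College, C=US, DC=dartmouth, DC=edu"
SAMPLE_CRL = CRL(
    version=2, signature_algorithm="1.2.840.113549.1.1.5", issuer=CA_NAME,
    this_update=datetime(2003, 10, 24, 12, 0, 0),
    next_update=datetime(2003, 10, 25, 12, 0, 0),
    revoked=[RevokedEntry(0x3F0, datetime(2003, 10, 23, 9, 30, 0), "keyCompromise"),
             RevokedEntry(0x3F7, datetime(2003, 10, 24, 8, 0, 0))])
```

With the sample data, serial 0x401 checked at 16:00 on 24 October 2003 is "good" and 0x3F0 is "revoked (keyCompromise)"; the same 0x401 checked two days later is "undetermined" because nextUpdate has passed, and a check against a different issuer name is likewise "undetermined". Whether "undetermined" is treated as a hard failure or a soft one is a policy decision for the application, but the check itself must not report "good" in those cases.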
CRL Example
CRL Example 2
Certificate Viewers
• Windows (invoked from IE, desktop, other applications)
• Mozilla/Thunderbird (invoked from Preferences in Mozilla or Account Options in Thunderbird)
• Other applications
Demos of Certificate Viewers (add hyperlinks as available)
Windows
Mozilla