Certificate File

[ythy]

Certificate X.509 Standard and DER/PEM Formats

• X.509 standard for certificate content
• DER encoding for certificate binary file format
• PEM #218 encoding for certificate text file format
• exchanging certificates in DER and PEM formats between 'OpenSSL' and 'keytool'

Conclusions:

• X.509 is an international that defines the contents of digital certificates
• DER (Distinguished Encoding Rules) is a data object encoding schema that can be used to encode certificate objects into binary files.
• PEM #218 (Privacy Enhanced Mail) is an encrypted email encoding schema that can be borrowed to encode certificate DER files into text files.
• A certificate PEM file is really a certificate DER file encoded with Base64 algorithm.
• "keytool" supports both PEM and DER certificate formats.
• "OpenSSL" supports both PEM and DER certificate formats.

[ythy]

What is a certificate

A digitally signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key.

What does a certificate typically contain

• The subject's public key value.
• The subject's identifier information, such as the name and e-mail address.
• The validity period (the length of time that the certificate is considered valid).
• Issuer identifier information.
• The digital signature of the issuer, which attests to the validity of the binding between the subject's public key and the subject's identifier information.

  What are Certificates used for

• Authentication, which verifies the identity of someone or something.
• Privacy, which ensures that information is only available to the intended audience.
• Encryption, which disguises information so that unauthorized readers are unable to decipher it.
• Digital signatures, which provide nonrepudiation and message integrity.

  What are the two types of Keys

  Public and Private

  What are the 4 formats of certificates

• Personal Information Exchange (PKCS # 12) The Personal Information Exchange format (PFX, also called PKCS # 12) supports secure storage of certificates, private keys, and all certificates in a certification path. The PKCS # 12 format is the only file format that can be used to export a certificate and its private key.
• Cryptographic Message Syntax Standard (PKCS # 7) The PKCS # 7 format supports storage of certificates and all certificates in the certification path.
• DER-encoded binary X.509 The Distinguished Encoding Rules (DER) format supports storage of a single certificate. This format does not support storage of the private key or certification path.
• Base64-encoded X.509 The Base64 format supports storage of a single certificate. This format does not support storage of the private key or certification path

[ythy]

X.509

X.509 is an standard for PKI (Public Key Infrastructure) in cryptography, which, amongst many other things, defines specific formats for PKC (Public Key Certificates) and the algorithm that verifies a given certificate path is valid under a give PKI (called the certification path validation algorithm).

A X.509 version 3 digital certificate has three main variables – the certificate, the certificate signature algorithm and the certificate signature.

[ythy]

CSR

This is a Certificate Signing Request. Some applications can generate these for submission to certificate-authorities. It includes some/all of the key details of the requested certificate such as subject, organization, state, whatnot, as well as the public key of the certificate to get signed. These get signed by the CA and a certificate is returned. The returned certificate is the public certificate (which includes the public key but not the private key), which itself can be in a couple of formats.

The request can be base64 encoded as shown below and is enclosed between —–BEGIN NEW CERTIFICATE REQUEST—– and —–END NEW CERTIFICATE REQUEST—–.

—–BEGIN NEW CERTIFICATE REQUEST—– 
MIIERDCCAywCAQAwZDELMAkGA1UEBhMCVVMxEjAQBgNVBAgTCUthcm5hdGFrYTES
MBAGA1UEBxMJQmFuZ2Fsb3JlMQswCQYDVQQKEwJNUzEMMAoGA1UECxMDQ1NTMRIw
EAYDVQQDEwlhbmdlbC0yazMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC8se11hL7I+nqePXGWaT9FNS9LisDbzG8Cb4IKIrLOlvtF7emO4mUxOzmBtXr+
nbpJkwZoY3/u9/0j6jpI8Uwh/VuWhWe16pIU0T0FODKGXhBre4E7aVsE0HyC/DRL
tpkV2cQZPBmO5ZcXchLkh8H63aiBuqLH4kOZht3JGGllqa5GjPjShGYLAm7SqIJJ
jbLFnKNW8ztdUn8cZhQfDlzpykqTAPY5XBo064D6fspKziGqgMiqMAW7ZKhAHWkF
Yrzp/YJCXHkajU+s79tdLk9X6+tn4qHEnOVILW0UWgw77QPvaNNFF0gmDYyUZje6
W2uaTjlcsQzgqbECSJVmT+cxAgMBAAGgggGZMBoGCisGAQQBgjcNAgMxDBYKNS4y
LjM3OTAuMjB7BgorBgEEAYI3AgEOMW0wazAOBgNVHQ8BAf8EBAMCBPAwRAYJKoZI
hvcNAQkPBDcwNTAOBggqhkiG9w0DAgICAIAwDgYIKoZIhvcNAwQCAgCAMAcGBSsO
AwIHMAoGCCqGSIb3DQMHMBMGA1UdJQQMMAoGCCsGAQUFBwMBMIH9BgorBgEEAYI3
DQICMYHuMIHrAgEBHloATQBpAGMAcgBvAHMAbwBmAHQAIABSAFMAQQAgAFMAQwBo
AGEAbgBuAGUAbAAgAEMAcgB5AHAAdABvAGcAcgBhAHAAaABpAGMAIABQAHIAbwB2
AGkAZABlAHIDgYkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAADANBgkqhkiG9w0BAQUFAAOCAQEANR/QwFBkvXx7WVlnGWpsZNjMyNoBuwsP
Wmjwu2FQ90+TSGexY0NI6cS1Xc9E0NlFuONcxJjaLclcW4Ptz1IpEUzK6t1CYV5q
zJnyt7Fb2d6qY4Is6wrWo9IGOA0G814oxk8oMbBIXsjTZaE6JRW2NUts3lHSlgEY
E1POkVex84jbmmIhJlqyBlSLH3d6rRYy8WaXMkaUTSBlp6vb3ealIsu5YTKtE1YW
9BYv1MHhVVIXoGts10y9s/NRrdVqDnVjgdYR+bjZaxbIca5loyYaMRCUBzFFIC7F
W80lqPN3EcpySUoZbdDBM8R5M6sGWIbiagwToVMkx1KNpNA3lxYh5g== 
—–END NEW CERTIFICATE REQUEST—–