You may already be hearing about X.509 certificates. If you have, this document can explain to you what they do for you. If you haven't heard people talking about X.509 certificates, you may want to read this document to learn more about the Internet security tools they facilitate. There are several parts to this document:
An identity certificate is a digitally signed statement from one entity, saying that the public key of some other entity has some particular value.
In case you don't understand that sentence, here are a few definitions:
Certificates rely on public key encryption technologies. To understand certificates, you don't need to know much beyond the facts that (a) private and public keys are paired, (b) private keys are used to sign, and (c) public keys are used to verify signatures.
One other term that comes up a lot is Certification Authority (CA). These are entities (e.g., businesses) that are trusted to sign (issue) certificates for other people (entities). They usually have some kind of legal responsibilities for their vouching for the binding between a public key and its owner. There are many such Certification Authorities, such as VeriSign, GTE, and so on.
Probably the most widely visible application of X.509 certificates today is in web browsers (such as Netscape Navigator) that support the SSL protocol. SSL (Secure Socket Layer) is a security protocol that provides privacy and authentication for your network traffic. These browsers can only use this protocol with web servers that support it.
Other technologies that rely on X.509 certificates include:
There are two basic techniques used to get certificates: (1) you can make one yourself (using the right tools), or (2) you can ask someone else (a CA) to issue you one. The main inputs to the certificate creation process are:
If you're asking a CA to issue you a certificate, you provide your public key and some information about you. You'll use a tool (such as Netscape Navigator 3.0) to digitally sign this information, and send it to the CA. (That CA might be a company like Verisign that provides trusted third-party CA services. It might be your Internet Service Provider, or some other organization.) The CA will then generate the certificate and return it.
If you're generating the certificate yourself, you'll take that same information, add a little more (dates during which the certificate is valid, a serial number), and just create the certificate using some tool (such as javakey). Not everyone will accept self-signed certificates; one part of the value provided by a CA is to serve as a neutral and trusted introduction service, based in part on their verification requirements, which are openly published in their Certification Service Practices (CSP).
X.509 defines what information can go into a certificate, and describes how to write it down (the data format). All X.509 certificates have the following data, in addition to the signature:
CN=Java Duke, OU=JavaSoft, O=Sun Microsystems Inc, C=US
(These refer to the subject's common name, organizational unit,
organization, and country)
Those base features are part of X.509 v1, the first version. X.509 v2 added features including certificate revocation lists (CRLs) used by CAs to say that particular certificates should no longer be trusted. X.509 v3 (in 1996) added the notion of extensions, of which keyUsage (limits the use of the keys for particular purposes such as "signing-only") and AltNames (allows other Names, e.g. DNS names, Email addresses, IP addresses) are very popular.
All the data in a certificate is encoded using two related standards called ASN.1/DER. Abstract Syntax Notation 1 describes data. The Definite Encoding Rules describe a single way to store and transfer that data. People have been known to describe this combination simultaneously as "powerful and flexible" and as "cryptic and awkward". There seems to be no groundswell of opinion suggesting that something other than ASN.1/DER be used; the existing infrastructure works, and can be readily evolved.
Using javakey, it is possible to display, import, and export certificates stored as files, and to generate new certificates.
Please send comments to: java-security@java.sun.com