Obtaining An X.509 Certificate - Option Audio GlobeSurfer 3G Reference Manual

802.11b/g wireless router and internet gateway

public key. The X.509 standard defines what information goes into the certificate, and describes how to encode it (the data format). All X.509 certificates have the following data:
The certificate holder's public key: the public key of the certificate holder, together with an algorithm identifier that specifies which cryptosystem the key belongs to and any associated key parameters.
The serial number of the certificate: the entity (application or person) that created the certificate is responsible for assigning it a unique serial number to distinguish it from other certificates it issues. This information is used in numerous ways; for example, when a certificate is revoked, its serial number is placed on a Certificate Revocation List (CRL).
The certificate holder's unique identifier: this name, the distinguished name (DN), is intended to be unique across the Internet. A DN consists of multiple subsections and may look something like this: CN=John Smith, EMAIL=globesurfer@option.com, OU=R&D, O=Option, C=SE (These refer to the subject's Common Name, Organizational Unit, Organization, and Country.)
The certificate's validity period: the certificate's start date/time and expiration date/time; indicates when the certificate will expire.
The unique name of the certificate issuer: the unique name of the entity that signed the certificate. This is normally a CA. Using the certificate implies trusting the entity that signed this certificate. (Note that in some cases, such as root or top-level CA certificates, the issuer signs its own certificate.)
The digital signature of the issuer: the signature using the private key of the entity that issued the certificate.
The signature algorithm identifier: identifies the algorithm used by the CA to sign the certificate.
6.9.3 Obtaining an X.509 Certificate
To obtain an X.509 certificate, you must ask a CA to issue one for you. You provide your public key, proof that you possess the corresponding private key, and some specific information about yourself. You then digitally sign the information and send the whole package – the certificate request – to the CA. The CA then performs some due diligence in verifying that the information you provided is correct and, if so, generates the certificate and returns it.
You might think of an X.509 certificate as a standard paper certificate with a
public key taped to it. It has your name and some information about you on it,
plus the signature of the person who issued it to you.
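The certificate request described above can also be built and checked with the OpenSSL command line, outside the management console. This is an added example, not taken from the manual: the function names and file names are assumptions, and the subject is the manual's sample DN.

```shell
#!/bin/sh
# Added example (not from the manual). Function and file names are assumptions.
# Subject: the manual's sample DN, written in OpenSSL's -subj syntax.
SUBJ='/C=SE/O=Option/OU=R&D/CN=John Smith/emailAddress=globesurfer@option.com'

# Create a key pair and a certificate request in directory $1.
# Only holder.csr goes to the CA; holder.key never leaves the machine.
make_request() {
    ( umask 077   # private key readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
          -keyout "$1/holder.key" -out "$1/holder.csr" 2>/dev/null )
}

# Proof of possession: the request is signed with the private key that matches
# the public key inside it. Succeeds only if that self-signature verifies.
request_verifies() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Confirm that request $1 carries the public half of private key $2.
request_matches_key() {
    req_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$req_pub" ] &&
        [ "$req_pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Print the identity the CA is being asked to certify.
request_subject() {
    openssl req -in "$1" -noout -subject
}

# Demo run in a scratch directory.
dir=$(mktemp -d)
make_request "$dir" && request_verifies "$dir/holder.csr" \
    && request_matches_key "$dir/holder.csr" "$dir/holder.key" \
    && request_subject "$dir/holder.csr"
rm -rf "$dir"
```

A request whose contents are altered after signing no longer passes request_verifies, which is the check a CA relies on before looking at the identity information.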
To obtain an X.509 certificate:
1. Click Certificates on the Advanced screen of the management console. The
Certificates screen will appear (see figure 6.21).