Appendix B. Introduction to Public-Key Cryptography
related to the fact that passwords are sent over the network routinely and frequently, both of which
make using multiple passwords problematic.
The solution to this problem is single sign-on, which allows a user to log in once with a single
password and get authenticated access to all network resources that user is authorized to use, without
sending any passwords over the network. Both SSL client certificates and S/MIME certificates can
play a significant role in a comprehensive single sign-on solution; SSL client authentication allows
a user to log into the local client's private-key database and get authenticated access to all SSL-
enabled servers that user is authorized to use. This approach simplifies access for users because
they do not need to enter passwords for each new server. It also simplifies network management since
administrators can control access by controlling lists of CAs rather than much longer lists of users and
passwords.
In addition to using certificates, a complete single-sign on solution must address interoperability
with enterprise systems, such as the operating system, that rely on passwords or other forms of
authentication.
B.4.5. Contents of a Certificate
The contents of certificates are organized according to the X.509 v3 certificate specification, which is
published as a recommendation of the International Telecommunication Union (ITU), an international
standards body.
Users do not usually need to be concerned about the exact contents of a certificate. However, system
administrators working with certificates may need some familiarity with the information contained in
them.
B.4.5.1. Distinguished Names
An X.509 v3 certificate binds a distinguished name (DN) to a public key. A DN is a series of name-
value pairs, such as uid=doe, that together uniquely identify an entity. The DN of the entity whose public
key the certificate contains is called the certificate subject name; the DN of the CA that signed the
certificate appears in it as the issuer name.
This is an example DN of an employee for Example Corp.:
uid=doe,cn=John Doe,o=Example Corp.,c=US
In this DN, uid is the username, cn is the user's common name, o is the organization or company
name, and c is the country.
DNs may include a variety of other name-value pairs. They are used to identify both certificate
subjects and entries in directories that support the Lightweight Directory Access Protocol (LDAP).
The rules governing the construction of DNs can be complex: commas, plus signs, quotes, and backslashes
that occur inside a value must be escaped so they are not read as structure. For comprehensive information
about DNs, see A String Representation of Distinguished Names at http://www.ietf.org/rfc/rfc1485.txt.
Note that RFC 1485 has since been superseded, first by RFC 2253 and then by RFC 4514, which define the
string form and escaping rules that current LDAP and PKI software uses.
B.4.5.2. A Typical Certificate
Every X.509 certificate consists of two sections:
• The data section includes the following information:
• The version number of the X.509 standard supported by the certificate.
Certificate System 7.2 - Administration, page 460