Common Data Security Architecture (CDSA) White Paper
Certificate Library Services (CL) API
Certificate Library Services (CL) API
What is a Certificate?
A certificate is a mechanism for establishing identity. Think of an X.509 certificate as a packet that can be given safely to others. X.509 derives from a data storage concept for directory services, called X.500, a mechanism that allows individuals to access others’ data.
The most important characteristic about a certificate is that it can be digitally signed by a Certificate Authority (CA). An Internet infrastructure is emerging to handle that responsibility.
When a certificate is “signed”, the contents of the certificate (such as public key, start validity date, and so forth) are hashed. Then, the hash is signed with the CA’s private key.
The encrypted hash is then also placed in the certificate as the “signature” of the certificate.
When someone verifies the authenticity of a certificate, he or she may need to establish a certificate chain to verify, then decrypt the signature with the public key at the end of the certificate chain, rehash the certificate, and compare the hash to the decrypted hash. He or she may also check the certificate’s start and end validity dates to verify the certificate is still valid.
Outline of a Generic Certificate
All certificates have the following basic fields:
•Version ID (Version 1, 2, or 3)
•Serial Number (arbitrary, but should be unique for each Certificate Authority)
•Signature Algorithm ID (for example, RSA with MD5)
•Issuer Distinguished Name (that is, the Certificate Authority (CA) who issues the certificate)
•Start Validity Date
•End Validity Date
•Subject Distinguished Name (that is, the owner or recipient of the certificate)
•Public Key Algorithm ID (for example, RSA encryption)
•Signature
•Extensions (optional)
34 | Chapter 1 |