PKI Certificate Tutorials - Herong's Tutorial Examples - v1.10, by Herong Yang
What Is PKI Certificate
This section describes what is PKI certificate and what are basic data fields included in a PKI certificate.
What Is PKI Certificate? A PKI Certificate is a document, digitally signed by a PKI Certificate Authority (CA), that certifies the identity of a given entity, e.g. Website and email address, and its public key. In other words, a certificate is used to prove the ownership of a public key.
From a cryptographic point of view, a PKI certificate only needs 4 basic data fields:
However, a PKI certificate is required to contain other data fields to provide better protection. For example:
Here is an example of a PKI certificate encoded in the Privacy Enhanced Mail (PEM) format:
-----BEGIN CERTIFICATE----- MIIFNTCCBB2gAwIBAgIQFg7fsvIGgVNJC1rMIEGqBDANBgkqhkiG9w0BAQsFADCB lzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxPTA7BgNV BAMTNENPTU9ETyBSU0EgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1cmUg RW1haWwgQ0EwHhcNMTgwOTEwMDAwMDAwWhcNMTkwOTEwMjM1OTU5WjAmMSQwIgYJ KoZIhvcNAQkBFhVoZXJvbmdfeWFuZ0B5YWhvby5jb20wggEiMA0GCSqGSIb3DQEB AQUAA4IBDwAwggEKAoIBAQCbWhOmdmJedtYBBk3g/x+bGqqDZfKSDGEX7R19ZDMj 639yBaHyEMhothIkn+nydf9C26J8AGeaKgKVDcAluYaMQbRz6fa8ioVH1dKIaksx dmwMtkS2CJG7APfoKQRtw38IMRRt3uYyYn+pQYmAiZMFBmfkIXzuDeYDnvB/1Yln jMo08ZynJO8GjzdSKRas3WX6CrlAf487IyA82vVnIobvbxL+E8hzR98dQ7l0sC62 lIA2eGHeWdrmU0yXqRLi1GkI89UWLWmX3F2klHc9Ue3pFvoIV03UgPFW/1zNiXhC 2Lywa/jyHC6HZvPk/VB4Efgmxyqg3IYOoNzZzRUHd0yvAgMBAAGjggHrMIIB5zAf BgNVHSMEGDAWgBSCr2yM+MX+lmF86B89K3FIXsSLwDAdBgNVHQ4EFgQUNzIPHDap ZnKhB4EwTAeGHkT1eIgwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwIAYD VR0lBBkwFwYIKwYBBQUHAwQGCysGAQQBsjEBAwUCMBEGCWCGSAGG+EIBAQQEAwIF IDBGBgNVHSAEPzA9MDsGDCsGAQQBsjEBAgEBATArMCkGCCsGAQUFBwIBFh1odHRw czovL3NlY3VyZS5jb21vZG8ubmV0L0NQUzBaBgNVHR8EUzBRME+gTaBLhklodHRw Oi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9SU0FDbGllbnRBdXRoZW50aWNhdGlv bmFuZFNlY3VyZUVtYWlsQ0EuY3JsMIGLBggrBgEFBQcBAQR/MH0wVQYIKwYBBQUH MAKGSWh0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET1JTQUNsaWVudEF1dGhl bnRpY2F0aW9uYW5kU2VjdXJlRW1haWxDQS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6 Ly9vY3NwLmNvbW9kb2NhLmNvbTAgBgNVHREEGTAXgRVoZXJvbmdfeWFuZ0B5YWhv by5jb20wDQYJKoZIhvcNAQELBQADggEBAGhDBs1iq/qYLpVaH5tRCL/ntKH6xtGS IkaFNU86R71S82yMAoP1uhp90e+nJaOpVkGl6NeEHDC6X1YOp7O6V37G+odoYCvX ISZagR3x0RkIAyTPhTEkBFxxFhW8fEQzqUJEcN4NR92KUiJ20OBZW8p7dnm2l8M7 xGI1JNhbddIsaIrBKbGxmWPgbD9Vt24NTCw6qzcmJB6hhsJRsM+sycgkDptFROlx b/2ykfnYqZ5rOjwn2ELZW/TbctgOd8nDGE3J1qrGCDENkOwdZWSUEeZC+ffwH1Vs rqswdEyHMOYU0hdd763IQL34PZksdFl8OdXvCBCXfJsrzzOrwlk4xcs= -----END CERTIFICATE-----
Here is the content of the above certificated decoded and printed out by the OpenSSL tool:
Certificate: Data: Version: 3 (0x2) Serial Number: 16:0e:df:b2:f2:06:81:53:49:0b:5a:cc:20:41:aa:04 Signature Algorithm: sha256WithRSAEncryption Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Client Authentication and Secure Email CA Validity Not Before: Sep 10 00:00:00 2018 GMT Not After : Sep 10 23:59:59 2019 GMT Subject: emailAddress=herong_yang@yahoo.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:9b:5a:13:a6:76:62:5e:76:d6:01:06:4d:e0:ff: 1f:9b:1a:aa:83:65:f2:92:0c:61:17:ed:1d:7d:64: 33:23:eb:7f:72:05:a1:f2:10:c8:68:b6:12:24:9f: ... Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid: 82:AF:6C:8C:F8:C5:FE:96:61:7C:E8:1F:3D:2B:71:48:5E:C4:8B:C0 X509v3 Subject Key Identifier: 37:32:0F:1C:36:A9:66:72:A1:07:81:30:4C:07:86:1E:44:F5:78:88 X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Basic Constraints: critical CA:FALSE X509v3 Extended Key Usage: E-mail Protection, 1.3.6.1.4.1.6449.1.3.5.2 Netscape Cert Type: S/MIME X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.6449.1.2.1.1.1 CPS: https://secure.comodo.net/CPS X509v3 CRL Distribution Points: URI:http://crl.comodoca.com/COMODORSAClient...EmailCA.crl Authority Information Access: CA Issuers - URI:http://crt.comodoca.com/COMODORSA...CA.crt OCSP - URI:http://ocsp.comodoca.com X509v3 Subject Alternative Name: email:herong_yang@yahoo.com Signature Algorithm: sha256WithRSAEncryption 68:43:06:cd:62:ab:fa:98:2e:95:5a:1f:9b:51:08:bf:e7:b4: a1:fa:c6:d1:92:22:46:85:35:4f:3a:47:bd:52:f3:6c:8c:02: 83:f5:ba:1a:7d:d1:ef:a7:25:a3:a9:56:41:a5:e8:d7:84:1c: ...
From the printout, we can easily locate certificate basic data fields mentioned earlier.
Table of Contents
Introduction of PKI (Public Key Infrastructure)
►Introduction of PKI Certificate
OpenSSL - Cryptography Toolkit
"openssl ca" - CA (Certificate Authority) Tool
Java "keytool" Commands and KeyStore Files
PKCS12 Certificate Bundle File