PKI Certificate Tutorials - Herong's Tutorial Examples - v1.12, by Herong Yang
PKI Certificate Related Terminology
This section provides descriptions on some commonly used PKI certificate related terminologies.
CA (Certificate Authority): A PKI role that issues the digital certificate binding subject's identity with subject's public key.
Certification Chain: Also called Certificate Chain. An ordered list of certificates where the subject entity of one certificate is identical to the issuing entity of the next certificate.
Certificate Chain: Also called Certification Chain. An ordered list of certificates where the subject entity of one certificate is identical to the issuing entity of the next certificate.
CN (Common Name): A key component of the DN (Distinguished Name) to identify the "subject" or "issuer" entity in a PKI certificate.
CRL (Certificate Revocation List): A list of certificates revoked by the CA.
CTL (Certificate Trust List): A CTL is a list of hashes of certificates or a list of file names. All the items in the list are authenticated and approved by a trusted signing entity. A CTL_CONTEXT structure is similar to certificate and CRL context structures. A CTL context can be persisted to the certificate store.
DN (Distinguished Name): A set text components: Common Name (CN), Organization (O), Organizational Unit (OU), Locality (L), State or Province (ST), and Country (C), to uniquely identify the "subject" or "issuer" entity in a PKI certificate.
Digital Signature: A mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit."
DNS (Domain Name System): A hierarchical system to provides names and maps them to IP addresses for computer servers on the Internet. For example: "dns.google.com" is the DNS name mapped to the IP addresss of "8.8.8.8".
HTTPS (Hypertext Transfer Protocol Secure): A communication protocol that uses the HTTP (Hypertext Transfer Protocol) and the SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocols to provide encrypted communication and secure identification of a Web server.
OID (Object IDentifier): A sequence of numbers that uniquely identifies an object, which is a reference to a specific "thing" assigned by a related authority. OIDs are organized in a hierarchical tree structure under 3 root nodes: 0 for ITU-T, 1 for ISO, and 2 for joint-iso-itu-t.
PEM (Privacy Enhanced Mail): A file format for PKI certificate files. It uses Base64 encoding to encode the certificate content and adds two boundary lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
PKCS7 (Public-Key Cryptography Standard #7): A file format commonly used to store a PKI certificate chain. When a PKCS7 file is encoded in PEM form, it contains two boundary lines "-----BEGIN PKCS7-----" and "-----END PKCS7-----".
PKCS12 (Public-Key Cryptography Standard #12): A file format commonly used to store a PKI certificate and its matching private/public key pair. A PKCS12 file is protected by a password.
PKI (Public Key Infrastructure): An information technology infrastructure that enables Internet users to securely and privately exchange information through the use of a public and a private key pair that is obtained and shared through a trusted authority.
PKIX (Public Key Infrastructure for X.509 Certificates): PKIX actually refers to an IETF working group established in 1995 with the goal of developing Internet standards to support X.509-based Public Key Infrastructures (PKIs).
RA (Registration Authority): A PKI role that verifies the identify of the subject.
SAN (Subject Alternative Name): An extension data field in PKI certificates that provide additional information to the Subject Name field.
S/MIME (Secure/Multipurpose Internet Mail Extensions): S/MIME is a standard to secure MIME data with public key signing and encryption. S/MIME was originally developed by RSA Data Security Inc. as PKCS#7 (Public-Key Cryptography Standards #7). The latest specification of S/MIME is RFC 5751: "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 - Message Specification"
SSL (Secure Sockets Layer): A protocol to provide communication security over a computer network using X.509 certificates.
TLS (Transport Layer Security): A protocol to provide communication security over a computer network using X.509 certificates.
VA (Validation Authority): A PKI role that verifies the digital certificate of the subject.
X.509: A standard format for public key certificates developed by ITU (International Telecommunication Union) in 1988.
Table of Contents
Introduction of PKI (Public Key Infrastructure)
Introduction of PKI Certificate
OpenSSL - Cryptography Toolkit
"openssl ca" - CA (Certificate Authority) Tool
Java "keytool" Commands and KeyStore Files
PKCS12 Certificate Bundle File