PKI Certificate Related Terminology

This section describes some commonly used terms related to PKI certificates.

CA (Certificate Authority): A PKI role that issues the digital certificate binding the subject's identity to the subject's public key.

Certification Chain: Also called Certificate Chain. An ordered list of certificates where the subject entity of one certificate is identical to the issuing entity of the next certificate.

Certificate Chain: Also called Certification Chain. An ordered list of certificates where the subject entity of one certificate is identical to the issuing entity of the next certificate.

CN (Common Name): A key component of the DN (Distinguished Name) to identify the "subject" or "issuer" entity in a PKI certificate.

CRL (Certificate Revocation List): A list of certificates revoked by the CA.

CTL (Certificate Trust List): A CTL is a list of hashes of certificates or a list of file names. All the items in the list are authenticated and approved by a trusted signing entity. A CTL_CONTEXT structure is similar to certificate and CRL context structures. A CTL context can be persisted to the certificate store.

DN (Distinguished Name): A set of text components: Common Name (CN), Organization (O), Organizational Unit (OU), Locality (L), State or Province (ST), and Country (C), used to uniquely identify the "subject" or "issuer" entity in a PKI certificate.

Digital Signature: A mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit.

DNS (Domain Name System): A hierarchical system that provides names and maps them to IP addresses for computer servers on the Internet. For example: "dns.google.com" is the DNS name mapped to the IP address of "8.8.8.8".

HTTPS (Hypertext Transfer Protocol Secure): A communication protocol that uses the HTTP (Hypertext Transfer Protocol) and the SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocols to provide encrypted communication and secure identification of a Web server.

OID (Object IDentifier): A sequence of numbers that uniquely identifies an object, which is a reference to a specific "thing" assigned by a related authority. OIDs are organized in a hierarchical tree structure under 3 root nodes: 0 for ITU-T, 1 for ISO, and 2 for joint-iso-itu-t.

PEM (Privacy Enhanced Mail): A file format for PKI certificate files. It uses Base64 encoding to encode the certificate content and adds two boundary lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".

PKCS7 (Public-Key Cryptography Standard #7): A file format commonly used to store a PKI certificate chain. When a PKCS7 file is encoded in PEM form, it contains two boundary lines "-----BEGIN PKCS7-----" and "-----END PKCS7-----".

PKCS12 (Public-Key Cryptography Standard #12): A file format commonly used to store a PKI certificate and its matching private/public key pair. A PKCS12 file is protected by a password.

PKI (Public Key Infrastructure): An information technology infrastructure that enables Internet users to securely and privately exchange information through the use of a public and a private key pair that is obtained and shared through a trusted authority.

PKIX (Public Key Infrastructure for X.509 Certificates): PKIX actually refers to an IETF working group established in 1995 with the goal of developing Internet standards to support X.509-based Public Key Infrastructures (PKIs).

RA (Registration Authority): A PKI role that verifies the identity of the subject.

SAN (Subject Alternative Name): An extension data field in PKI certificates that provides additional information to the Subject Name field.

S/MIME (Secure/Multipurpose Internet Mail Extensions): S/MIME is a standard to secure MIME data with public key signing and encryption. S/MIME was originally developed by RSA Data Security Inc. as PKCS#7 (Public-Key Cryptography Standards #7). The latest specification of S/MIME is RFC 5751: "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 - Message Specification".

SSL (Secure Sockets Layer): A protocol to provide communication security over a computer network using X.509 certificates.

TLS (Transport Layer Security): A protocol to provide communication security over a computer network using X.509 certificates.

VA (Validation Authority): A PKI role that verifies the digital certificate of the subject.

X.509: A standard format for public key certificates developed by ITU (International Telecommunication Union) in 1988.
