
Introduction to the concept of certificates

Asymmetric encryption algorithms are based on the sharing of a public key among various users. In general, this key is shared via an electronic directory (usually in LDAP format) or a website.

However, this mode of sharing has a major shortcoming: nothing guarantees the key belongs to the user it is associated with. A hacker can corrupt the public key appearing in the directory by replacing it with his public key. As a result, the hacker will be able to decrypt all messages that have been encrypted with the key appearing in the directory.

A certificate makes it possible to associate a public key with an entity (a person, machine, etc.) to guarantee its validity. The certificate can be seen as the public key's ID card, issued by a body called a Certification Authority (often abbreviated CA).

The certification authority is responsible for issuing certificates, assigning them a validity date (similar to the expiration date on food products), and revoking certificates before this date in the event that the key (or its owner) is compromised.

Structure of certificates

Certificates are small files that are divided into two parts:

  • The part containing information
  • The part containing the certification authority's signature

The structure of certificates is standardized by the ITU's X.509 standard (more precisely X.509v3), which defines the information contained in the certificate:

  • The version of X.509 the certificate corresponds to;
  • The certificate's serial number;
  • The encryption algorithm used to sign the certificate;
  • The name (DN, for Distinguished Name) of the issuing certification authority;
  • The certificate's starting validity date;
  • The certificate's ending validity date;
  • The public key's subject;
  • The public key of the certificate's owner;
  • The certificate issuer's signature (thumbprint).

All of this information (information + requesting party's public key) is signed by the certification authority: a hash function creates a fingerprint of the information, and this hash is then encrypted with the certification authority's private key. The authority's public key has been widely distributed ahead of time so that users can verify the certification authority's signature with it.

Creating certificates

When a user wants to communicate with another person, he simply needs to obtain the recipient's certificate. This certificate contains the recipient's name and public key and is signed by the certification authority. It is therefore possible to verify the message's validity by first applying the hash function to the information contained in the certificate, then decrypting the certification authority's signature with its public key, and finally comparing the two results.
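The signing and verification steps described above, together with the directory key-substitution problem and the validity dates, can be walked through in a few lines. This is an added example, not code from the original page: it uses textbook RSA without padding on toy keys built from public Mersenne primes, and the field names, the "Example CA" issuer and the names Alice and Mallory are assumptions made for illustration.

```python
import hashlib
import json
from datetime import date

def make_keypair(p, q, e=65537):
    """Textbook RSA key pair from two primes (toy: no padding, public primes)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent
    return (n, e), (n, d)

def fingerprint(info):
    """Hash the information part of the certificate (canonical JSON encoding)."""
    data = json.dumps(info, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue(info, ca_private):
    """CA side: transform the fingerprint with the CA's private key."""
    n, d = ca_private
    return {"info": info, "signature": pow(fingerprint(info), d, n)}

def verify(cert, ca_public, today):
    """User side: recompute the hash, recover the CA's hash, compare, check dates."""
    n, e = ca_public
    if pow(cert["signature"], e, n) != fingerprint(cert["info"]):
        return "bad signature"
    info = cert["info"]
    if not info["not_before"] <= today.isoformat() <= info["not_after"]:
        return "outside validity period"
    return "valid"

# Constructed sample data: Mersenne primes are public, so these keys are illustrative only.
CA_PUB, CA_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
ALICE_PUB, _ = make_keypair(2**89 - 1, 2**607 - 1)
MALLORY_PUB = ((2**107 - 1) * (2**607 - 1), 65537)   # substituted key

CERT = issue({"serial": 1, "issuer": "CN=Example CA", "subject": "CN=Alice",
              "not_before": "2008-01-01", "not_after": "2009-01-01",
              "public_key": list(ALICE_PUB)}, CA_PRIV)

def substitute_key(cert, new_key):
    """Model the directory attack: swap the public key, keep the CA signature."""
    return {"info": dict(cert["info"], public_key=list(new_key)),
            "signature": cert["signature"]}

if __name__ == "__main__":
    print(verify(CERT, CA_PUB, date(2008, 10, 16)))
    print(verify(substitute_key(CERT, MALLORY_PUB), CA_PUB, date(2008, 10, 16)))
    print(verify(CERT, CA_PUB, date(2010, 1, 1)))
```

Because the signature covers the public key along with the other fields, replacing the key invalidates the certificate without any change to the directory itself being detected separately.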

Verifying the validity of certificates

Certificate signatures

There are various types of certificates depending on their signature level:

  • Self-signed certificates are certificates for internal use. Signed by a local server, this type of certificate makes it possible to guarantee confidential exchanges within an organization, for the purposes of an intranet, for example. Self-signed certificates can be used to authenticate users.
  • Certificates signed by a certification body are necessary when secure exchanges need to be ensured with anonymous users, for example in the case of a secure website that can be accessed by the general public. The third-party certifier guarantees the user that the certificate does indeed belong to the organization it is said to belong to.

Types of use

Certificates are mainly used in three types of contexts:

  • Client certificates, stored on the user's workstation or embedded in a container such as a chip card, make it possible to identify a user and associate him with rights. In most cases, they are transmitted to the server when a connection is made, and the server assigns rights according to the user's accreditation. They are real digital ID cards that use an asymmetric key pair ranging from 512 to 1024 bits long.
  • Server certificates, installed on a web server, make it possible to connect a service with the service's owner. In the case of a website, they make it possible to guarantee that the web page's URL and particularly its domain really belong to such or such a company. They also make it possible to protect transactions with users thanks to the SSL protocol.
  • VPN certificates are a type of certificate installed in network equipment that makes it possible to encrypt communication flows from start to finish between two points (for example, two company sites). In this type of scenario, the users have a client certificate, the servers apply a server certificate and the communication equipment uses a special certificate (generally an IPSec certificate).


Last update on Thursday October 16, 2008 02:43:17 PM. This document entitled « Certificates » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy and modify copies of this page, under the conditions stipulated by the licence, as long as this note appears clearly.