go to  ForumEasy.com   
JavaPro  
 
 
   Home  |  MyForum  |  FAQ  |  Archive    You are not logged in. [Login] or [Register]  
Forum Home » Java Cryptography Extension (JCE) » X.509 Certificate & PKIX
Email To Friend  |   Set Alert To This Topic Rewarding Points Availabe: 0 (What's this) New Topic  |   Post Reply
Author Topic: X.509 Certificate & PKIX
X509
member
offline   
 
posts: 28
joined: 05/01/2007
from: MS
  posted on: 05/01/2007 07:54:20 PM    Edit  |   Quote  |   Report 
X.509 Certificate & PKIX
What is a Certificate?
A certificate is a digitally signed statement from on entity (the issuer), saying that the public key (and some other information) of another entity (the subject) has some specific value.

What is X.509?
In cryptography, X.509 is a standard specifying formats for public-key certificates and a certification path validation algorithm.

What is PKIX?
PKIX for Public Key Infrastructure (X.509).

What is X.509 Certificate?
X.509 certificate usually refers to the IETF's PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, commonly referred to as PKIX.

 Profile | Reply Points Earned: 0
X509
member
offline   
 
posts: 28
joined: 05/01/2007
from: MS
  posted on: 05/01/2007 07:56:24 PM    Edit  |   Quote  |   Report 
Structure of a X.509 certificate

The structure of a X.509 v3 digital certificate is as follows:

Certificate 
  Version 
  Serial Number 
  Algorithm ID 
  Issuer 
  Validity 
    Not Before 
    Not After 
  Subject 
  Subject Public Key Info 
    Public Key Algorithm 
    Subject Public Key 
  Issuer Unique Identifier (Optional, since V2) 
  Subject Unique Identifier (Optional, since V2) 
  Extensions (Optional, since V3) 
    KeyUsage (e.g. keyCertSign)
    AlternativeNames (e.g. DNS anmes, Email address)
    ... 
Certificate Signature Algorithm 
Certificate Signature 


 Profile | Reply Points Earned: 0
X509
member
offline   
 
posts: 28
joined: 05/01/2007
from: MS
  posted on: 05/01/2007 07:57:29 PM    Edit  |   Quote  |   Report 
Example of a X.509 certificate

Certificate:
   Data:
       Version: 1 (0x0)
       Serial Number: 7829 (0x1e95)
       Signature Algorithm: md5WithRSAEncryption
       Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc,
               OU=Certification Services Division,
               CN=Thawte Server CA/emailAddress=server-certs@thawte.com
       Validity
           Not Before: Jul  9 16:04:02 1998 GMT
           Not After : Jul  9 16:04:02 1999 GMT
       Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala,
                OU=example, CN=www.example.org/emailAddress=xyz@example.org
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (1024 bit)
               Modulus (1024 bit):
                   00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb:
                   33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1:
                   66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66:
                   70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17:
                   16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b:
                   c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77:
                   8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3:
                   d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8:
                   e8:35:1c:9e:27:52:7e:41:8f
               Exponent: 65537 (0x10001)
   Signature Algorithm: md5WithRSAEncryption
       93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d:
       92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:2f:92:
       ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:9c:67:
       d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:41:72:
       0d:19:aa:ad:dd:9a:df:ab:97:50:65:f5:5e:85:a6:ef:19:d1:
       5a:de:9d:ea:63:cd:cb:cc:6d:5d:01:85:b5:6d:c8:f3:d9:f7:
       8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:b5:22:
       68:9f


 Profile | Reply Points Earned: 0
X509
member
offline   
 
posts: 28
joined: 05/01/2007
from: MS
  posted on: 05/01/2007 07:59:02 PM    Edit  |   Quote  |   Report 
Certificate File Extensions

Common filename extensions for X.509-certificates are:

  • .CER - Canonical encoding rules (CER) encoded certificate
  • .DER - Distinguished Encoding Rules (DER) encoded certificate
  • .PEM - Privacy Enhanced Mail (PEM) base64 encoded certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", may contain private key(s)
  • .P7C - PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
  • .P12 - PKCS#12, evolved from the PFX , may contain certificate(s) (public) and private keys (password protected)

  •  Profile | Reply Points Earned: 0
    X509
    member
    offline   
     
    posts: 28
    joined: 05/01/2007
    from: MS
      posted on: 05/01/2007 08:00:57 PM    Edit  |   Quote  |   Report 
    How to verify/validate/trust a certificate?

    Simply two ways:

    1) by checking the authenticity of the signature of the issuer: Use issuer's public key to hash the signature into two sets of hashes (take TSL for example, one from MD5 and one from SHA-1) and compare them. If there is a match, the signature is authentic, otherwise it's not. In order to get the issuer's public key, you most likely need another certificate which is issued to the first certificate's issuer. Then the question is back to how to verify/validate/trust the issuer's certificate. The answer is to use another certificate. You see it's a chain and eventually you are deemed to reach the top of the chain, the Certificate Authority (CA) certificate, which is self-signed certificate. How to trust a CA certificate, the answer is 2).

    2) by heart: In GOD We Trust.

     Profile | Reply Points Earned: 0
    X509
    member
    offline   
     
    posts: 28
    joined: 05/01/2007
    from: MS
      posted on: 05/01/2007 08:01:55 PM    Edit  |   Quote  |   Report 
    Is it possible to retrieve the private key from a certificate?

    No for most cases, but maybe yes if the certificate is in form of .PEM, .pfx or .P12.

     Profile | Reply Points Earned: 0
    X509
    member
    offline   
     
    posts: 28
    joined: 05/01/2007
    from: MS
      posted on: 03/04/2008 02:44:17 PM    Edit  |   Quote  |   Report 
    Another Example of a X.509 certificate
    Certificate: 
        Data: 
            Version: 3 (0x2) 
            Serial Number: 1 (0x1) 
            Signature Algorithm: md5WithRSAEncryption 
            Issuer: C=FJ, ST=Fiji, L=Suva, O=SOPAC, OU=ICT, 
                       CN=SOPAC Root CA/Email=administrator@sopac.org 
            Validity 
                Not Before: Nov 20 05:47:44 2001 GMT 
                Not After : Nov 20 05:47:44 2002 GMT 
            Subject: C=FJ, ST=Fiji, L=Suva, O=SOPAC, OU=ICT,
                         CN=www.sopac.org/Email=administrator@sopac.org 
            Subject Public Key Info: 
                Public Key Algorithm: rsaEncryption  
                RSA Public Key: (1024 bit) 
                    Modulus (1024 bit): 
                        00:ba:54:2c:ab:88:74:aa:6b:35:a5:a9:c1:d0:5a: 
                        9b:fb:6b:b5:71:bc:ef:d3:ab:15:cc:5b:75:73:36: 
                        b8:01:d1:59:3f:c1:88:c0:33:91:04:f1:bf:1a:b4: 
                        7a:c8:39:c2:89:1f:87:0f:91:19:81:09:46:0c:86: 
                        08:d8:75:c4:6f:5a:98:4a:f9:f8:f7:38:24:fc:bd: 
                        94:24:37:ab:f1:1c:d8:91:ee:fb:1b:9f:88:ba:25: 
                        da:f6:21:7f:04:32:35:17:3d:36:1c:fb:b7:32:9e: 
                        42:af:77:b6:25:1c:59:69:af:be:00:a1:f8:b0:1a: 
                        6c:14:e2:ae:62:e7:6b:30:e9 
                    Exponent: 65537 (0x10001) 
             X509v3 extensions: 
                 X509v3 Basic Constraints: 
                     CA:FALSE 
                 Netscape Comment: 
                     OpenSSL Generated Certificate
                 X509v3 Subject Key Identifier:
                     FE:04:46:ED:A0:15:BE:C1:4B:59:03:F8:2D:0D:ED:2A:E0:ED:F9:2F 
                 X509v3 Authority Key Identifier:
                     keyid:E6:12:7C:3D:A1:02:E5:BA:1F:DA:9E:37:BE:E3:45:3E:9B:AE:E5:A6 
                     DirName:/C=FJ/ST=Fiji/L=Suva/O=SOPAC/OU=ICT/CN=SOPAC Root CA/
                                    Email=administrator@sopac.org 
                     serial:00
        Signature Algorithm: md5WithRSAEncryption
            34:8d:fb:65:0b:85:5b:e2:44:09:f0:55:31:3b:29:2b:f4:fd: 
            aa:5f:db:b8:11:1a:c6:ab:33:67:59:c1:04:de:34:df:08:57: 
            2e:c6:60:dc:f7:d4:e2:f1:73:97:57:23:50:02:63:fc:78:96: 
            34:b3:ca:c4:1b:c5:4c:c8:16:69:bb:9c:4a:7e:00:19:48:62: 
            e2:51:ab:3a:fa:fd:88:cd:e0:9d:ef:67:50:da:fe:4b:13:c5: 
            0c:8c:fc:ad:6e:b5:ee:40:e3:fd:34:10:9f:ad:34:bd:db:06: 
            ed:09:3d:f2:a6:81:22:63:16:dc:ae:33:0c:70:fd:0a:6c:af:
            bc:5a 
    -----BEGIN CERTIFICATE----- 
    MIIDoTCCAwqgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBiTELMAkGA1UEBhMCRkox 
    DTALBgNVBAgTBEZpamkxDTALBgNVBAcTBFN1dmExDjAMBgNVBAoTBVNPUEFDMQww 
    CgYDVQQLEwNJQ1QxFjAUBgNVBAMTDVNPUEFDIFJvb3QgQ0ExJjAkBgkqhkiG9w0B 
    CQEWF2FkbWluaXN0cmF0b3JAc29wYWMub3JnMB4XDTAxMTEyMDA1NDc0NFoXDTAy 
    MTEyMDA1NDc0NFowgYkxCzAJBgNVBAYTAkZKMQ0wCwYDVQQIEwRGaWppMQ0wCwYD 
    VQQHEwRTdXZhMQ4wDAYDVQQKEwVTT1BBQzEMMAoGA1UECxMDSUNUMRYwFAYDVQQD 
    Ew13d3cuc29wYWMub3JnMSYwJAYJKoZIhvcNAQkBFhdhZG1pbmlzdHJhdG9yQHNv 
    cGFjLm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAulQsq4h0qms1panB 
    0Fqb+2u1cbzv06sVzFt1cza4AdFZP8GIwDORBPG/GrR6yDnCiR+HD5EZgQlGDIYI 
    2HXEb1qYSvn49zgk/L2UJDer8RzYke77G5+IuiXa9iF/BDI1Fz02HPu3Mp5Cr3e2 
    JRxZaa++AKH4sBpsFOKuYudrMOkCAwEAAaOCARUwggERMAkGA1UdEwQCMAAwLAYJ 
    YIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud
    DgQWBBT+BEbtoBW+wUtZA/gtDe0q4O35LzCBtgYDVR0jBIGuMIGrgBTmEnw9oQLl 
    uh/anje+40U+m67lpqGBj6SBjDCBiTELMAkGA1UEBhMCRkoxDTALBgNVBAgTBEZp 
    amkxDTALBgNVBAcTBFN1dmExDjAMBgNVBAoTBVNPUEFDMQwwCgYDVQQLEwNJQ1Qx 
    FjAUBgNVBAMTDVNPUEFDIFJvb3QgQ0ExJjAkBgkqhkiG9w0BCQEWF2FkbWluaXN0 
    cmF0b3JAc29wYWMub3JnggEAMA0GCSqGSIb3DQEBBAUAA4GBADSN+2ULhVviRAnw 
    VTE7KSv0/apf27gRGsarM2dZwQTeNN8IVy7GYNz31OLxc5dXI1ACY/x4ljSzysQb 
    xUzIFmm7nEp+ABlIYuJRqzr6/YjN4J3vZ1Da/ksTxQyM/K1ute5A4/00EJ+tNL3b 
    Bu0JPfKmgSJjFtyuMwxw/Qpsr7xa
    -----END CERTIFICATE-----
    

    As you may have noticed, the certificate contains essential elements:
  • the issuer
  • the owner/subject
  • the public key of the owner
  • the dates of validity of this certificate
  • the signature of the certificate to ensure this certificate hasn't been tampered with.

    The certificate does not contain the private key as it should never be transmitted in any form whatsoever.


  •  Profile | Reply Points Earned: 0
    X509
    member
    offline   
     
    posts: 28
    joined: 05/01/2007
    from: MS
      posted on: 03/04/2008 03:10:20 PM    Edit  |   Quote  |   Report 
    What is a certificate used for?
    Onec you have a certificate, you can retrieve the public key from the certificate. Once you have the public key of the owner, you can do the followings:

  • send an encrypted message (using the public key) to the owner, the owner can decode it only by his private key;
  • reversely, decode an message from the owner which is encrypted by owner's private key. By successfully doing this, you can verify the originality of the message.

  •  Profile | Reply Points Earned: 0

     
    Powered by ForumEasy © 2003-2005, All Rights Reserved. | Privacy Policy | Terms of Use
     
    Get your own forum today. It's easy and free.