X.509
X.509 is an ITU-T standard for a public key infrastructure for creating digital certificates. The standard was last updated as ISO/IEC 9594-8 in May 2017. It specifies the following data types: public-key certificate, attribute certificate, certificate revocation list (CRL) and attribute certificate revocation list (ACRL). In electronic communication, X.509 certificates are used with the TLS versions of various transmission protocols, for example when accessing web pages over HTTPS, or for signing and encrypting e-mails according to the S/MIME standard.
History
X.509 was first released in 1988. Its development began in connection with the X.500 standard, which was never fully implemented. X.509 presupposes a strict hierarchical system of trusted certificate authorities (CAs) that may issue the certificates. This principle contrasts with the web-of-trust model, which forms a graph rather than just a tree and in which anyone can "sign" a certificate and thus attest to its authenticity (see e.g. OpenPGP).
Version 3 of X.509 (X.509v3) provides the flexibility to be extended with profiles. The IETF developed the most important profile, the PKIX Certificate and CRL Profile, or "PKIX" for short, as part of RFC 3280, currently RFC 5280. The term "X.509 certificate" mostly refers to it.
Certificates
In the X.509 system, a digital certificate issued by a certification authority is always bound to a "Distinguished Name" or an "Alternative Name" such as an e-mail address or a DNS entry.
Almost all web browsers contain a preconfigured list of trusted certification authorities whose X.509 certificates the browser trusts. Colloquially, these are often referred to as SSL certificates.
X.509 also includes a standard by which the certification authority can invalidate certificates again if their security is no longer assured (e.g. after the private key for signing e-mails has become public). The CA can list these invalid certificates in certificate revocation lists (CRLs). The automatic check of whether a certificate has since been placed on a revocation list is not enabled by default in all programs that accept X.509 certificates.
Structure of an X.509 v3 certificate
- Certificate
  - Version
  - Serial number
  - Algorithm ID
  - Issuer
  - Validity
    - from
    - to
  - Certificate holder
  - Certificate holder key information
    - Public key algorithm
    - Public key of the certificate holder
  - Unique ID of the issuer (optional)
  - Unique ID of the owner (optional)
  - Extensions
    - ...
- Certificate signature algorithm
- Certificate signature
Issuer and certificate holder are each characterized by a number of attributes:
- Common name (CN)
- Organization (O)
- Organizational unit (OU)
- Country / Region (C)
- State (ST)
- Locality (L)
Issuer and owner ID were introduced in version 2, extensions in version 3.
Extensions
Extensions have become a very important part of a certificate. Extensions have the following substructure:
- Extension ID
- Flag (critical / uncritical)
- value
Each extension has a specific ID. The flag is used to introduce a new extension gradually: new extensions are initially marked as non-critical, and an implementation that encounters an unknown non-critical extension can ignore it. Once an extension is set to critical after sufficient testing, however, a certificate with an unknown critical extension must be considered invalid. Examples of extensions are:
- KeyUsage: Indicates the application for which this certificate was issued. A CA certificate, for example, must have keyCertSign and cRLSign entered here.
- BasicConstraints: Transitive trust is impossible without this extension. Basic constraints are:
  - CA: Indicates whether the certificate belongs to a certification authority. In a certificate chain, every certificate except that of the last instance (of the user / server) must be marked as a CA.
  - PathLen: Indicates the maximum length of the certificate chain.
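The rules above (the critical flag, the CA marker, keyCertSign and PathLen) can be applied to a chain as follows. This is an added example, not part of the original article: certificates are modelled as plain dictionaries with constructed names and OIDs, and PathLen is read as in RFC 5280, as the number of further CA certificates allowed below the one that carries it.

```python
# Added example on constructed data; a real validator works on parsed DER certificates.
KNOWN = {"keyUsage", "basicConstraints", "subjectAltName"}  # extensions this validator understands

def ext(ext_id, critical, value=None):
    return {"id": ext_id, "critical": critical, "value": value}

def cert(subject, *extensions):
    return {"subject": subject, "ext": {e["id"]: e for e in extensions}}

def check_chain(chain):
    """chain[0] is the end-entity certificate, chain[-1] the top-level CA.
    Returns a list of problems; an empty list means every check passed."""
    problems = []
    for depth, c in enumerate(chain):
        name, exts = c["subject"], c["ext"]
        # Unknown non-critical extensions are ignored; unknown critical ones invalidate.
        for e in exts.values():
            if e["id"] not in KNOWN and e["critical"]:
                problems.append(f"{name}: unknown critical extension {e['id']}")
        if depth == 0:
            continue  # only certificates that issue others must be CAs
        bc = exts["basicConstraints"]["value"] if "basicConstraints" in exts else {}
        if not bc.get("ca", False):
            problems.append(f"{name}: not marked as CA")
        ku = exts["keyUsage"]["value"] if "keyUsage" in exts else set()
        if "keyCertSign" not in ku:
            problems.append(f"{name}: keyCertSign missing")
        # Assumption (RFC 5280 reading): pathLen counts CA certificates below this one.
        cas_below = depth - 1
        if bc.get("pathLen") is not None and cas_below > bc["pathLen"]:
            problems.append(f"{name}: pathLen {bc['pathLen']} exceeded")
    return problems

CA_USAGE = {"keyCertSign", "cRLSign"}
ROOT = cert("CN=Example Root", ext("basicConstraints", True, {"ca": True}),
            ext("keyUsage", True, CA_USAGE))
SUB = cert("CN=Example Sub CA", ext("basicConstraints", True, {"ca": True, "pathLen": 0}),
           ext("keyUsage", True, CA_USAGE))
LEAF = cert("CN=www.example.test", ext("keyUsage", True, {"digitalSignature"}),
            ext("1.3.6.1.4.1.99999.1", False))  # constructed OID, non-critical: ignored
NON_CA = cert("CN=mail.example.test", ext("keyUsage", True, {"digitalSignature"}))
ODD_LEAF = cert("CN=other.example.test", ext("1.3.6.1.4.1.99999.2", True))  # critical, unknown
GOOD = [LEAF, SUB, ROOT]
BAD = [ODD_LEAF, NON_CA, SUB, ROOT]  # a non-CA certificate sits in an issuer position

if __name__ == "__main__":
    print(check_chain(GOOD))
    for problem in check_chain(BAD):
        print(problem)
```

The second chain shows why BasicConstraints matters: without the CA check, any end-entity certificate could act as an issuer for further certificates.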
Filename extensions for certificates
Common file name extensions for X.509 certificates are:
- .CER - DER or Base64 encoded certificate
- .CRT - DER or Base64 encoded certificate
- .CSR - Base64-encoded certification request of the public key (plus further metadata of the owner) to a CA, enclosed by "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----"
- .DER - DER-encoded certificate
- .P12 - PKCS #12, can contain public certificates and private keys (password-protected).
- .P7B - See .p7c
- .P7C - PKCS #7-signed data structure without data content, only with certificate(s) or certificate revocation list(s)
- .PEM - Base64-encoded certificate, enclosed by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
- .PFX - See .p12
PKCS #7 is a standard for signing and encrypting data. Since the certificate is needed to verify the signed data, it can be placed in the "SignedData" structure. A .p7c file is the special case of a file that does not contain any data to be signed, but only the "SignedData" structure.
PKCS #12 evolved from the PFX (Personal Information eXchange) standard and is used to exchange public and private keys in a common file.
A .PEM file can contain certificates and/or private keys, each enclosed by corresponding BEGIN / END lines.
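Because a single .PEM file can mix certificates and private keys, it is worth checking what a bundle contains before it is distributed. The following added example (not part of the original article) splits a PEM text into its BEGIN / END blocks and reports the block types; the sample input is constructed from tiny DER stand-ins, and the function names are this example's own.

```python
import base64
import re

# Matches one block: BEGIN line, Base64 body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every BEGIN/END block in text.
    Legacy encrypted keys with header lines (Proc-Type, DEK-Info) are not handled."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks

def audit_bundle(text):
    """Summarise a PEM file: what it contains and whether private keys are present."""
    blocks = pem_blocks(text)
    return {
        "certificates": sum(1 for label, _ in blocks if label == "CERTIFICATE"),
        "requests": sum(1 for label, _ in blocks if label == "CERTIFICATE REQUEST"),
        "private_keys": [label for label, _ in blocks if label.endswith("PRIVATE KEY")],
        # DER certificates, requests and keys are ASN.1 SEQUENCEs (tag byte 0x30).
        "not_der_sequence": [label for label, der in blocks if der[:1] != b"\x30"],
    }

def make_pem(label, der):
    """Wrap bytes in BEGIN/END lines (used here only to build the constructed sample)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

# Constructed sample: tiny DER stand-ins, not real certificates or keys.
FAKE_DER = b"\x30\x03\x02\x01\x02"   # SEQUENCE { INTEGER 2 }
SAMPLE = (
    "Bag Attributes: text outside the blocks is ignored\n"
    + make_pem("CERTIFICATE", FAKE_DER)
    + make_pem("CERTIFICATE", FAKE_DER)
    + make_pem("PRIVATE KEY", FAKE_DER)
    + make_pem("CERTIFICATE", b"\x04\x01\x00")   # OCTET STRING: wrong outer type
)

if __name__ == "__main__":
    print(audit_bundle(SAMPLE))
```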
Example of an X.509 certificate
Text representation of a digital certificate based on X.509v3 (version 3). (The structure is based on ASN.1.):
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=AT, ST=Steiermark, L=Graz, O=TrustMe Ltd, OU=Certificate Authority, CN=CA/[email protected]
            Validity
                Not Before: Oct 29 17:39:10 2000 GMT
                Not After : Oct 29 17:39:10 2001 GMT
            Subject: C=AT, ST=Vienna, L=Vienna, O=Home, OU=Web Lab, CN=anywhere.com/[email protected]
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:c4:40:4c:6e:14:1b:61:36:84:24:b2:61:c0:b5:
                        d7:e4:7a:a5:4b:94:ef:d9:5e:43:7f:c1:64:80:fd:
                        9f:50:41:6b:70:73:80:48:90:f3:58:bf:f0:4c:b9:
                        90:32:81:59:18:16:3f:19:f4:5f:11:68:36:85:f6:
                        1c:a9:af:fa:a9:a8:7b:44:85:79:b5:f1:20:d3:25:
                        7d:1c:de:68:15:0c:b6:bc:59:46:0a:d8:99:4e:07:
                        50:0a:5d:83:61:d4:db:c9:7d:c3:2e:eb:0a:8f:62:
                        8f:7e:00:e1:37:67:3f:36:d5:04:38:44:44:77:e9:
                        f0:b4:95:f5:f9:34:9f:f8:43
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Alternative Name:
                    email:[email protected]
                Netscape Comment:
                    mod_ssl generated test server certificate
                Netscape Cert Type:
                    SSL Server
        Signature Algorithm: md5WithRSAEncryption
            12:ed:f7:b3:5e:a0:93:3f:a0:1d:60:cb:47:19:7d:15:59:9b:
            3b:2c:a8:a3:6a:03:43:d0:85:d3:86:86:2f:e3:aa:79:39:e7:
            82:20:ed:f4:11:85:a3:41:5e:5c:8d:36:a2:71:b6:6a:08:f9:
            cc:1e:da:c4:78:05:75:8f:9b:10:f0:15:f0:9e:67:a0:4e:a1:
            4d:3f:16:4c:9b:19:56:6a:f2:af:89:54:52:4a:06:34:42:0d:
            d5:40:25:6b:b0:c0:a2:03:18:cd:d1:07:20:b6:e5:c5:1e:21:
            44:e7:c5:09:d2:d5:94:9d:6c:13:07:2f:3b:7c:4c:64:90:bf:
            ff:8e
Literature
- X.509 Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks
- Patrick Huber: Structure and function of public key infrastructures. GRIN Verlag, Munich 2018, ISBN 978-3-668-80088-5.
Web links
- RFC 2459 (Internet X.509 Public Key Infrastructure Certificate and CRL Profile, obsoleted by RFC 3280)
- RFC 3280 (Internet X.509 Public Key Infrastructure, Certificate and CRL Profile, updated by RFC 4325 and RFC 4630, obsoleted by RFC 5280)
- RFC 5280 (Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile)
Individual evidence
- ISO/IEC 9594-8:2017. Retrieved July 3, 2019.