Digital certificate

As mentioned before, in the present context, digital signatures are supported by public key certificates. Public key certificates are data structures that bind an entity to a public key and that are signed by a third party; they provide proof of the authenticity of the public key.

The ITU-T X.509 Recommendation is a standard describing (among other things) such a data structure, and public key certificates structured as per the specifications provided in that standard are commonly referred to as “X.509 public key certificates”.

Furthermore, the IETF published RFC 5280 ([R22]), which specifies a profile for X.509 public key certificates (and certificate revocation lists). For the remainder of this document, X.509 public key certificates are assumed to be profiled as per RFC 5280.

Certificates can be end-entity certificates or CA certificates:

  • End-entity certificates are certificates issued to entities that are not authorized to issue certificates, for instance a natural person;

  • CA certificates are certificates issued to entities authorized to issue certificates, also known as Certification Authorities (CA).

Certificates have a defined validity period during which the CA having issued the certificate guarantees the correctness of its content. During that validity period, they may however be revoked or suspended, for instance when the entity to which the certificate has been issued has lost control of the corresponding private key.

A certificate contains among other things information on:

  • The entity to which the certificate has been issued, also referred to as the Subject;

  • The public key which is bound to the Subject;

  • The entity having issued the certificate (the CA), also referred to as the Issuer;

  • The validity period of the certificate;

  • The location where information on the revocation status of the certificate can be found;

  • Restrictions applying to the usage of the public key contained in the certificate;

  • A digital signature created by the issuer of the certificate.
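
The fields listed above can be read from a parsed certificate. The following Go program is an added example, not part of the original documentation: it builds a constructed test CA certificate and an end-entity certificate with the standard library's crypto/x509 package, reads back the listed fields and checks the issuer's signature. The names, the CRL URL, the key type and the helper functions issue and BuildChain are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with the issuer's key and parses the DER back into a certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildChain returns a constructed CA certificate and an end-entity certificate it issued.
func BuildChain() (ca, ee *x509.Certificate) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	eeKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(5, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed: Subject equals Issuer
	eeTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Alice Example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageContentCommitment, CRLDistributionPoints: []string{"http://crl.example.test/ca.crl"}}
	return ca, issue(eeTmpl, ca, &eeKey.PublicKey, caKey) // signed with the CA's private key
}

func main() {
	ca, ee := BuildChain()
	fmt.Println("Subject:", ee.Subject, "| Issuer:", ee.Issuer, "| Key:", ee.PublicKeyAlgorithm)
	fmt.Println("Validity:", ee.NotBefore, "to", ee.NotAfter, "| Revocation info:", ee.CRLDistributionPoints)
	fmt.Println("Key usage:", ee.KeyUsage, "| CA:", ee.IsCA, "| Signed by CA:", ee.CheckSignatureFrom(ca) == nil)
}
```

CheckSignatureFrom only confirms that the issuer's key produced the signature and that the issuer is a CA; the validity period and revocation status still have to be checked separately.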
