HP Secure Web Server Documentation
SSL User Guide
Chapter 5: Understanding Certificates
This chapter explains the fundamentals of certificate contents. The
next chapter shows you how to use HP Secure Web
Server's OpenSSL Certificate Tool, a
simple interface for working with certificates. The final chapter gives you the how-to
information you'll need to put certificates in action on your server and in your
organization.
Topics
- Distinguished names
- A typical certificate
- Types of certificates
The anatomy of a certificate
SSL certificates can be used to authenticate servers or
clients. The contents of most certificates are organized according to the X.509 V3
certificate specification, as recommended by the International Telecommunication Union
(ITU).
Distinguished names
A digital certificate binds a distinguished name (DN)
to a public key. 
Distinguished names provide an identity in a specific context.
Distinguished names are defined by the X.509 standard [X509], which defines
the fields, field names, and abbreviations used to refer to the fields.
A DN is actually a series of names that uniquely
identifies the certificate subject. The subject of a server certificate is
identified by country, state, city, organization, unit, and server name.
DNs may include a variety of other name-value pairs. They
are used to identify both certificate subjects and entries in directories that support
LDAP (Lightweight Directory Access Protocol).
| Distinguished Name Field | Abbreviation | Description | Example |
|---|---|---|---|
| Country | C | Name is located in this Country (ISO code) | US |
| State/Province | ST | Name is located in this State/Province | Illinois |
| City/Locality | L | Name is located in this City | Metropolis |
| Organization or Company | O | Name is associated with this organization | XYZ Corp. |
| Organizational Unit | OU | Name is associated with this organization unit, such as a department | Research Dept. |
| Common Name | CN | Name being certified | TEST.RES.XYZ.COM |
A typical certificate
Every X.509 certificate consists of two sections:
- The data section includes the following information:
  - The version number of the X.509 standard supported by the certificate.
  - The certificate's serial number. Every certificate issued by a CA has a serial number that is unique to the certificates issued by that CA.
  - Information about the user's public key, including the algorithm used and a representation of the key itself.
  - The DN of the CA that issued the certificate.
  - The period during which the certificate is valid (for example, between 1:00 p.m. on January 1, 2000 and 1:00 p.m. December 31, 2000).
  - The DN of the certificate subject (for example, in a client SSL certificate this would be the user's DN), also called the subject name.
  - Optional certificate extensions, which may provide additional data used by the client or server. For example, the certificate type extension indicates the type of certificate - that is, whether it is a client SSL certificate, a server SSL certificate, a certificate for signing email, and so on. Certificate extensions can also be used for a variety of other purposes.
- The signature section includes:
  - The cryptographic algorithm, or cipher, used by the issuing certificate authority (CA) to create its own digital signature.
  - The CA's digital signature, obtained by hashing all of the data in the certificate together and encrypting the resulting hash with the CA's private key.
Types of certificates
Working with SSL certificates in a web server environment involves three types of
certificates.
Server certificates
These identify servers to clients via SSL-based server authentication. You can use
server authentication with or without client authentication. However, server
authentication is a requirement for an encrypted SSL session.
Example: E-commerce sites usually support
certificate-based server authentication to encrypt personal information, so that credit
card numbers, for example, cannot easily be intercepted.
With CSWS's Certificate Tool: You can create a certificate
request (Option 3) and then self-sign it (Option 4). Or, in a production environment, you
can have it signed by a trusted certificate authority.
Client certificates
These identify clients to servers using SSL-based client authentication. Typically, the
identity of the client is assumed to be the same as the identity of a human being, such as
an employee in an enterprise.
Example: A corporate intranet might give a new
employee a client SSL certificate that allows the company's servers to identify that
employee and authorize access to the company's servers.
With CSWS's Certificate Tool: You can create a client
certificate request (using the same option as for a server certificate request) and then
sign the request (Option 6) using your own CA
certificate.
CA certificates
These identify certificate authorities. They can be trusted root or intermediate
certificates. Client browsers and web servers use CA certificates to determine what
other certificates can be trusted.
Example: The CA certificates stored in your
web browser (either Internet Explorer or Netscape Navigator) determine what other
certificates that browser can authenticate without warning the user that a site has an
untrusted certificate.
With CSWS's Certificate Tool: You can create a certificate
authority (CA) certificate using Option 5.
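
The certificate types and fields described in this chapter can be reproduced with the stock `openssl` command line. This is an added example, not part of HP's documentation and not the Certificate Tool's menu options; the CA name, the serial number and the file names are constructed, and the server DN is the one from the table above.

```shell
#!/bin/sh
# Added example: the CA name, serial number and file names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

CA_DN="/C=US/O=XYZ Corp./CN=XYZ Example Root CA"   # hypothetical CA name
SERVER_DN="/C=US/ST=Illinois/L=Metropolis/O=XYZ Corp./OU=Research Dept./CN=TEST.RES.XYZ.COM"

# CA certificate: self-signed, so its issuer DN equals its subject DN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "$CA_DN" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Server certificate: a request carrying the subject DN and public key,
# signed with the CA's private key. Serial 4097 is printed as hex 1001.
make_server() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$SERVER_DN" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -set_serial 4097 -sha256 -days 30 \
    -out "$WORK/server.crt" >/dev/null 2>&1
}

# Print one field of the data section: subject, issuer, serial or dates.
cert_field() {
  openssl x509 -in "$1" -noout -nameopt RFC2253 "-$2" | sed 's/^[^=]*= *//'
}

# Signature section: the algorithm the issuer used to sign the certificate.
sig_alg() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeeds only if certificate $2 chains to the CA certificate $1.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

make_ca
make_server
for f in ca server; do
  echo "== $f.crt"
  echo "subject: $(cert_field "$WORK/$f.crt" subject)"
  echo "issuer:  $(cert_field "$WORK/$f.crt" issuer)"
  echo "serial:  $(cert_field "$WORK/$f.crt" serial)"
  echo "sigalg:  $(sig_alg "$WORK/$f.crt")"
done
chains_to "$WORK/ca.crt" "$WORK/server.crt" && echo "server.crt verifies against ca.crt"
```

The RFC2253 name option prints the DN most-specific field first, so the server subject starts with CN and ends with C.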
Recommended reading:
- Introduction to SSL concepts
- Encryption and Digital Certificates
- Managing certificates