In this small entry we will try to introduce ourselves in the world of digital certificates, a process that can be complex but once its operation is understood it becomes much easier to understand and its use becomes indispensable in the encryption of communications. All electronic communication to be considered minimally secure must be encrypted and in this sense have much to say digital certificates, let’s start.
A digital certificate or electronic certificate is a computer file electronically signed by a certification service provider, considered by other entities as an authority for this type of content, which links some signature verification data to a signer, so that it can only Sign this signer, and confirm your identity. It has a data structure that contains information about the entity (for example a public key, an identity or a set of privileges). The signature of the data structure groups the information it contains so that it can not be modified without this modification being detected.1
A public key certificate is a relationship between the public key of an identity and one or more attributes of that identity. The certificate guarantees that the public key belongs to that associated identity and therefore that it has the private key. These public key certificates are commonly known as digital certificates or simply certificates, and are only useful when there is a Certifying Authority (CA) that validates them, since they alone can not guarantee that their identity is the one that is advertised in the certificate. and it should not be accepted as valid.
For the exchange of these certificates the standard X.509 is used, it was published for the first time in 1988. There are different versions, starting with v1 and arriving at the current v3 they were adding extensions with additional fields. The elements of the x509 v3 format published in 1996 are the following:
- Version. The version field contains the version number of the encrypted certificate. The acceptable values are 1, 2 and 3.
- Serial number of the certificate. This field is an integer assigned by the certifying authority. Each certificate issued by a CA must have a unique serial number.
- Identifier of the signature algorithm. This field identifies the algorithm used to sign the certificate (such as the RSA or the DSA).
- Name of the issuer. This field identifies the CA that has signed and issued the certificate.
- Period of validity. This field indicates the period of time during which the certificate is valid and the CA is required to maintain information on the status of the certificate. The field consists of an initial date, the date on which the certificate begins to be valid and the date after which the certificate ceases to be valid.
- Name of the subject. This field identifies the identity whose public key is certified in the following field. The name must be unique for each entity certified by a given CA, although it can issue more than one certificate with the same name if it is for the same entity.
- Public key information of the subject. This field contains the public key, its parameters and the identifier of the algorithm with which the key is used.
- Unique identifier of the issuer. This is an optional field that allows you to reuse sender names.
- Unique identifier of the subject. This is an optional field that allows you to reuse subject names.
- X.509 v3 extensions provide a way to add additional information to the certificate
In following entries we will see how to handle certificates with OpenSSL.