Meaning and Function of Certificates

Introduction

Certificates, also known as public-key certificates (PKC), contain personal information such as user name, organization, email, the user's public key, and the digital signature of a certification authority or certifying authority (CA). You can think of a certificate as a personal identity card, with the public key serving as the card number, identifying which individual it represents. A CA is like a police station that issues the card. It can be an international organization, government entity, for-profit company, or general individual.

Certificate generation

  1. User A generates a private-public key pair locally using an asymmetric encryption algorithm.

  2. User A submits the locally generated public key and certificate information file to a CA for digital signing and certificate generation.

  3. The CA generates a private-public key pair locally, which is the ca.key mentioned in a later example. The CA uses its private key to digitally sign User A's public key and issues the certificate.

  4. User B obtains the CA's public key, which is publicly available, and uses it to verify the legitimacy of the digital signature in User A's certificate. If the verification is successful, it is confirmed that the public key in User A's certificate belongs to User A.

  5. To send data to User A, User B only needs to encrypt the data using the public key in User A's certificate and send it. User A then decrypts the data with its own private key.

So far, we have covered the generation of User A's certificate and the data communication process between User A and User B. However, it only involves one-way authentication of TLS certificate – User A is like the server side, User B is like the client side, and this process can be considered as the client's verification of the server's certificate. A similar process is followed for the server's verification of the client's certificate.

Certificate function

As indicated by the above certificate generation process, certificates are a means to verify the legitimacy of the peer device. Only when it is legitimate can the transmitted data be secured without the risk of being leaked.

Certificate standard

Certificates adopt the common format X.509. All certificates comply with the ITU-T X.509 international standard. The structure of X.509 certificates is described and encoded using Abstract Syntax Notation One (ASN1).

A certificate typically consists of the following fields:

  • Version Number: the version number of the specification. The current version is 3, corresponding to the value 0x2.

  • Serial Number: the unique serial number maintained by the CA and assigned to each certificate for tracking and revocation. The maximum size is 20 bytes.

  • Signature Algorithm: the algorithm used for digital signatures.

  • Validity: the validity period of the certificate, including start and end dates.

  • Subject: the identifier information of the certificate holder, namely the personal information mentioned above.

  • Subject Public Key Info: protected information related to the public key, including the public key algorithm and subject unique identifier.

Certificate format

Privacy Enhanced Mail (PEM) is a common format for X.509 certificates. PEM files are usually seen with the extensions .crt or .cer (for certificates), .key (for private keys), and .csr (for certificate signing request).

The PEM file is a text file that usually contains headers, footers, and the content blocks encoded in Base64.