PKI concepts
Digital certificate
A digital certificate is an electronic form of identification that stores important information about an entity (such as a computer, program, or website). Certificates help secure digital transactions by enabling the end parties to validate each other's identity. Digital certificates are issued by a certificate authority (CA) and are composed of an encoded string of characters (usually stored in a file). For example:
-----BEGIN CERTIFICATE-----
MIIDsDCCApgCCQDJotuPPj9GCDANBgkqhkiG9w0BAQsAADCBqzELMAkGA1UEBh
VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNVBAcBM1JvY2tsaW4xDDAKBg
BAoMA0hQTjEVMBMGA1UECwwMSFBOUm9zZXZpbGxlMSokwAYDVQQDDCFocG5zdz
OTQucm9zZS5yZGxhYnMuaHBlY29ycC5uZXQxJDAiBgkhqkiG9w0BCQEWFWZyZW
YW4uaHVhbmdAaHBlLmNvbTAeFw0xODAxMTIyMzM2NTdawF0yMDExMDEyMzM2NT
MIGHMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEDAOBBNVBAcMB1JvY2tsaW
DDAKBgNVBAoMA0hQTjEVMBMGA1UECwwMSFBOUm9zXZZpbGxlMQ4wDAYDVQQDDA
NDAwWDEkMCIGCSqGSIb3DQEJARYVZnJlZW1hbi5odFWuZ0BocGUuY29tMIIBIj
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoM3vG/m4vTn8eg4AF/IrcthO1N
Nso6+QUF1+PRlylx5jO4u47wPqbkSvh5ooNnZts5OkUYVp5+xoHVy3uJIwPpbK
QvFbsiuBWSO973fOqS062y3fVND+YV0QuEOmbUbwA5vjccTCv5YSkfMXTj547W
y96hb4JabnKNYL8AubekvggvPPnWWqqk+1KutzghcGX9aCH1mr4buXFVZgKUGk
pVCccAM7H4tLtrESR+U+1vD6s5PJrEzdtpOqGntZxaiUISz4CbTjp7vovZiGVW
3S1eaT0kmGjkDdr+3dmgr1lHUrQ0Bq8DHTMww4X+XOcZf4Y6siG46O2DCQIDAQ
MA0GCSqGSIb3DQEBCwUAA4IBAQA59gOGA9kFYTklXw11zAW+BH5MoxML8B6vaA
n+1Itl5WjFNGW8mk4LC8MUunXQrtfJzmvx7AyU9QzPb/PtEWrQ9+GuzU1vsp1A
raB62AzTqtubEeMwS0jRWLg5ipAenwqmSf87TaLYeBWNYgZ4VDkBTeSHBLO9Zp
MioDy0096DvSMPsnOaI+jnZ3AozN8y+nLgotXUsg36pO/Ncc51oQhyUdcAbgA1
rzSLgyTnpXZKumvlaoTk3pzrIf7m5V103GTbgHGSFCzgO6QWxVxu9d7ju1o59S
aOIT7JSsYI5LsLpVz9ZqS599rj/lLoH+rLNlRDVXpS+J51
-----END CERTIFICATE-----
The switch can import PEM encoded ITU-T X.509 v3 certificates. (Certificates can be converted to human-readable form using a software decoder.)
An X.509 digital certificate typically includes the following information:
- Signature algorithm: The cryptographic algorithm used to generate the digital signature.
Signature value: Digital signature of the certificate generated using the CA's private key.
- Version number: X.509 version number.
Serial number: Certificate serial number.
Issuer name: Name of the certificate authority (CA) that issued the certificate.
Validity period: Beginning and ending dates.
Subject name: Name of the entity to which the certificate is issued.
Subject public key and key algorithm.
Key usage extension: Purpose of the certificate.
Certificate authority
A certificate authority (CA) is an entity that can issue and sign digital certificates. A CA can be a well-known, trusted commercial company, or a private entity controlled by your organization. For a commercial CA, the CA validates the credentials of a user before issuing a certificate and signing it, guaranteeing a certificate holder's identity. For a private CA, self-signed certificates can be generated as needed for devices on your network without paying a commercial company.
Root certificate
A root certificate is a self-signed certificate that is deemed the root of trust for a certificate chain. This is the certificate that identifies a CA, and is used by the CA to sign any certificates that it issues. When two peers attempt to establish a secure connection, they use the CA's public key to verify that each other's certificates were indeed signed by a trusted certificate authority.
Each root CA certificate has a unique fingerprint, which is the hash value of the certificate content. The fingerprint of a root CA certificate can be used to authenticate the validity of the root CA.
In a certificate chain, the root CA generates a self-signed certificate, and each lower level CA holds a CA certificate (intermediate certificate) issued by the CA immediately above it. The hierarchy of these certificates forms a chain of trust.
Trust anchor
This is the certificate that acts as the base of trust for the validation of other certificates. A trust anchor can be a root or intermediate certificate issued by a CA..
OCSP
The online certificate status protocol (OSCP) is a real-time method for determining the revocation status of a certificate. When two peers attempt to establish a secure connection, they can query an OSCP responder to determine the status (valid or revoked) of each other's certificates. The OSCP responder for a certificate is typically provided by a server managed by the CA that issued the certificate.
Leaf certificate
This is the certificate used by a software entity, such as a syslog client, to identify itself to a peer when establishing a secure connection.