X.509 is a standard defining the format of public key certificates. An X.509 certificate is a digital certificate that uses the widely accepted international X.509 public key infrastructure (PKI) standard to verify that a public key belongs to the hostname/domain, organization, or individual contained within the certificate. The X.509 certificate is either signed by a publicly trusted Certificate Authority (Like DigiCert, Sectigo, GlobalSign, etc.) or self-signed. When a certificate is signed by a trusted certificate authority, or validated by other means, someone holding that certificate can rely on the public key it contains to establish secure communications with another party or validate documents digitally signed by the corresponding private key. When a certificate is self-signed, it will not be trusted for public-facing applications and is mainly used to encrypt and authenticate data within an organization’s network.
Every certificate has two keys, a private key and a public key, and the two are known as an exchange key pair. In brief, the private key is known only to the owner of the certificate while the public key is readable from the certificate. Either key can be used to encrypt or decrypt a digest, hash, or other keys, but only as contrary operations. For example, if the client encrypts with the public key, only the site can decrypt the message using the private key. Similarly, if the site encrypts with the private key, the client can decrypt with the public key. This provides assurance to the client that the messages are being exchanged only with the possessor of the private key because only messages encrypted with the private key can be decrypted with the public key. The site is assured that it is exchanging messages with a client that has encrypted using the public key.
X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS. SSL and TLS are both network protocols that allow data to be transferred privately and securely between a web server and a web browser.
With SSL/TLS being the majority use case of X.509 certificate use cases, we’ll clarify the difference between SSL and TLS.
Secure Sockets Layer (SSL) is the predecessor to TLS
SSL is a cryptographic protocol designed to secure network communications. Netscape introduced SSLv2.0 in 1995, and after vulnerabilities were discovered, SSLv3.0 was created. In 1999 TLS v1.0 was introduced after SSLv3 was considered insecure due to the POODLE attack. The POODLE attack exploiting SSLv3 in 1999 created the introduction of TLS v1.0. Some applications, such as browsers, are compatible with some of the SSL protocol versions, although SSL has been phased out in favor of the better TLS security.
Transport Layer Security (TLS) is the CURRENT encryption standard
Like SSL, TLS is a cryptographic protocol used by websites to secure communications between their servers and web browsers. TLS replaced the older SSL protocol as the encryption standard protocol. This change was made mostly to avoid legal issues with the Netscape company, creator of SSL, so that the protocol could be developed as an open standard, free for all. TLS v1.3 is the current default standard protocol.
SSL/TLS Certificates are X.509 certificates
SSL/TLS Certificates are X.509 certificates with Extended Key Usage: Server Authentication (22.214.171.124.126.96.36.199.1). Other common usage types of X.509 certificates are Client Authentication (188.8.131.52.184.108.40.206.2), Code Signing (220.127.116.11.18.104.22.168.3), and a handful of others are used for various encryption and authentication schemes.
X.509 is a standard that defines the structure of the certificate. It defines the data fields that should be included in the SSL certificate. X.509 uses a formal language called Abstract Syntax Notation One (ASN.1) to express the certificate's data structure.
There are different formats of X.509 certificates such as PEM, DER, PKCS#7 and PKCS#12. PEM and PKCS#7 formats use Base64 ASCII encoding while DER and PKCS#12 use binary encoding. The certificate files have different extensions based on the format and encoding they use.
The following figure illustrates the X.509 Certificate's encoding formats and file extensions.
Most CAs (Certificate Authority) provide certificates in PEM format in Base64 ASCII encoded files. The certificate file types can be .pem, .crt, .cer, or .key. The .pem file can include the server certificate, the intermediate certificate and the private key in a single file. The server certificate and intermediate certificate can also be in a separate .crt or .cer file. The private key can be in a .key file.
PEM files use ASCII encoding, so you can open them in any text editor such as notepad, MS word etc. Each certificate in the PEM file is contained between the ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE---- statements. The private key is contained between the ---- BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- statements. The CSR is contained between the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- statements.
The PKCS#7 format is a Cryptographic Message Syntax Standard. The PKCS#7 certificate uses Base64 ASCII encoding with file extension .p7b or .p7c. Only certificates can be stored in this format, not private keys. The P7B certificates are contained between the "-----BEGIN PKCS7-----" and "-----END PKCS7-----" statements.
The DER certificates are in binary form, contained in .der or .cer files. These certificates are mainly used in Java-based web servers.
The PKCS#12 certificates are in binary form, contained in .pfx or .p12 files.
The PKCS#12 can store the server certificate, the intermediate certificate and the private key in a single .pfx file with password protection. These certificates are mainly used on the Windows platform.
As SSL/TLS certificates enable encryption, they are integral to Hyper Text Transfer Protocol Secure(HTTPS), a protocol that encrypts all communication exchanged between a website and your browser.
© 2021 Digcode.com