SSL is a network protocol that allows for secure communication between two parties. This section provides some information on certificates used in SSL
Applicable CAST Products
See the sections below for information on Certificates:
- What is a Certificate?
- Types of Certificates
- Certificate Format
- Certificate Authority
- Self-Signed Certificate
- Certificate Chain
What is a Certificate?
- Information that is required to allow for 2 parties to have a secure connection. The underlying protocol is using Secure Sockets Layer (SSL).
- Certificates are generally issued by Certificate Authorities.
- The Certificate contains information about:
- the dates the certificate can be used
- the issuing authority
- public key information
- Fingerprints (to confirm validity)
For further information, please see: https://en.wikipedia.org/wiki/Public_key_certificate
Types of Certificates
- An initial request into a certificate authority can be done by a Certificate Signing Request (CSR). This normally is just a public key that is generated as part of the certificate request process. CSRs by themselves cannot be used
- An application is normally given a base certificate in order to validate network traffic to this application.
- Intermediate certificates link base certificates to a root certificate. Intermediate certificates may come from certificate authority or a specific organization.
- Root certificates are the end point in resolution and the certificate chain. They are issued by a certificate authority
A Certificate by itself can be in a *.CSR, *.crt, or *.pem format. These are basic formats which just contain the certificate itself.
These certificate formats often also require a private key when configuring for use by an application, so that you have a certificate and a key pair when configuring this for an application.
There are formats of keys which have both the key and certificate information combined. These are generally *.pfx, or *.p12 or *.p7 keys. These have an associated passphrase for security.
- An organization that monitors and issues certificates to enable the safe and secure connection.
- Issues root certificates and possibly intermediate certificates to allow for certificate resolution.
For further information, please see: https://en.wikipedia.org/wiki/Certificate_authority
- A certificate which did not come from a certificate authority, but is verified to be true by the user themselves.
- Generally, not safe and not to be used, but could be used for some limited testing
For further information, please see: https://en.wikipedia.org/wiki/Self-signed_certificate
- The process of validating a certificate requires that the base certificate, intermediate certificate(s), and root certificate all align to form a certificate chain (or chain of trust) for certificate resolution to ensure the validity of the certificate.
For further information, please see: https://en.wikipedia.org/wiki/Chain_of_trust