Describe the contents of a typical certificate.
Contents of a Certificate
The contents of certificates supported by Netscape and many other software
companies are organized according to the X.509 v3 certificate specification,
which has been recommended by the International Telecommunication Union
(ITU), an international standards body, since 1988.
Users don't usually need to be concerned about the exact contents of a certificate.
However, system administrators working with certificates may need some familiarity
with the information provided here.
Every X.509 certificate consists of two sections:
- a data section
- a signature section
The Data Section
The data section includes the following information:
- The version number of the X.509 standard supported by the certificate.
- The certificate's serial number. Every certificate issued by a certificate
authority (CA) has a serial number that is unique among the certificates
issued by that CA.
- Information about the user's public key, including the algorithm used and
a representation of the key itself.
- The Distinguished Name (DN) of the CA that issued the certificate.
- The period during which the certificate is valid (for example, between
1:00 p.m. on November 15, 1996 and 1:00 p.m. on November 15, 1997).
- The DN of the certificate subject (for example, in a client SSL certificate
this would be the user's DN), also called the subject name.
- Optional certificate extensions, which may provide additional data used
by the client or server. For example, the certificate type extension indicates
the type of certificate, that is, whether it is a client SSL certificate,
a server SSL certificate, a certificate for signing email, and so on. Certificate
extensions can also be used for a variety of other purposes.
The Signature Section
The signature section includes the following information:
- The cryptographic algorithm, or cipher, used by the issuing CA to create
its own digital signature.
- The CA's digital signature, obtained by hashing all of the data in the
certificate together and encrypting it with the CA's private key.
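As an added example (not part of the original documentation), the following Go program builds a constructed self-signed certificate, reads back the data-section fields listed above, and checks the signature section against the DER-encoded data section. The key, names, serial number and validity dates are sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSampleCert builds a constructed self-signed server certificate (sample data, not issued by any real CA).
func newSampleCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4711), // unique among this issuer's certificates
		Subject:      pkix.Name{CommonName: "www.example.test"},
		NotBefore:    time.Date(1996, 11, 15, 13, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(1997, 11, 15, 13, 0, 0, 0, time.UTC),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // certificate type: server SSL/TLS
	}
	// Self-signed: template doubles as parent, so issuer DN == subject DN and the subject's key signs.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifySignatureSection checks the signature section against the data section (RawTBSCertificate)
// using the issuer's public key; for a self-signed certificate that is the subject's own key.
func verifySignatureSection(c *x509.Certificate) error {
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature)
}

func main() {
	c, err := newSampleCert()
	if err != nil {
		panic(err)
	}
	// Data section: version, serial, key algorithm, issuer DN, validity, subject DN, extensions.
	fmt.Println("data section:", c.Version, c.SerialNumber, c.PublicKeyAlgorithm, c.Issuer,
		c.NotBefore.UTC(), "to", c.NotAfter.UTC(), c.Subject, "EKU:", c.ExtKeyUsage)
	// Signature section: the CA's signature algorithm and the signature over the data section.
	fmt.Println("signature section:", c.SignatureAlgorithm, "verifies:", verifySignatureSection(c) == nil)
}
```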