PKI Certificate Tutorials - Herong's Tutorial Examples

∟Introduction of PKI Certificate

∟End Entity Certificate Example

This section provides an end entity certificate example and explanations of its data fileds.

Now, let's look at an end entity certificate that identifies the Web server stackoverflow.com/.

Here is the "stackoverflow.com" certificate in PEM format.

-----BEGIN CERTIFICATE-----
MIIDljCCAx2gAwIBAgISA+fVeTf3T+E+f5UOxMN1qBbbMAoGCCqGSM49BAMDMDIx
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
MTAeFw0yNDA1MTEyMDE0MzNaFw0yNDA4MDkyMDE0MzJaMBwxGjAYBgNVBAMTEXN0
YWNrb3ZlcmZsb3cuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEW6SLDfR9
YLyhQWzoSDVNP4fFSX9pAfby/yPryqv/LSDioddyvLqx0snCuRokgrTDzhsAvt3Q
LzftPVJvB/oYsqOCAicwggIjMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggr
BgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUVEAvTKwc
03K7+2/KTRRXZGxnZbkwHwYDVR0jBBgwFoAUWvPtK/w2wjd5uVIw6lRvz1XLLqww
VQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vZTEuby5sZW5jci5v
cmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9lMS5pLmxlbmNyLm9yZy8wMQYDVR0RBCow
KIITKi5zdGFja292ZXJmbG93LmNvbYIRc3RhY2tvdmVyZmxvdy5jb20wEwYDVR0g
BAwwCjAIBgZngQwBAgEwggEDBgorBgEEAdZ5AgQCBIH0BIHxAO8AdgA/F0tP1yJH
WJQdZRyEvg0S7ZA3fx+FauvBvyiF7PhkbgAAAY9pgezTAAAEAwBHMEUCIQCo4PRz
yOJG8UcyoZ90QdsTA+ErnfIwmx6C+LAM2pZuLwIgBetOc8Ao/PbTgao7dtO7/dn9
YNtuufbYHxgsN2n6At0AdQDf4VbrqgWvtZwPhnGNqMAyTq5W2W6n9aVqAdHBO75S
XAAAAY9pge2nAAAEAwBGMEQCIEOtd5byNivMX6Hi9I5anKoNdbwTbPCYBJzlDaJH
c6RQAiB/N7YJrTvz9vKcTQAQouLfA6PuWlDuQ49TQLR1LMNhwzAKBggqhkjOPQQD
AwNnADBkAjATGfCfiNbp5YiC533YzqXFDD3knBoJ3X4yOzqQrSOYZIpF1BJYLIMx
Ij0PRKKw26ICMHharu7KExMBJovGYTeANXklAADLx6IC29F0+QZKKm3Rd5vaOka1
Xww7RxbUkWmPcg==
-----END CERTIFICATE-----

Here are data fields of the certificate printed out by the OpenSSL tool:

Data:
  Version: 3 (0x2)
  Serial Number:
    03:e7:d5:79:37:f7:4f:e1:3e:7f:95:0e:c4:c3:75:a8:16:db
  Signature Algorithm: ecdsa-with-SHA384
  Issuer: C=US, O=Let's Encrypt, CN=E1
  Validity
    Not Before: May 11 20:14:33 2024 GMT
    Not After : Aug  9 20:14:32 2024 GMT
  Subject: CN=stackoverflow.com
  Subject Public Key Info:
    Public Key Algorithm: id-ecPublicKey
    EC Public Key:
      pub:
        04:5b:a4:8b:0d:f4:7d:60:bc:a1:41:6c:e8:48:35:
        4d:3f:87:c5:49:7f:69:01:f6:f2:ff:23:eb:ca:ab:
        ff:2d:20:e2:a1:d7:72:bc:ba:b1:d2:c9:c2:b9:1a:
        24:82:b4:c3:ce:1b:00:be:dd:d0:2f:37:ed:3d:52:
        6f:07:fa:18:b2
      ASN1 OID: prime256v1
  X509v3 extensions:
    X509v3 Key Usage: critical
      Digital Signature
    X509v3 Extended Key Usage:
      TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Basic Constraints: critical
      CA:FALSE
    X509v3 Subject Key Identifier:
      54:40:2F:4C:AC:1C:D3:72:BB:FB:6F:CA:4D:14:57:64:6C:67:65:B9
    X509v3 Authority Key Identifier:
      keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC
    Authority Information Access:
      OCSP - URI:http://e1.o.lencr.org
      CA Issuers - URI:http://e1.i.lencr.org/
    X509v3 Subject Alternative Name:
      DNS:*.stackoverflow.com, DNS:stackoverflow.com
    X509v3 Certificate Policies:
      Policy: 2.23.140.1.2.1
    1.3.6.1.4.1.11129.2.4.2:
      ...
    Signature Algorithm: ecdsa-with-SHA384
      30:64:02:30:13:19:f0:9f:88:d6:e9:e5:88:82:e7:7d:d8:ce:
      a5:c5:0c:3d:e4:9c:1a:09:dd:7e:32:3b:3a:90:ad:23:98:64:
      8a:45:d4:12:58:2c:83:31:22:3d:0f:44:a2:b0:db:a2:02:30:
      78:5a:ae:ee:ca:13:13:01:26:8b:c6:61:37:80:35:79:25:00:
      00:cb:c7:a2:02:db:d1:74:f9:06:4a:2a:6d:d1:77:9b:da:3a:
      46:b5:5f:0c:3b:47:16:d4:91:69:8f:72

Comparing with CA certificates, I see the following differences in this end entity certificate:

"Subject: CN=stackoverflow.com" - The CN attribute of the Subject Name of a Web server certificate should specify the server host name.

"X509v3 Extended Key Usage: ..." - This X.509 extension field of a Web server certificate should specify "TLS Web Server Authentication" and "TLS Web Client Authentication".

"X509v3 Basic Constraints: critical: ..." - This X.509 extension field of a Web server certificate should specify "CA:FALSE" to indicate this is not a CA certificate.

"X509v3 Subject Alternative Name: ..." - This X.509 extension field of a Web server certificate should specify one or more server host names.

Table of Contents

 About This Book

 Introduction of PKI (Public Key Infrastructure)

►Introduction of PKI Certificate

 PKI Certificate File Formats

 OpenSSL - Cryptography Toolkit

 "openssl ca" - CA (Certificate Authority) Tool

 Java "keytool" Commands and KeyStore Files

 PKI Certificate Store

 PKCS12 Certificate Bundle File

 PKCS7 Certificate Chain File

 PKI Certificate Related Terminology

 References

 Full Version in PDF/EPUB

End Entity Certificate Example - Updated in 2024, by Herong Yang