PKI Certificate Tutorials - Herong's Tutorial Examples

∟Introduction of PKI Certificate

∟What Is PKI Certificate

This section describes what is PKI certificate and what are basic data fields included in a PKI certificate.

What Is PKI Certificate? A PKI Certificate is a document, digitally signed by a PKI Certificate Authority (CA), that certifies the identity of a given entity, e.g. Website and email address, and its public key. In other words, a certificate is used to prove the ownership of a public key.

From a cryptographic point of view, a PKI certificate only needs 4 basic data fields:

• Issuer - The CA who issued the certificate.
• Subject - The entity who owns the public key included in the certificate.
• Public Key - The public key owned by the "Subject".
• Signature - The digital signature generated by CA's private key. It proves that the "Subject" owns the "Public Key".

However, a PKI certificate is required to contain other data fields to provide better protection. For example:

• Validity - A period of time during which the certificate is assumed to be valid. Outside this period, the certificate should be considered as invalid.
• Key Usage - A list of codes representing usage areas where the public key is restricted to. Using the public key in other areas is considered as invalid.
• Authority Key Identifier - A fingerprint of CA's public key. It helps to retrieve the CA certificate that continas the CA's public key, which is needed to verify the Signature of the certificate.

Here is an example of a PKI certificate encoded in the Privacy Enhanced Mail (PEM) format:

-----BEGIN CERTIFICATE-----
MIIFNTCCBB2gAwIBAgIQFg7fsvIGgVNJC1rMIEGqBDANBgkqhkiG9w0BAQsFADCB
lzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxPTA7BgNV
BAMTNENPTU9ETyBSU0EgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1cmUg
RW1haWwgQ0EwHhcNMTgwOTEwMDAwMDAwWhcNMTkwOTEwMjM1OTU5WjAmMSQwIgYJ
KoZIhvcNAQkBFhVoZXJvbmdfeWFuZ0B5YWhvby5jb20wggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCbWhOmdmJedtYBBk3g/x+bGqqDZfKSDGEX7R19ZDMj
639yBaHyEMhothIkn+nydf9C26J8AGeaKgKVDcAluYaMQbRz6fa8ioVH1dKIaksx
dmwMtkS2CJG7APfoKQRtw38IMRRt3uYyYn+pQYmAiZMFBmfkIXzuDeYDnvB/1Yln
jMo08ZynJO8GjzdSKRas3WX6CrlAf487IyA82vVnIobvbxL+E8hzR98dQ7l0sC62
lIA2eGHeWdrmU0yXqRLi1GkI89UWLWmX3F2klHc9Ue3pFvoIV03UgPFW/1zNiXhC
2Lywa/jyHC6HZvPk/VB4Efgmxyqg3IYOoNzZzRUHd0yvAgMBAAGjggHrMIIB5zAf
BgNVHSMEGDAWgBSCr2yM+MX+lmF86B89K3FIXsSLwDAdBgNVHQ4EFgQUNzIPHDap
ZnKhB4EwTAeGHkT1eIgwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwIAYD
VR0lBBkwFwYIKwYBBQUHAwQGCysGAQQBsjEBAwUCMBEGCWCGSAGG+EIBAQQEAwIF
IDBGBgNVHSAEPzA9MDsGDCsGAQQBsjEBAgEBATArMCkGCCsGAQUFBwIBFh1odHRw
czovL3NlY3VyZS5jb21vZG8ubmV0L0NQUzBaBgNVHR8EUzBRME+gTaBLhklodHRw
Oi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9SU0FDbGllbnRBdXRoZW50aWNhdGlv
bmFuZFNlY3VyZUVtYWlsQ0EuY3JsMIGLBggrBgEFBQcBAQR/MH0wVQYIKwYBBQUH
MAKGSWh0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET1JTQUNsaWVudEF1dGhl
bnRpY2F0aW9uYW5kU2VjdXJlRW1haWxDQS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6
Ly9vY3NwLmNvbW9kb2NhLmNvbTAgBgNVHREEGTAXgRVoZXJvbmdfeWFuZ0B5YWhv
by5jb20wDQYJKoZIhvcNAQELBQADggEBAGhDBs1iq/qYLpVaH5tRCL/ntKH6xtGS
IkaFNU86R71S82yMAoP1uhp90e+nJaOpVkGl6NeEHDC6X1YOp7O6V37G+odoYCvX
ISZagR3x0RkIAyTPhTEkBFxxFhW8fEQzqUJEcN4NR92KUiJ20OBZW8p7dnm2l8M7
xGI1JNhbddIsaIrBKbGxmWPgbD9Vt24NTCw6qzcmJB6hhsJRsM+sycgkDptFROlx
b/2ykfnYqZ5rOjwn2ELZW/TbctgOd8nDGE3J1qrGCDENkOwdZWSUEeZC+ffwH1Vs
rqswdEyHMOYU0hdd763IQL34PZksdFl8OdXvCBCXfJsrzzOrwlk4xcs=
-----END CERTIFICATE-----

Here is the content of the above certificated decoded and printed out by the OpenSSL tool:

Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      16:0e:df:b2:f2:06:81:53:49:0b:5a:cc:20:41:aa:04
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited,
      CN=COMODO RSA Client Authentication and Secure Email CA
    Validity
      Not Before: Sep 10 00:00:00 2018 GMT
      Not After : Sep 10 23:59:59 2019 GMT
    Subject: emailAddress=herong_yang@yahoo.com
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
      RSA Public Key: (2048 bit)
        Modulus (2048 bit):
          00:9b:5a:13:a6:76:62:5e:76:d6:01:06:4d:e0:ff:
          1f:9b:1a:aa:83:65:f2:92:0c:61:17:ed:1d:7d:64:
          33:23:eb:7f:72:05:a1:f2:10:c8:68:b6:12:24:9f:
          ...
        Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Authority Key Identifier:
          keyid:
            82:AF:6C:8C:F8:C5:FE:96:61:7C:E8:1F:3D:2B:71:48:5E:C4:8B:C0
        X509v3 Subject Key Identifier:
          37:32:0F:1C:36:A9:66:72:A1:07:81:30:4C:07:86:1E:44:F5:78:88
        X509v3 Key Usage: critical
          Digital Signature, Key Encipherment
        X509v3 Basic Constraints: critical
          CA:FALSE
        X509v3 Extended Key Usage:
          E-mail Protection, 1.3.6.1.4.1.6449.1.3.5.2
        Netscape Cert Type:
          S/MIME
        X509v3 Certificate Policies:
          Policy: 1.3.6.1.4.1.6449.1.2.1.1.1
            CPS: https://secure.comodo.net/CPS
        X509v3 CRL Distribution Points:
          URI:http://crl.comodoca.com/COMODORSAClient...EmailCA.crl
        Authority Information Access:
          CA Issuers - URI:http://crt.comodoca.com/COMODORSA...CA.crt
          OCSP - URI:http://ocsp.comodoca.com
        X509v3 Subject Alternative Name:
           email:herong_yang@yahoo.com
  Signature Algorithm: sha256WithRSAEncryption
      68:43:06:cd:62:ab:fa:98:2e:95:5a:1f:9b:51:08:bf:e7:b4:
      a1:fa:c6:d1:92:22:46:85:35:4f:3a:47:bd:52:f3:6c:8c:02:
      83:f5:ba:1a:7d:d1:ef:a7:25:a3:a9:56:41:a5:e8:d7:84:1c:
      ...

From the printout, we can easily locate certificate basic data fields mentioned earlier.

Table of Contents

 About This Book

 Introduction of PKI (Public Key Infrastructure)

►Introduction of PKI Certificate

 PKI Certificate File Formats

 OpenSSL - Cryptography Toolkit

 "openssl ca" - CA (Certificate Authority) Tool

 Java "keytool" Commands and KeyStore Files

 PKI Certificate Store

 PKCS12 Certificate Bundle File

 PKCS7 Certificate Chain File

 PKI Certificate Related Terminology

 References

 Full Version in PDF/EPUB

What Is PKI Certificate - Updated in 2024, by Herong Yang