What is a digital certificate?

Source: Internet
Author: User

You may be unfamiliar with the concept of a "digital certificate". A digital certificate is a set of data that identifies a network user. It is used to identify the parties in network communication; in other words, it answers the question "who am I" on the Internet, just as in real life each of us needs an ID card or driver's license to prove our identity or certain qualifications.
Digital certificates are issued by an authoritative and impartial third-party organization, namely the CA center. Encryption technology built around digital certificates can encrypt and decrypt information transmitted over the network and create and verify digital signatures. This ensures the confidentiality and integrity of information transmitted over the Internet, the authenticity of the identity of the transacting entity, and the non-repudiation of signed information, and thus the security of network applications.

Digital certificates use a public key cryptography system, that is, a pair of matching keys is used for encryption and decryption. Each user has a private key that only that user holds, which is used for decryption and signing. Each user also has a public key that can be made public, which is used for encryption and signature verification. When a confidential file is sent, the sender encrypts the data with the receiver's public key, and the receiver decrypts it with its own private key. In this way the information arrives at its destination safely and without error: even if a third party intercepts it, that party cannot decrypt it because it does not have the corresponding private key. The encryption process is mathematically irreversible, that is, only the private key can be used for decryption. Among public key cryptography systems, RSA is commonly used.

You can also process information with your own private key. Because only you hold that key, the result is a file that nobody else can generate, and this forms a digital signature. A digital signature confirms the following two points:
(1) the information was signed and sent by the signatory, who cannot deny it, or can do so only with difficulty;
(2) the information has not been modified since it was issued, and the issued document is genuine.

Digital certificates can be used for sending secure email, accessing secure sites, online securities, online bidding and procurement, online signing, online office, online payment, online tax, and other secure online electronic transactions.

The format of digital certificates generally follows the X.509 international standard. At present, digital certificate certification centers mainly issue secure email certificates, personal and enterprise identity certificates, server certificates, and code signing certificates.

The digital certificate format follows the ITU-T X.509 international standard. A standard X.509 digital certificate contains the following:

The version of the certificate;
The serial number of the certificate. Each certificate has a unique serial number;
The signature algorithm used by the certificate, such as the RSA algorithm;
The name of the certificate issuer (CA). The naming rules generally follow the X.500 format;
The validity period of the certificate. Certificates currently generally use the UTC time format, whose time range is from January 1, 1950 to January 1, 2049;
The name of the certificate owner. The naming rules generally follow the X.500 format;
The public key of the certificate owner;
The digital signature of the certificate authority (CA) on the certificate.
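
As an added illustration (not part of the original article), the Python sketch below shows how the CA's signature binds the fields listed above and how a relying party checks it. It uses textbook RSA without padding and short keys built from Mersenne primes, so it is a teaching toy only; the function names `make_key`, `digest`, `issue` and `verify`, the field names and all sample values are constructed assumptions, and real certificates are DER-encoded and use padded signatures.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_key(p, q):
    """Toy RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)

def digest(tbs, n):
    """SHA-256 over the to-be-signed fields in a fixed order, reduced mod n."""
    data = "|".join(f"{k}={tbs[k]}" for k in sorted(tbs)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(tbs, ca_private):
    """CA side: sign the certificate fields with the CA private key."""
    n, d = ca_private
    return {"tbs": dict(tbs), "signature": pow(digest(tbs, n), d, n)}

def verify(cert, ca_public, now):
    """Relying party: check the CA signature first, then the validity period."""
    n, e = ca_public
    tbs = cert["tbs"]
    if pow(cert["signature"], e, n) != digest(tbs, n):
        return "bad signature"
    if not tbs["not_before"] <= now <= tbs["not_after"]:
        return "outside validity period"
    return "ok"

# Constructed sample data: Mersenne primes keep the toy keys short.
CA_PUB, CA_PRIV = make_key(2**89 - 1, 2**107 - 1)
SUBJECT_PUB, _ = make_key(2**61 - 1, 2**127 - 1)
CERT = issue({
    "version": 3, "serial": 4097,
    "issuer": "CN=Example Toy CA", "subject": "CN=www.example.test",
    "not_before": "2024-01-01T00:00:00Z", "not_after": "2025-01-01T00:00:00Z",
    "subject_public_key": SUBJECT_PUB,
}, CA_PRIV)
# Same signature, one field changed after issuance.
ALTERED = {"tbs": {**CERT["tbs"], "subject": "CN=other.example.test"},
           "signature": CERT["signature"]}

if __name__ == "__main__":
    print(verify(CERT, CA_PUB, "2024-06-01T00:00:00Z"))
    print(verify(CERT, CA_PUB, "2026-01-01T00:00:00Z"))
    print(verify(ALTERED, CA_PUB, "2024-06-01T00:00:00Z"))
```

Checking the signature before reading any other field matters: the validity dates and subject name are only trustworthy once the CA's signature over them has been verified.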


X.509 digital certificate structure (third edition)

Version: the version ID of the certificate (for example, version 3)
Serial number: the unique integer that identifies the certificate
Signature: identifier of the algorithm used to sign the certificate
Distinguished name of the issuer
Validity period
Distinguished name of the certificate owner
Subject public key information: the public key of the certificate owner (and the algorithm identifier)
Unique identifier of the issuer: optional unique identifier of the issuer
Unique identifier of the subject: unique identifier of the subject
Extensions: optional extensions

Field description:
① Version - indicates the version of the certificate (version 1, version 2, or version 3).
② Serial number - the unique identifier of the certificate, assigned by the certificate issuer.
③ Signature - the signature algorithm identifier, which consists of object identifiers and related parameters. It describes the digital signature algorithm used in this certificate. For example, the object identifiers of SHA-1 and RSA indicate that the digital signature uses RSA to encrypt the SHA-1 hash.
④ Issuer - the distinguished name (DN) of the certificate issuer, which must be present.
⑤ Validity period - the period in which the certificate is valid. This field consists of "not before" and "not after", which are expressed in UTC time or generalized time (RFC 2459 gives the detailed time representation rules).
⑥ Subject - the distinguished name of the certificate owner. This field must be non-empty unless an alias is present in the certificate extensions.
⑦ Subject public key information - the public key of the subject (and the algorithm identifier), which must be present.
⑧ Unique identifier of the issuer - the unique identifier of the issuer of the certificate. Used only in version 2 and version 3. Optional.
⑨ Unique identifier of the subject - the unique identifier of the certificate owner. Used only in versions 2 and 3. Optional.
⑩ Extensions - optional standard and private extensions (used only in versions 2 and 3), including:
◆ Authority Key Identifier - the unique identifier of the key contained in the certificate, used to distinguish between multiple key pairs of the same certificate owner.
◆ Key Usage - a bit string that specifies (restricts) the functions or services that the public key in the certificate can perform, such as certificate signing and data encryption.
◆ Extended Key Usage - composed of one or more object identifiers (OIDs), which describe the special purposes of the certificate key. For Internet policy restrictions and access descriptor restrictions [3], see RFC 2459.
◆ CRL distribution point - specifies the distribution location of the CRL.
◆ Private Key usage period - specifies the validity period of the private key associated with the public key in the certificate. It also consists of "not before" and "not after". If this item does not exist, the validity period of the public and private keys is the same.
◆ Certificate policy - consists of object identifiers and qualifiers. These object identifiers indicate the policy under which the certificate is issued and used.
◆ Policy mapping - indicates the equivalence relationship between one or more policy object identifiers in two CA domains. It exists only in CA certificates.
◆ Subject alias - the alias of the certificate owner, such as an email address or IP address. The alias is bound to the DN.
◆ Issuer alias - the issuer's alias, such as an email address or IP address, but the issuer's DN must appear in the issuer field of the certificate.
◆ Subject directory attributes - a series of attributes of the certificate owner. You can use this item to pass access control information. S
