What a Certificate Contains
Programs send X.509 certificates to prove that their identity is bound to a public key. This lets other programs encrypt messages knowing that only the subject of the certificate can decrypt those messages.
The contents of an X.509 certificate are as follows:
- Certificate data—The most important certificate data fields are as follows:
  - The public identifier of the certificate subject (for example, a web address)
  - The period (start and end dates) for which the certificate is valid
  - Name of the Certificate Authority (CA) certifying the certificate—If the signature is valid, the reader of the certificate can be sure that the CA has confirmed that the public key belongs to the subject. This means that readers who trust the CA can trust that data encrypted with the public key can only be read by the subject.
- The subject's public key—The reader of the certificate uses the public key to encrypt data to send to the certificate subject.
- A digital signature—The digital signature is a hash of all the other data in the certificate, signed with the CA's private key. (Note the contrast to the encryption case, in which the sender encrypts data with a public key.) Anyone with access to the CA's public key can verify the signature against the other data in the certificate. If any of the text in the certificate has been changed, the signature will no longer match the certificate text.
Associated with the certificate, but kept separate and secure, is the subject's private key. The subject uses the private key to decrypt messages that programs have encrypted with the public key.
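The following is an added example, not code from the original guide: it uses Go's standard crypto/x509 package to issue a CA certificate and a server certificate, read back the fields listed above, verify the CA's signature with the CA's public key, and show that changing a single byte of the signed certificate data makes that verification fail. Names, serial numbers and dates are constructed for the example and identify nothing real.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must stops the example on the first error instead of carrying nil certificates forward.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// IssueCerts builds a CA certificate and a server certificate signed with the CA's private key (constructed names).
func IssueCerts() (ca, leaf *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// Subject identifier, validity period and the subject's public key are the data the CA signs.
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.test"},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0)}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	return ca, leaf
}

// SignatureValid reports whether the CA's public key verifies the signature over the certificate data.
func SignatureValid(leaf, ca *x509.Certificate) bool { return leaf.CheckSignatureFrom(ca) == nil }

// Tamper changes one byte of the subject name in the DER bytes; the length is unchanged, so it still parses.
func Tamper(leaf *x509.Certificate) *x509.Certificate {
	raw := append([]byte(nil), leaf.Raw...)
	raw[bytes.Index(raw, []byte("www.example.test"))] = 'x' // "www.example.test" becomes "xww.example.test"
	return must(x509.ParseCertificate(raw))
}

func main() {
	ca, leaf := IssueCerts()
	fmt.Println("subject:", leaf.Subject.CommonName, "| issuer:", leaf.Issuer.CommonName, "| valid:", leaf.NotBefore, "to", leaf.NotAfter)
	fmt.Println("signature valid:", SignatureValid(leaf, ca), "| after editing the subject:", SignatureValid(Tamper(leaf), ca))
}
```

The edited certificate still parses, since only the value of a field changed, but the hash the CA signed no longer matches the certificate data.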
Copyright © 2013 CA Technologies.
All rights reserved.