Digital Certificate — Certificate fields, formats, CSR, Revocation & OCSP

Part 2 of a four-part series about digital certificates
X.509 encoding formats
.crt file opened in a text editor
.crt file opened in a Windows utility — the GIF shows the various sections of the certificate
A high-level overview of the certificate signing request
  1. The applicant generates a pair of public and private keys.
  2. The applicant sends their identity details (name, email, organization, location, etc.) and public key as part of the CSR to a registration authority.
  3. The RA (registration authority) acts as a broker — it may verify the user's request and forward it to an intermediate CA as appropriate.
  4. The CA may conduct more stringent checks (depending on the type of certificate requested) to verify the user's identity and intended usage. If the CA finds everything in order, it signs the certificate with its digital signature and issues the certificate to the applicant.
  • Public Key — the public key shared with everyone as part of the certificate
  • Email Address — of the contact at the subject's organization
  • Common Name (CN) — represents the server name protected by the SSL certificate, e.g., mail.domain.com, *.domain.com, www.domain.com, buy.domain.net, etc.
  • Subject Alternative Name (SAN) — for requesting multi-domain certificates or listing sub-domains in the certificate, e.g., www.domain1.com, www.domain2.com, www.domain3.net, etc.
  • Organization (O)
  • Organizational Unit (OU) — name of the department or organizational unit making the request
  • City, State, Country
Required fields in a typical certificate
  1. The serial number is the unique ID that helps the CA identify the certificate.
  2. Signature algorithm and the hash function used by the CA to sign the certificate
  3. Issuer identifies the CA issuing the certificate, with details like CN, O, OU, C, etc.
  4. Valid from/to gives the start/end dates between which the certificate is valid and the application can trust it.
  5. Subject is the end-entity for which the certificate is issued. Generally, the CN (Common Name) goes here, but it can carry more details.
  6. Public key and key exchange algorithm of the certificate
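The encoding formats and the required fields above can be seen concretely by building and decoding the ASN.1 structure a certificate is stored in. The following is an added example, not code from the article: a toy DER encoder/decoder that assembles a constructed sample Certificate (serial, signature algorithm, issuer, validity, subject, public-key algorithm; the key and signature are zero-filled placeholders, so it is not a real certificate), wraps it in PEM, and reads the required fields back out. It handles the EXPLICIT version field and long-form lengths, so `summarize` also works on a real DER certificate; the OID byte strings are the standard encodings of sha256WithRSAEncryption, rsaEncryption and commonName.

```python
import base64
OID = {"sha256WithRSA": bytes.fromhex("2a864886f70d01010b"),   # 1.2.840.113549.1.1.11
       "rsaEncryption": bytes.fromhex("2a864886f70d010101"),   # 1.2.840.113549.1.1.1
       "CN": bytes.fromhex("550403")}                          # 2.5.4.3 (commonName)
def der(tag, content):                  # one DER TLV, definite length (content <= 65535 bytes)
    n = len(content)
    ln = bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + content
def seq(*items): return der(0x30, b"".join(items))
def name(cn):  # Name ::= SEQUENCE OF (SET OF SEQUENCE { type OID, value UTF8String })
    return seq(der(0x31, seq(der(0x06, OID["CN"]), der(0x0C, cn.encode()))))
def tlv(buf, pos=0):                    # decode one TLV -> (tag, value, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long form: low 7 bits give the number of length octets
        k = ln & 0x7F; ln = int.from_bytes(buf[pos:pos + k], "big"); pos += k
    return tag, buf[pos:pos + ln], pos + ln
def children(content):                  # all TLVs directly inside a constructed value
    out, pos = [], 0
    while pos < len(content): tag, val, pos = tlv(content, pos); out.append((tag, val))
    return out
def oid_str(b):                         # OID content octets -> dotted notation
    parts, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80: parts.append(v); v = 0
    return ".".join(map(str, parts))
def cn_of(name_der):                    # value of the first attribute of the first RDN
    rdn = children(children(name_der)[0][1])[0][1]
    return children(rdn)[1][1].decode()
def pem_to_der(pem):                    # PEM is just base64(DER) between BEGIN/END lines
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
def summarize(cert_der):                # extract the required fields of the TBSCertificate
    tbs, _sig_alg, _sig = children(tlv(cert_der)[1])   # Certificate ::= SEQUENCE {tbs, alg, sig}
    f = children(tbs[1])
    if f[0][0] == 0xA0: f = f[1:]       # skip the EXPLICIT [0] version field when present
    nb, na = (v.decode() for _, v in children(f[3][1]))   # UTCTime "YYMMDDHHMMSSZ"
    return {"serial": int.from_bytes(f[0][1], "big", signed=True),
            "sig_alg": oid_str(children(f[1][1])[0][1]), "issuer": cn_of(f[2][1]),
            "not_before": nb, "not_after": na, "subject": cn_of(f[4][1]),
            "key_alg": oid_str(children(children(f[5][1])[0][1])[0][1])}
# Constructed sample: the SubjectPublicKeyInfo key bits and the signature are zero placeholders
SAMPLE_DER = seq(seq(
    der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x0A\x1B"),         # version v3, serialNumber 2587
    seq(der(0x06, OID["sha256WithRSA"])),                          # signature algorithm
    name("Example Root CA"),                                       # issuer
    seq(der(0x17, b"240101000000Z"), der(0x17, b"250101000000Z")), # validity (not before / after)
    name("www.example.com"),                                       # subject
    seq(seq(der(0x06, OID["rsaEncryption"]), der(0x05, b"")), der(0x03, bytes(9)))),  # SPKI
    seq(der(0x06, OID["sha256WithRSA"])), der(0x03, bytes(9)))     # outer signatureAlgorithm, signature
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(SAMPLE_DER).decode()
```

Real PEM files wrap the base64 at 64 columns, which `pem_to_der` handles since it joins all non-marker lines.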
Extension fields in a typical certificate
  • Publish period — when the CRL was published (date/time)
  • Distribution point — where (at which locations) the CRL is published
  • Validity period — the period in which the CRL is considered authoritative. It is a bit longer than the publish period, e.g., the publishing period can be every 24 hours while the validity period is 25 hours.
  • Signature — the CRL is digitally signed by the CA
The web server sends both the certificate and the OCSP response in one request
OCSP vs OCSP Stapling
Deepak Singh
Sales Eng., Consultant, Solutions Architect, Analyst, Hobbyist Coder. 2 Masters — MBA Georgia Tech, MS Analytics. Interested in technology, business & strategy