PKI concepts
Digital certificate
A digital certificate is an electronic form of identification that binds a public key to information about an entity (such as a computer, program, or website). Certificates help secure digital transactions by enabling the end parties to validate each other's identity: each side proves possession of the private key matching the public key in its certificate, and the certificate itself is vouched for by the certificate authority (CA) that signed it. Digital certificates are issued by a CA and are stored as an encoded string of characters (usually in a file). For example:
-----BEGIN CERTIFICATE----- MIIDsDCCApgCCQDJotuPPj9GCDANBgkqhkiG9w0BAQsAADCBqzELMAkGA1UEBh VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNVBAcBM1JvY2tsaW4xDDAKBg BAoMA0hQTjEVMBMGA1UECwwMSFBOUm9zZXZpbGxlMSokwAYDVQQDDCFocG5zdz ... MioDy0096DvSMPsnOaI+jnZ3AozN8y+nLgotXUsg36pO/Ncc51oQhyUdcAbgA1 rzSLgyTnpXZKumvlaoTk3pzrIf7m5V103GTbgHGSFCzgO6QWxVxu9d7ju1o59S aOIT7JSsYI5LsLpVz9ZqS599rj/lLoH+rLNlRDVXpS+J51 -----END CERTIFICATE-----
The switch can import PEM-encoded ITU-T X.509 v3 certificates. (The PEM text is a base64 wrapping of the DER-encoded certificate; it can be converted to human-readable form with a software decoder such as openssl x509 -text.)
An X.509 digital certificate typically includes the following information:
- Signature algorithm: The cryptographic algorithm used to generate the digital signature.
- Signature value: Digital signature of the certificate generated using the CA's private key.
- Version number: X.509 version number.
- Serial number: Certificate serial number.
- Issuer name: Name of the certificate authority (CA) that issued the certificate.
- Validity period: Beginning and ending dates.
- Subject name: Name of the entity to which the certificate is issued.
- Subject public key info: The subject's public key and the algorithm it belongs to (for example RSA or ECDSA on P-256).
- Extensions (X.509 v3): In particular key usage and extended key usage (what the key may be used for, such as certificate signing for a CA certificate or client authentication for a leaf), basic constraints (whether the subject is itself a CA), and subject alternative name (the DNS names or addresses the certificate is valid for).
Certificate authority
A certificate authority (CA) is an entity that can issue and sign digital certificates. A CA can be a well-known, trusted commercial company, or a private entity controlled by your organization. A commercial CA validates the credentials of the requester before issuing and signing a certificate, and so vouches for the certificate holder's identity. A private CA is a self-signed root that your organization operates itself; it can issue certificates for devices on your network as needed without paying a commercial company, but peers will only accept those certificates after the private root has been installed on them as a trust anchor.
Root certificate
A root certificate is a self-signed certificate that is deemed the root of trust for a certificate chain. It identifies a CA, and the CA uses the matching private key to sign the certificates it issues. When two peers attempt to establish a secure connection, each uses the CA's public key from the root certificate to verify that the other's certificate (or the chain leading up to it) was indeed signed by a trusted certificate authority. Because a root's signature is made with its own key, that signature proves nothing about its trustworthiness; a root is trusted only because it has been deliberately installed as a trust anchor.
Each root CA certificate has a unique fingerprint: the hash (typically SHA-256) of the DER-encoded certificate. Because a self-signed root cannot be validated by any other signature, its fingerprint is compared against a value obtained out of band (for example from the CA's published documentation or from the administrator who generated it) to confirm that the root being installed on the switch is the intended one.
In a certificate chain, the root CA generates a self-signed certificate, and each lower level CA holds a CA certificate (intermediate certificate) issued by the CA immediately above it. The hierarchy of these certificates forms a chain of trust.
Leaf certificate
This is the certificate used by a software entity, such as a syslog client, to identify itself to a peer when establishing a secure connection. A leaf (end-entity) certificate is not a CA certificate and cannot be used to sign other certificates.
Intermediate certificate
An intermediate certificate is a CA certificate issued by the root CA or by another intermediate CA. Intermediate CAs can issue leaf certificates and sit between the root and leaf certificates in the chain. Using an intermediate CA lets administrators keep the root key offline and delegate day-to-day issuance, segregate certificates by purpose or group, and limit the damage if a signing key is compromised: only the affected intermediate has to be revoked and reissued, not the root that every device trusts.
Trust anchor
This is the certificate that acts as the base of trust for the validation of other certificates: whatever certificate the validating party has chosen to trust explicitly, rather than because something else signed it. A trust anchor is usually a root certificate, but an intermediate certificate issued by a CA can also be configured as the anchor, in which case validation stops at the intermediate and the root is not required.
OCSP
The online certificate status protocol (OCSP) is a real-time method for determining the revocation status of a certificate. When two peers attempt to establish a secure connection, they can query an OCSP responder to determine the status (good, revoked, or unknown) of each other's certificates; the responder's signed answer is verified the same way a certificate is, back to a trusted CA. The OCSP responder for a certificate is typically a server managed by the CA that issued the certificate, and its URL is usually carried in the certificate's authority information access extension. Because the check happens at connection time, a peer must be able to reach the responder, so consider how an unreachable responder should be handled before relying on OCSP.
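The following script is an added example and is not part of the switch documentation or any vendor tool. It ties together the concepts above with the openssl CLI: it builds a root, an intermediate, and two leaf certificates, decodes the fields listed under "Digital certificate", computes the root fingerprint both as openssl prints it and as a plain SHA-256 over the DER encoding, validates the chain first with the root and then with the intermediate as trust anchor, and finally runs an offline OCSP exchange in which the issuing CA answers from a CA database and the client verifies the signed response. Every name, serial number, and file name is made up for the demo; the OCSP nonce is disabled only because the client side rebuilds its request from scratch here.

```shell
#!/bin/sh
# Added example (not the switch's or OpenSSL's own code): root -> intermediate -> leaf
# chain, field decoding, root fingerprint, chain validation, and an offline OCSP exchange.
# All names, serials and paths are invented for the demo.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal OpenSSL config; one extension section per certificate role.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_inter]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = DNS:syslog-client.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null; }

# Sign a CSR: $1 CSR, $2 issuer base name, $3 serial, $4 extension section, $5 output file.
sign() {
  openssl x509 -req -in "$1" -CA "$2.pem" -CAkey "$2.key" -set_serial "$3" -days 365 \
    -sha256 -extfile pki.cnf -extensions "$4" -out "$5" 2>/dev/null
}

build_pki() {
  # Root CA: self-signed, the trust anchor of the whole chain.
  newkey root.key
  openssl req -x509 -new -key root.key -config pki.cnf -extensions v3_root -sha256 \
    -days 3650 -subj "/O=Example Corp/CN=Example Root CA" -out root.pem 2>/dev/null
  # Intermediate CA: issued by the root; pathlen:0 stops it from creating further CAs.
  newkey inter.key
  openssl req -new -key inter.key -config pki.cnf \
    -subj "/O=Example Corp/CN=Example Issuing CA" -out inter.csr 2>/dev/null
  sign inter.csr root 0x10 v3_inter inter.pem
  # Two leaf certificates issued by the intermediate; the second is later marked revoked.
  for name in syslog-client revoked-client; do
    newkey "$name.key"
    openssl req -new -key "$name.key" -config pki.cnf \
      -subj "/O=Example Corp/CN=$name" -out "$name.csr" 2>/dev/null
  done
  sign syslog-client.csr inter 0x1001 v3_leaf syslog-client.pem
  sign revoked-client.csr inter 0x1002 v3_leaf revoked-client.pem
  # CA database read by the OCSP responder: V = valid, R = revoked (with revocation time);
  # column 4 is the hex serial the responder looks up.
  printf 'V\t351231235959Z\t\t1001\tunknown\t/CN=syslog-client\n' > index.txt
  printf 'R\t351231235959Z\t240101120000Z\t1002\tunknown\t/CN=revoked-client\n' >> index.txt
}

# Human-readable dump of the fields listed above (version, serial, issuer, validity,
# subject, public key, extensions).
decode() { openssl x509 -in "$1" -noout -text; }

# The fingerprint openssl prints is just SHA-256 over the DER encoding; compute it both ways.
fingerprint()        { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g'; }
fingerprint_manual() { openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | sed 's/^.*= *//' | tr 'a-f' 'A-F'; }

# Chain validation with different trust anchors; exit status 0 means the chain is trusted.
verify_root_anchor()      { openssl verify -CAfile root.pem -untrusted inter.pem "$1"; }
verify_inter_anchor()     { openssl verify -partial_chain -CAfile inter.pem "$1"; }
verify_inter_no_partial() { openssl verify -CAfile inter.pem "$1"; }  # fails: anchor is not self-signed

# Offline OCSP exchange for leaf $1: the responder run answers from index.txt and signs with
# the issuing CA's key; the client run verifies that signature up to the root and prints the
# status word (good / revoked / unknown). -no_nonce because the client rebuilds its request.
ocsp_status() {
  openssl ocsp -index index.txt -CA inter.pem -rsigner inter.pem -rkey inter.key -no_nonce \
    -issuer inter.pem -cert "$1" -reqout req.der -respout resp.der >/dev/null 2>&1
  openssl ocsp -respin resp.der -CAfile root.pem -no_nonce -issuer inter.pem -cert "$1" 2>/dev/null \
    | sed -n "s/^$1: //p"
}

build_pki
decode syslog-client.pem | grep -E 'Version|Serial Number|Issuer:|Not (Before|After)|Subject:|Public Key Algorithm|Key Usage|Alternative Name'
echo "root fingerprint: $(fingerprint root.pem)"
verify_root_anchor syslog-client.pem
verify_inter_anchor syslog-client.pem
verify_inter_no_partial syslog-client.pem 2>/dev/null || echo "intermediate alone is not an anchor without -partial_chain"
echo "syslog-client: $(ocsp_status syslog-client.pem)  revoked-client: $(ocsp_status revoked-client.pem)"
```

The third verify call is the trust-anchor point in practice: handing a validator only the intermediate does not make it an anchor unless the validator is told to accept partial chains, which is what a switch configured with an intermediate as its trust anchor is doing implicitly. Note also that the OCSP response here is signed directly by the issuing CA; a responder using a delegated signing certificate would need the OCSP signing extended key usage on that certificate for the client-side verification to pass.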