Christian's Docs
Christian's Docs
Welcome to my Docs!
DONE
Kerberos Authentication Protocol
HTTP Security Checklist
Brotli for NGINX
In progress ...
TLS and Ciphers Suites
PKI and X.509v3 Certificates
HTTP compression and BREACH-attacks
OAuth2 and OIDC
SAML 2.0
iOS Encryption & Data Protection
Archive
Don't touch PHP again
Portfolio
Github
Linkedin
Medium
Twitter
Powered by GitBook

PKI and X.509v3 Certificates

This page is based on RFC 5280

Basic PKI

  • Certificate Authority (CA)

  • Registration Authority (RA)

Certificate Data

  • Issuer

  • Subject

  • Validity

  • X509v3 Extensions

X.509v3 Extensions

  • Key Usage

  • Authority Information Access

  • Certificate Policies

  • Basic Constraints

  • CRL Distribution Points

  • Subject Alternative Name (SAN)

Distinguished Name (DN)

An unordered set of AVAs

Attribute Value Assertion (AVA)

  • Common Name (CN)

  • Organization (O)

  • Organizational Unit (OU)

  • Country/Region (C)

Revocation

  • Certificate Revocation List (CRL)

  • Online Certificate Status Protocol (OCSP)

Sample Certificate

Taken from the Red Hat Docs

Data:
  Version:  v3
  Serial Number: 0x1
  Signature Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
  Issuer: CN=Certificate Manager,OU=netscape,O=ExampleCorp,L=MV,ST=CA,C=US
  Validity:
    Not Before: Friday, February 21, 2005 12:00:00 AM PST America/Los_Angeles
    Not  After: Monday, February 21, 2007 12:00:00 AM PST America/Los_Angeles
  Subject: CN=Certificate Manager,OU=netscape,O=ExampleCorp,L=MV,ST=CA,C=US
  Subject Public Key Info:
    Algorithm: RSA - 1.2.840.113549.1.1.1
    Public Key:
      Exponent: 65537
      Public Key Modulus: (2048 bits) :
        E4:71:2A:CE:E4:24:DC:C4:AB:DF:A3:2E:80:42:0B:D9:
        CF:90:BE:88:4A:5C:C5:B3:73:BF:49:4D:77:31:8A:88:
        15:A7:56:5F:E4:93:68:83:00:BB:4F:C0:47:03:67:F1:
        30:79:43:08:1C:28:A8:97:70:40:CA:64:FA:9E:42:DF:
        35:3D:0E:75:C6:B9:F2:47:0B:D5:CE:24:DD:0A:F7:84:
        4E:FA:16:29:3B:91:D3:EE:24:E9:AF:F6:A1:49:E1:96:
        70:DE:6F:B2:BE:3A:07:1A:0B:FD:FE:2F:75:FD:F9:FC:
        63:69:36:B6:5B:09:C6:84:92:17:9C:3E:64:C3:C4:C9
  Extensions:
    Identifier: Netscape Certificate Type - 2.16.840.1.113730.1.1
      Critical: no
      Certificate Usage:
        SSL CA
        Secure Email CA
        ObjectSigning CA
    Identifier: Basic Constraints - 2.5.29.19
      Critical: yes
      Is CA: yes
      Path Length Constraint: UNLIMITED
    Identifier: Subject Key Identifier - 2.5.29.14
      Critical: no
      Key Identifier:
        3B:46:83:85:27:BC:F5:9D:8E:63:E3:BE:79:EF:AF:79:
        9C:37:85:84
    Identifier: Authority Key Identifier - 2.5.29.35
      Critical: no
      Key Identifier:
        3B:46:83:85:27:BC:F5:9D:8E:63:E3:BE:79:EF:AF:79:
        9C:37:85:84
    Identifier: Key Usage: - 2.5.29.15
      Critical: yes
      Key Usage:
        Digital Signature
        Key CertSign
        Crl Sign
  Signature:
    Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
    Signature:
      AA:96:65:3D:10:FA:C7:0B:74:38:2D:93:54:32:C0:5B:
      2F:18:93:E9:7C:32:E6:A4:4F:4E:38:93:61:83:3A:6A:
      A2:11:91:C2:D2:A3:48:07:6C:07:54:A8:B8:42:0E:B4:
      E4:AE:42:B4:B5:36:24:46:4F:83:61:64:13:69:03:DF:
      41:88:0B:CB:39:57:8C:6B:9F:52:7E:26:F9:24:5E:E7:
      BC:FB:FD:93:13:AF:24:3A:8F:DB:E3:DC:C9:F9:1F:67:
      A8:BD:0B:95:84:9D:EB:FC:02:95:A0:49:2C:05:D4:B0:
      35:EA:A6:80:30:20:FF:B1:85:C8:4B:74:D9:DC:BB:50
In progress ... - Previous
TLS and Ciphers Suites
Next - In progress ...
HTTP compression and BREACH-attacks
Last updated 9 months ago
Contents
Basic PKI
Certificate Data
X.509v3 Extensions
Distinguished Name (DN)
Attribute Value Assertion (AVA)
Revocation
Sample Certificate