Sun Microsystems 820433510 Server User Manual
Most importantly, a certificate binds the owner's public key to the owner's identity. Like a passport binds a photograph to personal information about its holder, a certificate binds a public key to information about its owner.

In addition to the public key, a certificate typically includes information such as:

The name of the holder and other identification, such as the URL of the Web server using the certificate, or an individual's email address.
The name of the CA that issued the certificate.
An expiration date.

Digital Certificates are governed by the technical specifications of the X.509 format. To verify the identity of a user in the certificate realm, the authentication service verifies an X.509 certificate, using the common name field of the X.509 certificate as the principal name.
About Certicate Chains
Web browsers are precongured with a set of root CA certicates that the browser
automatically trusts. Any certicates from elsewhere must come with a certicate chain to verify
their validity. A certicate chain is series of certicates issued by successive CA certicates,
eventually ending in a root CA certicate.
When a certicate is rst generated, it is a self-signed certicate. A self-signed certicate is one
for which the issuer (signer) is the same as the subject (the entity whose public key is being
authenticated by the certicate). When the owner sends a certicate signing request (CSR) to a
CA, then imports the response, the self-signed certicate is replaced by a chain of certicates. At
the bottom of the chain is the certicate (reply) issued by the CA authenticating the subject's
public key. The next certicate in the chain is one that authenticates the CA's public key.
Usually, this is a self-signed certicate (that is, a certicate from the CA authenticating its own
public key) and the last certicate in the chain.
In other cases, the CA can return a chain of certicates. In this case, the bottom certicate in the
chain is the same (a certicate signed by the CA, authenticating the public key of the key entry),
but the second certicate in the chain is a certicate signed by a dierent CA, authenticating the
public key of the CA to which you sent the CSR. Then, the next certicate in the chain is a
certicate authenticating the second CA's key, and so on, until a self-signed root certicate is
reached. Each certicate in the chain (after the rst) thus authenticates the public key of the
signer of the previous certicate in the chain.
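The chain structure described above (a self-signed root, an intermediate CA, and the CA reply at the bottom) and the use of the common name as the principal name, shown as an added example in Go with the standard crypto/x509 package. This is illustrative code written for this page, not code from the manual or the application server; the CA names and host name it uses are constructed, and verification fails when the intermediate is missing or the root is not trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewCert issues a certificate for cn: self-signed when parent is nil, otherwise signed by parent's key.
func NewCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fresh P-256 key for this subject
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed demo serial; real CAs use random ones
		Subject:               pkix.Name{CommonName: cn},         // the CN the certificate realm uses as principal name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // the expiration date
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only CA certificates may sign other certificates
	}
	if parent == nil { // self-signed: issuer and subject are the same entity
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above is well-formed
	return cert, key
}

// PrincipalName walks leaf back to root through intermediates; an incomplete chain is an error.
func PrincipalName(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}
```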
About Secure Sockets Layer

Secure Sockets Layer (SSL) is the most popular standard for securing Internet communications and transactions. Web applications use HTTPS (HTTP over SSL), which uses digital certificates to ensure secure, confidential communications between server and clients. In an SSL connection, both the client and the server encrypt data before sending it, then decrypt it upon receipt.
Introduction to Certificates and SSL
Chapter 9 • Configuring Security 109