HP OpenVMS Systems

Secure Web Server (based on Apache™)

C O N T E N T S

HP Secure Web Server Documentation

SSL User Guide

SSL Setup Information

Introduction to SSL

An SSL Primer

Using mod_ssl Directives

Understanding Certificates

Using the Certificate Tool

Using Certificates

Glossary

SSL Resource Guide

Chapter 5:

Understanding Certificates

This chapter explains the fundamentals of certificate contents. The next chapter shows you how to use HP Secure Web Server's OpenSSL Certificate Tool, a simple interface for working with certificates. The final chapter gives you the how-to information you'll need to put certificates in action on your server and in your organization.

__Topics________________

Distinguished names

A typical certificate

Types of certificates

The anatomy of a certificate

SSL certificates can be used to authenticate servers or clients. The contents of most certificates are organized according to the X.509 V3 certificate specification, as recommended by the International Telecommunications Union (ITU).

Distinguished names

A digital certificate binds a distinguished name (DN) to a public key.

Distinguished names provide an identity in a specific context. Distinguished names are defined by the X.509 standard [X509], which defines the fields, field names, and abbreviations used to refer to the fields.

A DN is actually a series of names that uniquely identifies the certificate subject. The subject of a server certificate is identified by country, state, city, organization, unit, and server name.

DNs may include a variety of other name-value pairs. They are used to identify both certificate subjects and entries in directories that support LDAP (Lightweight Directory Access Protocol).

Distinguished Name Field	Abbreviation	Description	Example
Country	C	Name is located in this Country (ISO code)	US
State/Province	ST	Name is located in this State/Province	Illinois
City/Locality	L	Name is located in this City	Metropolis
Organization or Company	O	Name is associated with this organization	XYZ Corp.
Organizational Unit	OU	Name is associated with this organization unit, such as a department	Research Dept.
Common Name	CN	Name being certified	TEST.RES.XYZ.COM

mod_SSL Introduction

A typical certificate

Every X.509 certificate consists of two sections:

The data section includes the following information:
- The version number of the X.509 standard supported by the certificate.
- The certificate's serial number. Every certificate issued by a CA has a serial number that is unique to the certificates issued by that CA.
- Information about the user's public key, including the algorithm used and a representation of the key itself.
- The DN of the CA that issued the certificate.
- The period during which the certificate is valid (for example, between 1:00 p.m. on January 1, 2000 and 1:00 p.m. December 31, 2000).
- The DN of the certificate subject (for example, in a client SSL certificate this would be the user's DN), also called the subject name.
- Optional certificate extensions, which may provide additional data used by the client or server. For example, the certificate type extension indicates the type of certificate - that is, whether it is a client SSL certificate, a server SSL certificate, a certificate for signing email, and so on. Certificate extensions can also be used for a variety of other purposes.
The signature section includes:
- The cryptographic algorithm, or cipher, used by the issuing certificate authority (CA) to create its own digital signature.
- The CA's digital signature, obtained by hashing all of the data in the certificate together and encrypting it with the CA's private key.

Types of certificates

Working with SSL certificates in a web server environment involves three types of certificates.

Server certificates

These identify servers to clients via SSL-based server authentication. You can use server authentication with or without client authentication. However, server authentication is a requirement for an encrypted SSL session.

Example: E-commerce sites usually support certificate-based server authentication to encrypt personal information, so that credit card numbers, for example, cannot easily be intercepted.

With CSWS's Certificate Tool: You can create a certificate request (Option 3) and then self-sign (Option 4) it. Or, in a production environment, you have it signed by a trusted certificiate authority.

Client certificates

These identify clients to servers using SSL-based client authentication. Typically, the identity of the client is assumed to be the same as the identity of a human being, such as an employee in an enterprise.

Example: A corporate intranet might give a new employee a client SSL certificate that allows the company's servers to identify that employee and authorize access to the company's servers.

With CSWS's Certificate Tool: You can create a client certificate request (using the same option as for a server certificate request) and then sign the request (Option 6) using your own CA certificate.

CA certificates

These identify certificate authorities. They can be trusted root or intermediate certificates that client browser and web servers use CA certificates to determine what other certificates can be trusted.

Example: The CA certificates stored in your web browser (either Internet Explorer or Netscape Navigator) determine what other certificates that browser can authenticate without warning the user that a site has an untrusted certificate.

With CSWS's Certificate Tool: You can create a certificate authority (CA) certificate using Option 5.

Recommended reading:

Introduction to SSL concepts

Encryption and Digital Certificates

Managing certificates