HP OpenVMS Systems

Secure Web Server (based on Apache™)


HP Secure Web Server Documentation

SSL User Guide

    Chapter 5: Understanding Certificates

    This chapter explains the fundamentals of certificate contents. The next chapter shows you how to use HP Secure Web Server's OpenSSL Certificate Tool, a simple interface for working with certificates. The final chapter gives you the how-to information you'll need to put certificates in action on your server and in your organization.


    Distinguished names

    A typical certificate

    Types of certificates

    The anatomy of a certificate

    SSL certificates can be used to authenticate servers or clients. The contents of most certificates are organized according to the X.509 V3 certificate specification, as recommended by the International Telecommunication Union (ITU).

    Distinguished names

    A digital certificate binds a distinguished name (DN) to a public key.

    Distinguished names provide an identity in a specific context. Distinguished names are defined by the X.509 standard [X509], which defines the fields, field names, and abbreviations used to refer to the fields.

    A DN is actually a series of names that uniquely identifies the certificate subject. The subject of a server certificate is identified by country, state, city, organization, unit, and server name.

    DNs may include a variety of other name-value pairs. They are used to identify both certificate subjects and entries in directories that support LDAP (Lightweight Directory Access Protocol).

    Distinguished Name Field  Abbreviation  Description                                                           Example
    Country                   C             Name is located in this Country (ISO code)                            US
    State/Province            ST            Name is located in this State/Province                                Illinois
    City/Locality             L             Name is located in this City                                          Metropolis
    Organization or Company   O             Name is associated with this                                          XYZ Corp.
    Organizational Unit       OU            Name is associated with this organization unit, such as a department  Research Dept.
    Common Name               CN            Name being certified                                                  TEST.RES.XYZ.COM
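
    The fields in the table above as they appear in a DN string, as an added example that is not part of the HP documentation: the Python code below parses the comma-separated RFC 4514 string form of a DN into attribute/value pairs, honouring backslash escapes, so that an access check compares whole attributes instead of substrings. The function names, the second sample DN and the exact-match policy are assumptions made for illustration.

```python
import re

# A backslash escapes either a two-digit hex pair or one literal character.
_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2}|.)", re.S)

def _unescape(raw):
    # Assumption: hex pairs are treated as single ASCII bytes (e.g. \2C is ",").
    return _ESCAPE.sub(
        lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
        raw)

def _split(raw, sep):
    """Split raw at every sep that is not part of a backslash escape."""
    parts, buf, i = [], [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            buf.append(raw[i:i + 2])      # keep the escape intact for _unescape
            i += 2
        elif raw[i] == sep:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(raw[i])
            i += 1
    parts.append("".join(buf))
    return parts

def parse_dn(dn):
    """Return the DN as a list of RDNs, each a list of (TYPE, value) tuples."""
    rdns = []
    for raw_rdn in _split(dn, ","):
        rdn = []
        for raw_attr in _split(raw_rdn, "+"):   # "+" joins a multi-valued RDN
            attr_type, eq, raw_value = raw_attr.partition("=")
            if not eq or not attr_type.strip():
                raise ValueError("malformed attribute: %r" % raw_attr)
            rdn.append((attr_type.strip().upper(), _unescape(raw_value)))
        rdns.append(rdn)
    return rdns

def dn_matches(dn, required):
    """True only if each required type/value is a real attribute of the DN.
    Assumption: values are compared exactly (case-sensitive)."""
    attrs = {pair for rdn in parse_dn(dn) for pair in rdn}
    return all((t.upper(), v) in attrs for t, v in required.items())

# Constructed sample DNs: the table's example values, and a DN whose CN
# contains an escaped comma followed by text that looks like an OU attribute.
SUBJECT = "CN=TEST.RES.XYZ.COM,OU=Research Dept.,O=XYZ Corp.,L=Metropolis,ST=Illinois,C=US"
EDGE = r"CN=guest\,OU=Research Dept.,OU=Visitors,O=XYZ Corp.,C=US"
```

    A substring test for `OU=Research Dept.` succeeds on both sample strings, while `dn_matches` accepts only the first, because in the second that text is part of the CN value.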


    A typical certificate

    Every X.509 certificate consists of two sections:

    • The data section includes the following information:
      • The version number of the X.509 standard supported by the certificate.
      • The certificate's serial number. Every certificate issued by a CA has a serial number that is unique among the certificates issued by that CA.
      • Information about the user's public key, including the algorithm used and a representation of the key itself.
      • The DN of the CA that issued the certificate.
      • The period during which the certificate is valid (for example, between 1:00 p.m. on January 1, 2000 and 1:00 p.m. December 31, 2000).
      • The DN of the certificate subject (for example, in a client SSL certificate this would be the user's DN), also called the subject name.
      • Optional certificate extensions, which may provide additional data used by the client or server. For example, the certificate type extension indicates the type of certificate - that is, whether it is a client SSL certificate, a server SSL certificate, a certificate for signing email, and so on. Certificate extensions can also be used for a variety of other purposes.
    • The signature section includes:
      • The cryptographic algorithm, or cipher, used by the issuing certificate authority (CA) to create its own digital signature.
      • The CA's digital signature, obtained by hashing all of the data in the certificate together and encrypting the resulting hash with the CA's private key.

    Types of certificates

    Working with SSL certificates in a web server environment involves three types of certificates.

    Server certificates

    These identify servers to clients via SSL-based server authentication. You can use server authentication with or without client authentication. However, server authentication is a requirement for an encrypted SSL session.

    Example: E-commerce sites usually support certificate-based server authentication to encrypt personal information, so that credit card numbers, for example, cannot easily be intercepted.

    With CSWS's Certificate Tool: You can create a certificate request (Option 3) and then self-sign it (Option 4). In a production environment, you would instead have it signed by a trusted certificate authority.

    Client certificates

    These identify clients to servers using SSL-based client authentication. Typically, the identity of the client is assumed to be the same as the identity of a human being, such as an employee in an enterprise.

    Example: A corporate intranet might give a new employee a client SSL certificate that allows the company's servers to identify that employee and authorize access to the company's servers.

    With CSWS's Certificate Tool: You can create a client certificate request (using the same option as for a server certificate request) and then sign the request (Option 6) using your own CA certificate.

    CA certificates

    These identify certificate authorities. They can be trusted root or intermediate certificates. Client browsers and web servers use CA certificates to determine what other certificates can be trusted.

    Example: The CA certificates stored in your web browser (either Internet Explorer or Netscape Navigator) determine what other certificates that browser can authenticate without warning the user that a site has an untrusted certificate.

    With CSWS's Certificate Tool: You can create a certificate authority (CA) certificate using Option 5.

    Recommended reading:

    Introduction to SSL concepts

    Encryption and Digital Certificates

    Managing certificates