Obtaining & Revocation of Digital Certificate (X.509 Certificate) | How to obtain digital certificate | Why digital certificate is revoke?

 

Obtaining Digital Certificate (X.509 Certificate)

Any user can verify a certificate if he/she has the public key of the CA that issued the certificate. Since certificates are unforgeable, they are simply stored in the directory. The directory entry for each CA includes two types of certificates:

Forward certificates: Certificates of X generated by other CAs.

Reverse certificates: Certificates generated by X that are the certificates of other CAs.

 

Figure: Forward and Reverse Certificate

Users subscribed to same CA can obtain certificate from the directory. Suppose, A has obtained a certificate from certification authority (CA) X1 and B has obtained a certificate from certification authority (CA) X2. A user may directly send the certificate to the other user. If A does not know the public key of X2, then B's certificate, issued by X2, is useless to A because A can read B's certificate, but A cannot verify the signature. However, multiple CAs are there and users subscribed to different CAs may want to communicate with each other. (This paragraph related to below figure)

 

Figure: Obtaining Digital Certificate

But if the two CAs have securely exchanged their own public keys, the following procedure will enable A to obtain B's public key:

A obtains the certificate of X₂ signed by X₁ from the directory. A securely knows X₁'s public key, so A can obtain X₂'s public key from its certificate and verify X₁'s signature on the certificate. A then obtains the certificate of B signed by X₂. A now has a copy of X₂'s public key, so A can verify the signature and securely obtain B's public key. (This paragraph related to below figure). In this case, A has used a chain of certificates to obtain B's public key. In the notation of X.509, this chain is expressed as: X1<<X2>> X2 <<B>>

Figure: Chain of Certificate

Revocation of Digital Certificate (X.509 Certificate)

Certificate revocation is the act of invalidating a certificate before its scheduled expiration date. Certificates that are revoked are stored on a list by the CA, called the Certificate Revocation List (CRL). However, certificates need to be revoked if,

1.    The user’s private key has been compromised.

2.    The user’s certificate has been compromised.

3.    The user is no longer certified by the CA.

The certificate revocation format is shown in the figure.

Each CA (Certificate Authority) must maintain a list consisting of all revoked but not expired certificates issued by that CA, including both those issued to users and to other CAs. Each certificate revocation list (CRL) posted to the directory is signed by the issuer and includes

1.    The issuer’s name,

2.    The date the list was created,

3.    The date the next CRL is scheduled to be issued, and

4.    An entry for each revoked certificate.

Every user must check the CRL before using other user’s public key.

Figure: Certificate Revocation Format

What happens when you revoke a certificate?

Ideally, browsers and other clients should be able to detect that the certificate is revoked in timely manner, show the security warning, that certificate is no longer trusted, and prevent user from further consuming such a website. See below this figure.

To learn more about Obtain and Revocation of Digital Certificate Format, Click here

   Watch more videos click here.