Obtaining Digital Certificate (X.509 Certificate)
Any user can verify a certificate if he/she has the public key of the CA that issued the certificate. Since certificates are unforgeable, they are simply stored in the directory. The directory entry for each CA X includes two types of certificates:
Forward certificates: certificates of X generated by other CAs.
Reverse certificates: certificates generated by X that are the certificates of other CAs.
Figure: Forward and Reverse Certificate
Users subscribed to the same CA can obtain each other's certificates from the directory, or a user may send the certificate directly to the other user. However, there are multiple CAs, and users subscribed to different CAs may also want to communicate with each other. Suppose A has obtained a certificate from certification authority (CA) X1 and B has obtained a certificate from certification authority (CA) X2. If A does not know the public key of X2, then B's certificate, issued by X2, is useless to A: A can read B's certificate, but A cannot verify the signature on it. (See the figure below.)
Figure: Obtaining Digital Certificate
But if the two CAs have securely exchanged their own public keys, the following procedure enables A to obtain B's public key:
1. A obtains the certificate of X2 signed by X1 from the directory. A securely knows X1's public key, so A can obtain X2's public key from its certificate and verify X1's signature on the certificate.
2. A then obtains the certificate of B signed by X2. A now has a copy of X2's public key, so A can verify the signature and securely obtain B's public key. (See the figure below.)
In this case, A has used a chain of certificates to obtain B's public key. In the notation of X.509, this chain is expressed as: X1<<X2>> X2<<B>>
Figure: Chain of Certificate
Revocation of Digital Certificate (X.509 Certificate)
Certificate revocation is the act of invalidating a certificate before its scheduled expiration date. Certificates that are revoked are stored on a list maintained by the CA, called the Certificate Revocation List (CRL). A certificate needs to be revoked if:
1. The user's private key has been compromised.
2. The user's certificate has been compromised.
3. The user is no longer certified by the CA.
The certificate revocation format is shown in the figure.
Each CA (Certificate Authority) must maintain a list of all revoked but not yet expired certificates issued by that CA, including both those issued to users and those issued to other CAs. Each certificate revocation list (CRL) posted to the directory is signed by the issuer and includes:
1. The issuer's name,
2. The date the list was created,
3. The date the next CRL is scheduled to be issued, and
4. An entry for each revoked certificate.
Every user must check the CRL before using another user's public key.
Figure: Certificate Revocation Format
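The chain X1<<X2>> X2<<B>> from the section above and the CRL check from this one, worked through with Go's standard crypto/x509 package as an added example (not part of the original post): A trusts only X1's public key, obtains X2's forward certificate X1<<X2>> from the directory, verifies B's certificate, and consults a CRL signed by X2 before relying on B's key. The CA names, serial numbers and validity periods are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must keeps the demo short by panicking on error; production code would return it.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue makes a P-256 key and a certificate for it with the given key usage, signed by signer on behalf of parent (self-signed when parent is nil).
func issue(cn string, serial int64, use x509.KeyUsage, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: use,
		IsCA: use&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, // only a CA may sign certificates
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, signer = t, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)))), key
}
// ChainDemo builds X1<<X2>> X2<<B>>, verifies B while trusting only X1's key, then has X2
// publish a CRL listing B's serial and checks B against it. Returns (chain verified, B revoked).
func ChainDemo() (chainOK, revoked bool) {
	x1, x1Key := issue("X1", 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, nil) // A's own CA
	x2, x2Key := issue("X2", 2, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, x1, x1Key) // X1<<X2>>
	b, _ := issue("B", 3, x509.KeyUsageDigitalSignature, x2, x2Key)                  // X2<<B>>
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(x1)  // A securely knows X1's public key
	inters.AddCert(x2) // and fetched X1<<X2>> from the directory
	_, err := b.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour), // issued / next due
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: b.SerialNumber, RevocationTime: time.Now()}},
	}, x2, x2Key))))
	must(0, crl.CheckSignatureFrom(x2)) // the CRL is trusted only after the issuer's signature checks out
	for _, e := range crl.RevokedCertificates {
		revoked = revoked || e.SerialNumber.Cmp(b.SerialNumber) == 0
	}
	return err == nil, revoked
}
```

Swap the roots pool for one holding only X2 and the chain still verifies, but A would then be trusting a key it never securely obtained; the CRL check is what turns "this key belongs to B" into "and B's key is still good to use".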
What happens when you revoke a certificate?
Ideally, browsers and other clients should detect in a timely manner that the certificate has been revoked, show a security warning that the certificate is no longer trusted, and prevent the user from continuing to use such a website. See the figure below.