PKI concepts
Digital certificate
A digital certificate is an electronic form of identification that stores important information about an entity (such as a computer, program, or website). Certificates help secure digital transactions by enabling the end parties to validate each other's identity. Digital certificates are issued by a certificate authority (CA) and are composed of an encoded string of characters (usually stored in a file). For example:
-----BEGIN CERTIFICATE-----
MIIDsDCCApgCCQDJotuPPj9GCDANBgkqhkiG9w0BAQsAADCBqzELMAkGA1UEBh
VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNVBAcBM1JvY2tsaW4xDDAKBg
BAoMA0hQTjEVMBMGA1UECwwMSFBOUm9zZXZpbGxlMSokwAYDVQQDDCFocG5zdz
...
MioDy0096DvSMPsnOaI+jnZ3AozN8y+nLgotXUsg36pO/Ncc51oQhyUdcAbgA1
rzSLgyTnpXZKumvlaoTk3pzrIf7m5V103GTbgHGSFCzgO6QWxVxu9d7ju1o59S
aOIT7JSsYI5LsLpVz9ZqS599rj/lLoH+rLNlRDVXpS+J51
-----END CERTIFICATE-----
The switch can import PEM encoded ITU-T X.509 v3 certificates. (Certificates can be converted to human-readable form using a software decoder.)
An X.509 digital certificate typically includes the following information:
- Signature algorithm: The cryptographic algorithm used to generate the digital signature.
Signature value: Digital signature of the certificate generated using the CA's private key.
- Version number: X.509 version number.
Serial number: Certificate serial number.
Issuer name: Name of the certificate authority (CA) that issued the certificate.
Validity period: Beginning and ending dates.
Subject name: Name of the entity to which the certificate is issued.
Subject public key and key algorithm.
Key usage extension: Purpose of the certificate.
Certificate authority
A certificate authority (CA) is an entity that can issue and sign digital certificates. A CA can be a well-known, trusted commercial company, or a private entity controlled by your organization. For a commercial CA, the CA validates the credentials of a user before issuing a certificate and signing it, guaranteeing a certificate holder's identity. For a private CA, self-signed certificates can be generated as needed for devices on your network without paying a commercial company.
Root certificate
A root certificate is a self-signed certificate that is deemed the root of trust for a certificate chain. This is the certificate that identifies a CA, and is used by the CA to sign any certificates that it issues. When two peers attempt to establish a secure connection, they use the CA's public key to verify that each other's certificates were indeed signed by a trusted certificate authority.
Each root CA certificate has a unique fingerprint, which is the hash value of the certificate content. The fingerprint of a root CA certificate can be used to authenticate the validity of the root CA.
In a certificate chain, the root CA generates a self-signed certificate, and each lower level CA holds a CA certificate (intermediate certificate) issued by the CA immediately above it. The hierarchy of these certificates forms a chain of trust.
Trust anchor
This is the certificate that acts as the base of trust for the validation of other certificates. A trust anchor can be a root or intermediate certificate issued by a CA.
OCSP
The online certificate status protocol (OCSP) is a real-time method for determining the revocation status of a certificate. When two peers attempt to establish a secure connection, they can query an OCSP responder to determine the status (valid or revoked) of each other's certificates. The OCSP responder for a certificate is typically provided by a server managed by the CA that issued the certificate.
Leaf certificate
This is the certificate used by a software entity, such as a syslog client, to identify itself to a peer when establishing a secure connection.