Certificate server
Certificate servers validate, or certify, keys as part of a public key infrastructure. Keys are strings of text generated from a series of encryption algorithms that allow you to secure communication for a group of users. Many Web servers, such as Microsoft's Internet Information Services (IIS) or Apache's mod_ssl, create keys that, after having been validated, can be applied to other servers such as news servers or Web servers. The purpose of this process is to create a way for people to communicate and be reasonably sure that others are not eavesdropping or assuming a false identity.
Usage
The nature of e-mail and newsgroup servers and protocols makes them susceptible to identity theft. Digital certificates help minimize this security risk by authenticating users before they transmit information. A digital certificate is a password-protected, encrypted data file containing message encryption, user identification and message text. It is used to authenticate a program or a sender's public key, or to initiate SSL sessions. It must be signed by a certificate authority (CA) to be valid.
X.509 Description
The Internet Engineering Task Force RFC 2459, entitled "Internet X.509 Public Key Infrastructure Certificate and CRL Profile", describes the profile for the X.509 v3 certificate and the X.509 v2 certificate revocation list (CRL) as part of the Internet PKI. According to the RFC, "The goal of this specification is to develop a profile to facilitate the use of X.509 certificates within Internet applications for those communities wishing to make use of X.509 technology. Such applications may include WWW, electronic mail, user authentication, and IPsec." The structure of X.509 and the resulting PKI allow someone who holds a public key to be certain that the corresponding private key belongs to the person named in the certificate, because public key certificates are digitally signed by a certificate authority.
Implementation using Microsoft IIS
Microsoft's Certificate Services on IIS allows a server to issue or revoke digital certificates. The specific implementation requires a dedicated certificate server in one of four configurations as certificate authorities:
- Enterprise root CA
- Enterprise subordinate CA
- Stand-alone root CA
- Stand-alone subordinate CA
Management of Certificate Services is done via a Microsoft Management Console snap-in and a web-based application. These programs can be used to view revoked, issued, pending, and failed requests for certificates.
Open source implementations
There exist several open source implementations of certificate servers, commonly referred to as a CA or certificate authority. Common to all is that they provide the services to issue, revoke and manage digital certificates.
Some well known open source implementations are:
- EJBCA
- OpenCA
- OpenSSL, which is really an SSL/TLS library but comes with tools to use it as a simple certificate authority.
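As an added example (not part of the original article), the following POSIX shell script drives OpenSSL's command-line tools as the simple certificate authority mentioned above, and walks through the certificate and CRL roles described in the X.509 section: it creates a root CA, certifies a server key by signing its request, verifies the chain, then revokes the certificate and publishes an X.509 v2 CRL so that verification with revocation checking rejects it. The names ("Demo Root CA", "demo.test"), the scratch directory and the minimal configuration are constructed for this demo.

```shell
# Added demo (constructed, not from the article): OpenSSL as a minimal CA.
# demo_ca DIR: root CA -> issue server cert -> verify -> revoke -> CRL -> re-verify.
# Written as a subshell function so the 'cd' into the scratch dir does not leak.
demo_ca() (
  cd "$1" && mkdir -p newcerts && : > index.txt && echo 1000 > serial && echo 1000 > crlnumber
  # Minimal config: [req] for key/CSR generation, [demo_ca] for 'openssl ca'.
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/root.crt
private_key = $dir/root.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
x509_extensions = v3_server
[ demo_policy ]
commonName = supplied
EOF
  # Root CA: a self-signed certificate, the trust anchor relying parties install.
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout root.key \
    -out root.crt -days 3650 -subj "/CN=Demo Root CA" -extensions v3_ca >/dev/null 2>&1
  # Server: key pair plus signing request; the CA signing it is the "certify" step.
  openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -keyout server.key \
    -out server.csr -subj "/CN=demo.test" >/dev/null 2>&1
  openssl ca -config ca.cnf -batch -notext -in server.csr -out server.crt >/dev/null 2>&1
  if openssl verify -CAfile root.crt server.crt >/dev/null 2>&1; then before=valid; else before=rejected; fi
  # Revoke the certificate, publish a CRL, and re-check with revocation checking on.
  openssl ca -config ca.cnf -revoke server.crt -crl_reason keyCompromise >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
  if openssl verify -crl_check -CAfile root.crt -CRLfile ca.crl server.crt >/dev/null 2>&1; then after=valid; else after=rejected; fi
  echo "$before before revocation, $after after revocation"
)

demo_ca "$(mktemp -d)"
```

The root.crt and ca.crl it produces are the kinds of files a TLS server such as Apache with mod_ssl consumes through SSLCACertificateFile and SSLCARevocationFile when it authenticates client certificates.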
Implementation using Apache + mod_ssl
Apache can use a certificate server to get certificates used to provide secure communications with the SSL/TLS protocol.
The server based implementation of the Apache HTTP Server is "mod_ssl", a derivation of Apache-SSL based on the functionality of OpenSSL. Mod_ssl features support for SSLv2, SSLv3, and TLSv1, with X.509 client/server based authentication and certificate revocation. This is accomplished via three packages: the mod_ssl package, an extended API, and an SSL/TLS implementation toolkit such as OpenSSL. Note that SSLv2 and SSLv3 have since been formally deprecated (RFC 6176 and RFC 7568, respectively) and should be disabled in current deployments.
See also
- Certificate authority
- Certificate-based encryption
- Public key infrastructure
- Public key certificate
- X.509