Misplaced Pages

Public key certificate: Difference between revisions

Article snapshot taken from Wikipedia with creative commons attribution-sharealike license. Give it a read and then ask your questions in the chat. We can research this topic together.
Browse history interactively← Previous editContent deleted Content addedVisualWikitext
Revision as of 06:11, 23 July 2018 edit120.17.176.244 (talk)No edit summaryTags: Mobile edit Mobile web edit← Previous edit Latest revision as of 22:43, 24 December 2024 edit undoGoldMiner24 (talk | contribs)Extended confirmed users, New page reviewers, Rollbackers6,215 editsm Rollback edit(s) by 2600:1700:A1A0:81E0:9CE9:D31F:C9CB:110E (talk): Unexplained content removal (RW 16.1)Tags: RW Rollback 
(369 intermediate revisions by more than 100 users not shown)
Line 1: Line 1:
{{Short description|Electronic document used to prove the ownership of a public key|noreplace}}

In ], a '''public key certificate''', also known as a '''digital certificate''' or '''identity certificate''', is an ] used to prove the validity of a ].<ref name=":0" /><ref>{{Cite journal |last1=Alrawais |first1=Arwa |last2=Alhothaily |first2=Abdulrahman |last3=Cheng |first3=Xiuzhen|author3-link= Xiuzhen Cheng |last4=Hu |first4=Chunqiang |last5=Yu |first5=Jiguo |date=2018-06-01 |title=SecureGuard: A Certificate Validation System in Public Key Infrastructure |url=https://ieeexplore.ieee.org/document/8290970 |journal=IEEE Transactions on Vehicular Technology |volume=67 |issue=6 |pages=5399–5408 |doi=10.1109/TVT.2018.2805700 |s2cid=49270949 |issn=0018-9545 |access-date=2022-08-26 |archive-date=2022-08-26 |archive-url=https://web.archive.org/web/20220826181642/https://ieeexplore.ieee.org/document/8290970/ |url-status=live }}</ref> The certificate includes the public key and information about it, information about the identity of its owner (called the subject), and the ] of an entity that has verified the certificate's contents (called the issuer). If the device examining the certificate trusts the issuer and finds the signature to be a valid signature of that issuer, then it can use the included public key to communicate securely with the certificate's subject. In ], ], and ] systems, a certificate's subject is typically a person or organization. However, in ] (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name ] (SSL), is notable for being a part of ], a ] for securely browsing the ].

In a typical ] (PKI) scheme, the certificate issuer is a ] (CA),<ref>{{Cite journal |last1=Chadwick |first1=David W |last2=Basden |first2=Andrew |date=2001-10-31 |title=Evaluating Trust in a Public Key Certification Authority |url=https://www.sciencedirect.com/science/article/pii/S0167404801007106 |journal=Computers & Security |language=en |volume=20 |issue=7 |pages=592–611 |doi=10.1016/S0167-4048(01)00710-6 |issn=0167-4048 |access-date=2022-02-26 |archive-date=2022-02-26 |archive-url=https://web.archive.org/web/20220226191547/https://www.sciencedirect.com/science/article/pii/S0167404801007106 |url-status=live }}</ref> usually a company that charges customers a fee to issue certificates for them. By contrast, in a ] scheme, individuals sign each other's keys directly, in a format that performs a similar function to a public key certificate. In case of key compromise, a certificate may need to be ].

The most common format for public key certificates is defined by ]. Because X.509 is very general, the format is further constrained by profiles defined for certain use cases, such as ] as defined in {{IETF RFC|5280}}.

== Types of certificate == == Types of certificate ==

].]]

].]]

=== TLS/SSL server certificate === === TLS/SSL server certificate ===
The ] (TLS) protocol – as well as its outdated predecessor, the ] (SSL) protocol – ensures that the communication between a ] and a ] is secure. The protocol requires the server to present a digital certificate, proving that it is the intended destination. The connecting client conducts ], ensuring that:
In TLS (an updated replacement for SSL), a ] is required to present a certificate as part of the initial connection setup. A ] connecting to that server will perform the ]:
# The subject of the certificate matches the ] (ie. domain name) to which the client is trying to connect. # The subject of the certificate matches the ] (not to be confused with the ]) to which the client is trying to connect.
# The certificate is signed by a trusted certificate authority. # A trusted certificate authority has signed the certificate.
The ''Subject'' field of the certificate must identify the primary hostname of the server as the ''Common Name''.{{Clarify|date=September 2022}} The hostname must be publicly accessible, not using ]es or ].<ref>{{cite web|url=https://docs.digicert.com/en/certcentral/certificate-tools/discovery-user-guide/tls-ssl-certificate-vulnerabilities/internal-names.html |title=Internal names |publisher=] Documentation}}</ref> A certificate may be valid for multiple hostnames (e.g., a domain and its subdomains). Such certificates are commonly called ''Subject Alternative Name (SAN) certificates'' or ''Unified Communications Certificates (UCC)''. These certificates contain the ] field, though many CAs also put them into the ''Subject Common Name'' field for backward compatibility. If some of the hostnames contain an asterisk (*), a certificate may also be called a ].


Once the certification path validation is successful, the client can establish an encrypted connection with the server.
The primary hostname (] of the website) is listed as the '''Common Name''' in the '''Subject''' field of the certificate. A certificate may be valid for multiple hostnames (multiple websites). Such certificates are commonly called '''Subject Alternative Name (SAN) certificates''' or '''Unified Communications Certificates (UCC)'''. These certificates contain the field ], though many CAs will also put them into the '''Subject Common Name''' field for backward compatibility. If some of the hostnames contain an asterisk (*), a certificate may also be called a ].


Internet-facing servers, such as public ], must obtain their certificates from a trusted, public certificate authority (CA).
A TLS server may be configured with a self-signed certificate. When that is the case, clients will generally be unable to verify the certificate, and will terminate the connection unless certificate checking is disabled.


=== TLS/SSL client certificate === === TLS/SSL client certificate ===
Client certificates are less common than server certificates, and are used to authenticate the client connecting to a TLS service, for instance to provide access control. Because most services provide access to individuals, rather than devices, most client certificates contain an email address or personal name rather than a hostname. Also, because authentication is usually managed by the service provider, client certificates are not usually issued by a public CA that provides server certificates. Instead, the operator of a service that requires client certificates will usually operate their own internal CA to issue them. Client certificates are supported by many web browsers, but most services use passwords and cookies to authenticate users, instead of client certificates. Client certificates authenticate the client connecting to a TLS service, for instance to provide access control. Because most services provide access to individuals, rather than devices, most client certificates contain an email address or personal name rather than a hostname. In addition, the certificate authority that issues the client certificate is usually the service provider to which client connects because it is the provider that needs to perform authentication. Some service providers even offer free SSL certificates as part of their packages.<ref>{{Cite web |title=Free SSL Certificate {{!}} IONOS by 1&1 |url=https://www.ionos.co.uk/security/free-ssl |access-date=2022-07-15 |website=www.ionos.co.uk |language=en-GB |archive-date=2022-07-18 |archive-url=https://web.archive.org/web/20220718121336/https://www.ionos.co.uk/security/free-ssl |url-status=live }}</ref>


While most web browsers support client certificates, the most common form of authentication on the Internet is a username and password pair. Client certificates are more common in ] (VPN) and ], where they authenticate devices.
Client certificates are more common in ] systems, where they are used to authenticate devices to ensure that only authorized devices can make certain RPC calls.


=== Email certificate === === Email certificate ===
In accordance with the ] protocol, email certificates can both establish the message integrity and encrypt messages. To establish encrypted email communication, the communicating parties must have their digital certificates in advance. Each must send the other one digitally signed email and opt to import the sender's certificate.
In the ] protocol for secure email, senders need to discover which public key to use for any given recipient. They get this information from an email certificate. Some publicly trusted certificate authorities provide email certificates, but more commonly S/MIME is used when communicating within a given organization, and that organization runs its own CA, which is trusted by participants in that email system.


Some publicly trusted certificate authorities provide email certificates, but more commonly S/MIME is used when communicating within a given organization, and that organization runs its own CA, which is trusted by participants in that email system.
=== Code signing certificate ===
{{Main article|Code signing}}
Certificates can also be used to validate signatures on programs to ensure they were not tampered with during delivery.


=== Qualified certificate === === Self-signed and root certificates ===
{{Main article|Qualified digital certificate}} {{Main|Root certificate|Self-signed certificate}}
A certificate identifying an individual, typically for ] purposes. These are most commonly used in Europe, where the ] regulation standardizes them and requires their recognition.


A ] is a certificate with a subject that matches its issuer, and a signature that can be verified by its own public key.
=== Root certificate ===
{{Main article|Root certificate}}
A self-signed certificate used to sign other certificates. Also sometimes called a '''trust anchor'''.


Self-signed certificates have their own limited uses. They have full trust value when the issuer and the sole user are the same entity. For example, the Encrypting File System on Microsoft Windows issues a self-signed certificate on behalf of the encrypting user and uses it to transparently decrypt data on the fly. The digital certificate chain of trust starts with a self-signed certificate, called a '']'', ''trust anchor'', or ''trust root''. A certificate authority self-signs a root certificate to be able to sign other certificates.
=== Intermediate certificate ===
A certificate used to sign other certificates. An intermediate certificate must be signed by another intermediate certificate, or a root certificate.


An intermediate certificate has a similar purpose to the root certificate – its only use is to sign other certificates. However, an intermediate certificate is not self-signed. A root certificate or another intermediate certificate needs to sign it.
=== End-entity or leaf certificate ===
Any certificate that cannot be used to sign other certificates. For instance, TLS/SSL server and client certificates, email certificates, code signing certificates, and qualified certificates are all end-entity certificates.


An end-entity or leaf certificate is any certificate that cannot sign other certificates. For instance, TLS/SSL server and client certificates, email certificates, code signing certificates, and qualified certificates are all end-entity certificates.
=== Self-signed certificate ===

{{Main article|Self-signed certificate}}
=== Subject Alternative Name certificate ===
A certificate with a subject that matches its issuer, and a signature that can be verified by its own public key. Most types of certificate can be self-signed. Self-signed certificates are also often called '''] certificates''' to emphasize their untrustworthiness.
]]]
Subject Alternative Name (SAN) certificates are an ] to ] that allows various values to be associated with a security certificate using a <code>subjectAltName</code> field.<ref>{{cite web
| url=https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Subject-Alternative-Name
| title=x509v3_config - X509 V3 certificate extension configuration format
| publisher=]
| access-date=2020-01-16}}</ref> These values are called ''Subject Alternative Names'' (SANs). Names include:<ref>{{IETF RFC|5280}}: 4.2.1.6. Subject Alternative Name</ref>

* ]
* ]es
* ]s
* ]s: this is usually also provided as the Common Name ] within the Subject field of the main certificate.
* Directory names: alternative ] to that given in the Subject.
* Other names, given as a ''General Name'' or ''Universal Principal Name'': a registered ] followed by a value.

{{IETF RFC|2818}} (May 2000) specifies Subject Alternative Names as the preferred method of adding DNS names to certificates, deprecating the previous method of putting DNS names in the <code>commonName</code> field.<ref name="chrome58">{{cite web |url=https://developers.google.com/web/updates/2017/03/chrome-58-deprecations#remove_support_for_commonname_matching_in_certificates |title=Deprecations and Removals in Chrome 58 |last=Medley |first=Joseph |date=March 2017 |publisher=Google Inc. |access-date=2022-01-04 }}</ref> ] version 58 (March 2017) removed support for checking the <code>commonName</code> field at all, instead only looking at the SANs.<ref name="chrome58" />

As shown in the picture of Wikimedia's section on the right, the SAN field can contain wildcards.<ref>{{cite web|url=https://docs.digicert.com/en/certcentral/certificate-tools/certificate-lifecycle-automation-guides/certcentral-managed-automation/common-name--cn--for-a-wildcard-certificate.html |title=Common Name (CN) for a wildcard certificate |publisher=DigiCert Documentation}}</ref> Not all vendors support or endorse mixing wildcards into SAN certificates.<ref>{{cite web|url=https://www.thawte.com/resources/pdfs/Thawte_Multiuse_SSL_WP.pdf |title=Wildcard and SAN: Understanding Multi-Use SSL Certificates |date=2013 |publisher=]}}</ref>

===Wildcard certificate===
]: {{code|*}})]]

A public key certificate which uses an ] {{code|*}} (the <em>wildcard</em>) in its ] fragment is called a Wildcard certificate.
Through the use of {{code|*}}, a single certificate may be used for multiple ]s. It is commonly used for ] in ].

For example, a single wildcard certificate for {{code|https://*.example.com}} will secure all these subdomains on the {{code|https://*.example.com}} domain:

* {{code|payment.example.com}}
* {{code|contact.example.com}}
* {{code|login-secure.example.com}}
* {{code|www.example.com}}

Instead of getting separate certificates for subdomains, you can use a single certificate for all main domains and subdomains and reduce cost.<ref>{{cite web|title=Wildcard Certificate Explained in Simpler Terms|url=http://searchsecurity.techtarget.com/definition/wildcard-certificate|date = 23 May 2016}}</ref>

Because the wildcard only covers one level of subdomains (the asterisk doesn't match full stops),<ref>
{{cite web
| url= http://tools.ietf.org/html/rfc2818#page-5
| title= <nowiki>RFC 2818</nowiki> - HTTP Over TLS
| publisher= ]
| date= May 2000
| quote= *.a.com matches foo.a.com but not bar.foo.a.com.
| page= 5
| accessdate= 2014-12-15
}}
</ref> these domains would not be valid for the certificates:<ref>
{{cite IETF
| url= https://tools.ietf.org/html/rfc2595#page-3
| title= <nowiki>RFC 2595</nowiki> - Using TLS with IMAP, POP3 and ACAP
| publisher= ]
| date= June 1999
| quote= For example, *.example.com would match a.example.com, foo.example.com, etc. but would not match example.com.
| page= 3
| doi= 10.17487/RFC2595
| rfc=2595
| accessdate= 2014-12-15
| last1= Newman
| first1= C.
| doi-access= free
}}
</ref>
* {{code|test.login.example.com}}
* {{code|example.com}}
Note possible exceptions by CAs, for example wildcard-plus cert by DigiCert contains an automatic "Plus" property for the naked domain {{code|example.com}}.{{cn|date=September 2024}}

====Limitations====
Only a single level of ] matching is supported in accordance with {{IETF RFC|2818}}.<ref name=":0"></ref>

It is not possible to get a wildcard for an ].<ref>
{{cite web
| url= https://cabforum.org/wp-content/uploads/EV-V1_5_2Libre.pdf#page=16
| title= Guidelines For The Issuance And Management Of Extended Validation Certificates, Version 1.5.2
| publisher= CA/Browser Forum
| quote= Wildcard certificates are not allowed for EV Certificates.
| page= 10
| date=2014-10-16
| accessdate= 2014-12-15
}}
</ref> A workaround could be to add every virtual host name in the ] (SAN) extension,<ref></ref><ref></ref> the major problem being that the certificate needs to be reissued whenever a new virtual server is added. (See '']'' for more information.)

Wildcards can be added as domains in multi-domain certificates or ]s (UCC). In addition, wildcards themselves can have {{code|subjectAltName}} extensions, including other wildcards. For example, the wildcard certificate {{code|*.wikipedia.org}} has {{code|*.m.wikimedia.org}} as a Subject Alternative Name. Thus it secures {{code|www.wikipedia.org}} as well as the completely different website name {{code|meta.m.wikimedia.org}}.<ref></ref>

{{IETF RFC|6125}} argues against wildcard certificates on security grounds, in particular "partial wildcards".<ref>
{{cite IETF
| url= https://tools.ietf.org/html/rfc6125#section-7.2
| date= March 2011
| publisher= ]
| title= RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)
| quote= This document states that the wildcard character '*' SHOULD NOT be included in presented identifiers but MAY be checked by application clients (mainly for the sake of backward compatibility with deployed infrastructure). Several security considerations justify tightening the rules:
| page= 31
| doi= 10.17487/RFC6125
| rfc=6125
| accessdate= 2014-12-10
| last1= Saint-Andre
| first1= P.
| last2= Hodges
| first2= J.
| doi-access= free}}
</ref>

====Further examples====
The wildcard applies only to one level of the domain name. {{code|*.example.com}} matches {{code|sub1.example.com}} but not {{code|example.com}} and not {{code|sub2.sub1.domain.com}}

The wildcard may appear anywhere inside a label as a "partial wildcard" according to early specifications<ref>{{Cite IETF |url=https://tools.ietf.org/html/rfc2818.html |title=RFC 2818 - HTTP Over TLS |last1=Rescorla |first1=E. |date=May 2000 |website=tools.ietf.org |doi=10.17487/RFC2818 |rfc=2818 |language=en |accessdate=2019-04-20}}</ref>

:{{code|f*.domain.com}} is OK. It will match {{code|frog.domain.com}} but not {{code|frog.super.domain.com}}

:{{code|baz*.example.net}} is OK and matches {{code|baz1.example.net}}
:{{code|*baz.example.net}} is OK and matches {{code|foobaz.example.net}}
:{{code|b*z.example.net}} is OK and matches {{code|buzz.example.net}}

However, use of "partial-wildcard" certs is not recommended. As of 2011, partial wildcard support is optional, and is explicitly disallowed in SubjectAltName headers that are required for multi-name certificates.<ref>{{Cite IETF |url=https://tools.ietf.org/html/rfc6125.html |title=RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS) |last1 = Saint-Andre |first1 = P. |last2 = Hodges|first2 = J.|date=March 2011 |website=tools.ietf.org |doi=10.17487/RFC6125 |rfc=6125 |language=en |access-date=2019-04-20|doi-access=free }}</ref> All major browsers have deliberately '''removed''' support for partial-wildcard certificates;<ref>{{cite web |url=https://codereview.chromium.org/762013002 |title=Disallow support for a*.example.net, *a.example.net, and a*b.example.net in certificate wildcard handling |publisher=The Chromium Projects, Google Inc.|date=3 December 2014 |accessdate=21 October 2020}}</ref><ref>{{cite web |url=https://bugzilla.mozilla.org/show_bug.cgi?id=1107791 |title=Limit wildcard DNS ID support to names of the form *.example.com (not foo*.example.com) |publisher=The Mozilla Foundation |date=10 December 2014 |accessdate=21 October 2020}}</ref> they will result in a "SSL_ERROR_BAD_CERT_DOMAIN" error. Similarly, it is typical for standard libraries in programming languages to not support "partial-wildcard" certificates. For example, any "partial-wildcard" certificate will not work with the latest versions of both Python<ref>{{cite web |url=https://bugs.python.org/issue23033 |title=Disallow support for a*.example.net, *a.example.net, and a*b.example.net in certificate wildcard handling |publisher=The Python Software Foundation |date=26 November 2017 |accessdate=21 October 2020}}</ref> and Go. Thus,

Do not allow a label that consists entirely of just a wildcard unless it is the left-most label
:''{{code|sub1.*.domain.com}}'' is not allowed.

A cert with multiple wildcards in a name is not allowed.
:{{code|*.*.domain.com}}

A cert with {{code|*}} plus a top-level domain is not allowed.
:{{code|*.com}}

Too general and should not be allowed.
:{{code|*}}

International domain names encoded in ASCII (A-label) are labels that are ] and begin with {{code|xn--}}. URLs with international labels cannot contain wildcards.<ref>{{cite web|url=https://docs.digicert.com/en/certcentral/manage-certificates/public-certificates---data-entries-that-violate-industry-standards.html#idp433257 |title=Restrictions on data entries for public certificates |publisher=] Documentation}}</ref>
:{{code|xn--caf-dma.com}} is {{code|café.com}}
:{{code|xn--caf-dma*.com}} is not allowed
:{{code|Lw*.xn--caf-dma.com}} is allowed

=== Other certificates ===

* EMV certificate: ] is a payment method based on a technical standard for ], ] and ] (ATM). EMV payment cards are preloaded with a card issuer certificate, signed by the EMV certificate authority<ref name="Certs">{{cite web|url=https://emvca.com/index.html#EMV-CA|title=EMV CA|date=2 December 2010|publisher=EMV Certificate Authority Worldwide|access-date=January 20, 2020|archive-date=4 July 2020|archive-url=https://web.archive.org/web/20200704133359/https://emvca.com/index.html#EMV-CA|url-status=live}}</ref> to validate authenticity of the payment card during the payment transaction.
* ]: Certificates can validate ] (or their ]) to ensure they were not tampered with during delivery.
* ]: A certificate identifying an individual, typically for ] purposes. These are most commonly used in Europe, where the ] regulation standardizes them and requires their recognition.
* Role-based certificate: Defined in the ''] Certificate Policy for the Federal Bridge Certification Authority (FBCA)'', role-based certificates "identify a specific role on behalf of which the subscriber is authorized to act rather than the subscriber’s name and are issued in the interest of supporting accepted business practices."<ref>{{Cite web |url=https://www.idmanagement.gov/wp-content/uploads/sites/1171/uploads/fpki-x509-cert-policy-fbca.pdf |title=X.509 Certificate Policy For The Federal Bridge Certification Authority (FBCA) |access-date=2021-05-07 |archive-date=2021-03-18 |archive-url=https://web.archive.org/web/20210318002502/https://www.idmanagement.gov/wp-content/uploads/sites/1171/uploads/fpki-x509-cert-policy-fbca.pdf |url-status=live }}</ref>
* Group certificate: Defined in the ''] Certificate Policy for the Federal Bridge Certification Authority (FBCA)'', for "cases where there are several entities acting in one capacity, and where non-repudiation for transactions is not desired."<ref>{{Cite web |url=https://www.idmanagement.gov/wp-content/uploads/sites/1171/uploads/fpki-x509-cert-policy-fbca.pdf |title=X.509 Certificate Policy For The Federal Bridge Certification Authority (FBCA) |access-date=2021-05-07 |archive-date=2021-03-18 |archive-url=https://web.archive.org/web/20210318002502/https://www.idmanagement.gov/wp-content/uploads/sites/1171/uploads/fpki-x509-cert-policy-fbca.pdf |url-status=live }}</ref>


==Common fields== ==Common fields==
{{see also|X.509#Structure of a certificate}}These are some of the most common fields in certificates. Most certificates contain a number of fields not listed here. Note that in terms of a certificate's X.509 representation, a certificate is not "flat" but contains these fields nested in various structures within the certificate. {{See also|X.509#Structure of a certificate}}These are some of the most common fields in certificates. Most certificates contain a number of fields not listed here. Note that in terms of a certificate's X.509 representation, a certificate is not "flat" but contains these fields nested in various structures within the certificate.
* '''Serial Number''': Used to uniquely identify the certificate within a CA's systems. In particular this is used to track revocation information. * ''Serial Number'': Used to uniquely identify the certificate within a CA's systems. In particular this is used to track revocation information.
* '''Subject''': The entity a certificate belongs to: a machine, an individual, or an organization. * ''Subject'': The entity a certificate belongs to: a machine, an individual, or an organization.
* '''Issuer''': The entity that verified the information and signed the certificate. * ''Issuer'': The entity that verified the information and signed the certificate.
* '''Not Before''': The earliest time and date on which the certificate is valid. Usually set to a few hours or days prior to the moment the certificate was issued, to avoid ] problems. * ''Not Before'': The earliest time and date on which the certificate is valid. Usually set to a few hours or days prior to the moment the certificate was issued, to avoid ] problems.
* '''Not After''': The time and date past which the certificate is no longer valid. * ''Not After'': The time and date past which the certificate is no longer valid.
* '''Key Usage''': The valid cryptographic uses of the certificate's public key. Common values include digital signature validation, key encipherment, and certificate signing. * ''Key Usage'': The valid cryptographic uses of the certificate's public key. Common values include digital signature validation, key encipherment, and certificate signing.
* '''Extended Key Usage''': The applications in which the certificate may be used. Common values include TLS server authentication, email protection, and code signing. * ''Extended Key Usage'': The applications in which the certificate may be used. Common values include TLS server authentication, email protection, and code signing.
* '''Public Key''': A public key belonging to the certificate subject. * ''Public Key'': A public key belonging to the certificate subject.
* '''Signature Algorithm''': The algorithm used to ] the public key certificate. * ''Signature Algorithm'': This contain a hashing algorithm and a digital signature algorithm. For example "sha256RSA" where sha256 is the hashing algorithm and RSA is the signature algorithm.
* '''Signature''': A signature of the certificate body by the issuer's private key. * ''Signature'': The body of the certificate is hashed (hashing algorithm in "Signature Algorithm" field is used) and then the hash is signed (signature algorithm in the "Signature Algorithm" field is used) with the issuer's private key.

===Example===
This is an example of a decoded SSL/TLS certificate retrieved from SSL.com's website. The issuer's common name (CN) is shown as <code>SSL.com EV SSL Intermediate CA RSA R3</code>, identifying this as an ] (EV) certificate. Validated information about the website's owner (SSL Corp) is located in the <code>Subject</code> field. The <code>X509v3 Subject Alternative Name</code> field contains a list of domain names covered by the certificate. The <code>X509v3 Extended Key Usage</code> and <code>X509v3 Key Usage</code> fields show all appropriate uses.
<div class="plainlinks">
{{pre|1=
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
72:14:11:d3:d7:e0:fd:02:aa:b0:4e:90:09:d4:db:31
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Texas, L=Houston, O=SSL Corp, CN=SSL.com EV SSL Intermediate CA RSA R3
Validity
Not Before: Apr 18 22:15:06 2019 GMT
Not After : Apr 17 22:15:06 2021 GMT
Subject: C=US, ST=Texas, L=Houston, O=SSL Corp/serialNumber=NV20081614243, CN=www.ssl.com/postalCode=77098/businessCategory=Private Organization/street=3100 Richmond Ave/jurisdictionST=Nevada/jurisdictionC=US
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:ad:0f:ef:c1:97:5a:9b:d8:1e ...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:BF:C1:5A:87:FF:28:FA:41:3D:FD:B7:4F:E4:1D:AF:A0:61:58:29:BD

Authority Information Access:
CA Issuers - URI:http://www.ssl.com/repository/SSLcom-SubCA-EV-SSL-RSA-4096-R3.crt
OCSP - URI:http://ocsps.ssl.com

X509v3 Subject Alternative Name:
DNS:www.ssl.com, DNS:answers.ssl.com, DNS:faq.ssl.com, DNS:info.ssl.com, DNS:links.ssl.com, DNS:reseller.ssl.com, DNS:secure.ssl.com, DNS:ssl.com, DNS:support.ssl.com, DNS:sws.ssl.com, DNS:tools.ssl.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.1
Policy: 1.2.616.1.113527.2.5.1.1
Policy: 1.3.6.1.4.1.38064.1.1.1.5
CPS: https://www.ssl.com/repository

X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 CRL Distribution Points:

Full Name:
URI:http://crls.ssl.com/SSLcom-SubCA-EV-SSL-RSA-4096-R3.crl

X509v3 Subject Key Identifier:
E7:37:48:DE:7D:C2:E1:9D:D0:11:25:21:B8:00:33:63:06:27:C1:5B
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 87:75:BF:E7:59:7C:F8:8C:43:99 ...
Timestamp : Apr 18 22:25:08.574 2019 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:40:51:53:90:C6:A2 ...
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : A4:B9:09:90:B4:18:58:14:87:BB ...
Timestamp : Apr 18 22:25:08.461 2019 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:43:80:9E:19:90:FD ...
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 55:81:D4:C2:16:90:36:01:4A:EA ...
Timestamp : Apr 18 22:25:08.769 2019 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:C1:3E:9F:F0:40 ...
Signature Algorithm: sha256WithRSAEncryption
36:07:e7:3b:b7:45:97:ca:4d:6c ...
}}
</div>


==Usage in the European Union== ==Usage in the European Union==
In the European Union, ]s on legal documents are commonly performed using ]s with accompanying identity certificates. This is largely because such signatures are granted the same enforceability as handwritten signatures under ], an ]. In the European Union, ] on legal documents are commonly performed using ]s with accompanying identity certificates. However, only ]s (which require using a qualified trust service provider and signature creation device) are given the same power as a physical signature.


==Certificate authorities== ==Certificate authorities==
{{Main article|Certificate authority}} {{Main|Certificate authority}}
] ]
In the ] trust model, a certificate authority (CA) is responsible for signing certificates. These certificates act as an introduction between two parties, which means that a CA acts as a trusted third party. A CA processes requests from people or organizations requesting certificates (called subscribers), verifies the information, and potentially signs an end-entity certificate based on that information. To perform this role effectively, a CA needs to have one or more broadly trusted root certificates or intermediate certificates and the corresponding private keys. CAs may achieve this broad trust by having their root certificates included in popular software, or by obtaining a cross-signature from another CA delegating trust. Other CAs are trusted within a relatively small community, like a business, and are distributed by other mechanisms like Windows ]. In the ] trust model, a certificate authority (CA) is responsible for signing certificates. These certificates act as an introduction between two parties, which means that a CA acts as a trusted third party. A CA processes requests from people or organizations requesting certificates (called subscribers), verifies the information, and potentially signs an end-entity certificate based on that information. To perform this role effectively, a CA needs to have one or more broadly trusted root certificates or intermediate certificates and the corresponding private keys. CAs may achieve this broad trust by having their root certificates included in popular software, or by obtaining a cross-signature from another CA delegating trust. Other CAs are trusted within a relatively small community, like a business, and are distributed by other mechanisms like Windows ].


Certificate authorities are also responsible for maintaining up-to-date revocation information about certificates they have issued, indicating whether certificates are still valid. They provide this information through ] (OCSP) and/or Certificate Revocation Lists (CRLs). Certificate authorities are also responsible for maintaining up-to-date revocation information about certificates they have issued, indicating whether certificates are still valid. They provide this information through ] (OCSP) and/or Certificate Revocation Lists (CRLs). Some of the larger certificate authorities in the market include ], ], and ].<ref>{{Cite web|title=Usage Statistics and Market Share of SSL Certificate Authorities for Websites, May 2020|url=https://w3techs.com/technologies/overview/ssl_certificate|website=w3techs.com|access-date=2020-05-01|archive-date=2022-06-30|archive-url=https://web.archive.org/web/20220630123456/https://w3techs.com/technologies/overview/ssl_certificate|url-status=live}}</ref>


== Root programs == == Root programs ==
Some major software contains a list of certificate authorities that are trusted by default. This makes it easier for end-users to validate certificates, and easier for people or organizations that request certificates to know which certificate authorities can issue a certificate that will be broadly trusted. This is particularly important in HTTPS, where a web site operator generally wants to get a certificate that is trusted by nearly all potential visitors to their web site. Some major software contain a list of certificate authorities that are trusted by default.{{Citation needed|date=September 2022}} This makes it easier for end-users to validate certificates, and easier for people or organizations that request certificates to know which certificate authorities can issue a certificate that will be broadly trusted. This is particularly important in HTTPS, where a web site operator generally wants to get a certificate that is trusted by nearly all potential visitors to their web site.


The policies and processes a provider uses to decide which certificate authorities their software should trust are called root programs. The most influential root programs are: The policies and processes a provider uses to decide which certificate authorities their software should trust are called root programs. The most influential root programs are:{{Citation needed|date=September 2022}}
* *
* *
Line 73: Line 288:
* Adobe Adobe Approved Trust List and root programs (used for document signing) * Adobe Adobe Approved Trust List and root programs (used for document signing)


Browsers other than Firefox generally use the operating system's facilities to decide which certificate authorities are trusted. So, for instance, Chrome on Windows trusts the certificate authorities included in the Microsoft Root Program, while on macOS or iOS, Chrome trusts the certificate authorities in the Apple Root Program.<ref>{{Cite web|url=https://www.chromium.org/Home/chromium-security/root-ca-policy|title=Root Certificate Policy – The Chromium Projects|website=www.chromium.org|access-date=2017-03-19}}</ref> Edge and Safari use their respective operating system trust stores as well, but each is only available on a single OS. Firefox uses the Mozilla Root Program trust store on all platforms. Browsers other than Firefox generally use the operating system's facilities to decide which certificate authorities are trusted. So, for instance, Chrome on Windows trusts the certificate authorities included in the Microsoft Root Program, while on macOS or iOS, Chrome trusts the certificate authorities in the Apple Root Program.<ref>{{Cite web|url=https://www.chromium.org/Home/chromium-security/root-ca-policy|title=Root Certificate Policy – The Chromium Projects|website=www.chromium.org|access-date=2017-03-19|archive-date=2017-03-20|archive-url=https://web.archive.org/web/20170320053911/https://www.chromium.org/Home/chromium-security/root-ca-policy|url-status=live}}</ref> Edge and Safari use their respective operating system trust stores as well, but each is only available on a single OS. Firefox uses the Mozilla Root Program trust store on all platforms.


The Mozilla Root Program is operated publicly, and its certificate list is part of the ] Firefox web browser, so it is broadly used outside Firefox. For instance, while there is no common Linux Root Program, many Linux distributions, like Debian,<ref>{{Cite web|url=https://launchpad.net/ca-certificates|title=ca-certificates in Launchpad|website=launchpad.net|language=en|access-date=2017-03-19}}</ref> include a package that periodically copies the contents of the Firefox trust list, which is then used by applications. The Mozilla Root Program is operated publicly, and its certificate list is part of the ] Firefox web browser, so it is broadly used outside Firefox.{{Citation needed|date=September 2022}} For instance, while there is no common Linux Root Program, many Linux distributions, like Debian,<ref>{{Cite web|url=https://launchpad.net/ca-certificates|title=ca-certificates in Launchpad|website=launchpad.net|date=30 April 2010 |language=en|access-date=2017-03-19|archive-date=2017-03-20|archive-url=https://web.archive.org/web/20170320055526/https://launchpad.net/ca-certificates|url-status=live}}</ref> include a package that periodically copies the contents of the Firefox trust list, which is then used by applications.


Root programs generally provide a set of valid purposes with the certificates they include. For instance, some CAs may be considered trusted for issuing TLS server certificates, but not for code signing certificates. This is indicated with a set of trust bits in a root certificate storage system. Root programs generally provide a set of valid purposes with the certificates they include. For instance, some CAs may be considered trusted for issuing TLS server certificates, but not for code signing certificates. This is indicated with a set of trust bits in a root certificate storage system.


==Revocation==
==Certificates and website security==
{{main|Certificate revocation}}
A certificate may be revoked before it expires, which signals that it is no longer valid. Without revocation, an attacker would be able to exploit such a compromised or misissued certificate until expiry.{{sfn|Smith|Dickinson|Seamons|2020|p=1}} Hence, revocation is an important part of a ].{{sfn|Sheffer|Saint-Andre|Fossati|2022|loc=7.5. Certificate Revocation}} Revocation is performed by the issuing ], which produces a ] statement of revocation.{{sfn|Chung|Lok|Chandrasekaran|Choffnes|2018|p=3}}

For distributing revocation information to clients, timeliness of the discovery of revocation (and hence the window for an attacker to exploit a compromised certificate) trades off against resource usage in querying revocation statuses and privacy concerns.{{sfn|Smith|Dickinson|Seamons|2020|p=10}} If revocation information is unavailable (either due to accident or an attack), clients must decide whether to ''fail-hard'' and treat a certificate as if it is revoked (and so degrade ]) or to ''fail-soft'' and treat it as unrevoked (and allow attackers to sidestep revocation).{{sfn|Larisch|Choffnes|Levin|Maggs|2017|p=542}}

Due to the cost of revocation checks and the availability impact from potentially-unreliable remote services, ] limit the revocation checks they will perform, and will fail-soft where they do.{{sfn|Smith|Dickinson|Seamons|2020|p=1-2}} ] are too bandwidth-costly for routine use, and the ] presents connection latency and privacy issues. Other schemes have been proposed but have not yet been successfully deployed to enable fail-hard checking.{{sfn|Sheffer|Saint-Andre|Fossati|2022|loc=7.5. Certificate Revocation}}

==Website security==


The most common use of certificates is for ]-based web sites. A ] validates that an HTTPS ] is authentic, so that the user can feel secure that his/her interaction with the ] has no eavesdroppers and that the web site is who it claims to be. This security is important for ]. In practice, a web site operator obtains a certificate by applying to a certificate authority with a ]. The certificate request is an electronic document that contains the web site name, company information and the public key. The certificate provider signs the request, thus producing a public certificate. During web browsing, this public certificate is served to any web browser that connects to the web site and proves to the web browser that the provider believes it has issued a certificate to the owner of the web site. The most common use of certificates is for ]-based web sites. A ] validates that an HTTPS ] is authentic, so that the user can feel secure that his/her interaction with the ] has no eavesdroppers and that the web site is who it claims to be. This security is important for ]. In practice, a web site operator obtains a certificate by applying to a certificate authority with a ]. The certificate request is an electronic document that contains the web site name, company information and the public key. The certificate provider signs the request, thus producing a public certificate. During web browsing, this public certificate is served to any web browser that connects to the web site and proves to the web browser that the provider believes it has issued a certificate to the owner of the web site.


As an example, when a user connects to <code><nowiki>https://www.example.com/</nowiki></code> with their browser, if the browser does not give any certificate warning message, then the user can be theoretically sure that interacting with <code><nowiki>https://www.example.com/</nowiki></code> is equivalent to interacting with the entity in contact with the email address listed in the public registrar under "example.com", even though that email address may not be displayed anywhere on the web site. No other surety of any kind is implied. Further, the relationship between the purchaser of the certificate, the operator of the web site, and the generator of the web site content may be tenuous and is not guaranteed. At best, the certificate guarantees uniqueness of the web site, provided that the web site itself has not been compromised (hacked) or the certificate issuing process subverted. As an example, when a user connects to <code><nowiki>https://www.example.com/</nowiki></code> with their browser, if the browser does not give any certificate warning message, then the user can be theoretically sure that interacting with <code><nowiki>https://www.example.com/</nowiki></code> is equivalent to interacting with the entity in contact with the email address listed in the public registrar under "example.com", even though that email address may not be displayed anywhere on the web site.{{Citation needed|date=September 2022}} No other surety of any kind is implied. Further, the relationship between the purchaser of the certificate, the operator of the web site, and the generator of the web site content may be tenuous and is not guaranteed.{{Citation needed|date=September 2022}} At best, the certificate guarantees uniqueness of the web site, provided that the web site itself has not been compromised (hacked) or the certificate issuing process subverted.


A certificate provider can opt to issue three types of certificates, each requiring its own degree of vetting rigor. In order of increasing rigor (and naturally, cost) they are: Domain Validation, Organization Validation and Extended Validation. These rigors are loosely agreed upon by voluntary participants in the ]. A certificate provider can opt to issue three types of certificates, each requiring its own degree of vetting rigor. In order of increasing rigor (and naturally, cost) they are: Domain Validation, Organization Validation and Extended Validation. These rigors are loosely agreed upon by voluntary participants in the ].{{Citation needed|date=September 2022}}


=== Validation levels === === Validation levels ===


====Domain validation==== ====Domain validation====
{{Main article|Domain-validated certificate}} {{Main|Domain-validated certificate}}
A certificate provider will issue a Domain Validation (DV) class certificate to a purchaser if the purchaser can demonstrate one vetting criterion: the right to administratively manage a domain name. A certificate provider will issue a domain-validated (DV) certificate to a purchaser if the purchaser can demonstrate one vetting criterion: the right to administratively manage the affected DNS domain(s).


====Organization validation==== ====Organization validation====


A certificate provider will issue an Organization Validation (OV) class certificate to a purchaser if the purchaser can meet two criteria: the right to administratively manage the domain name in question, and perhaps, the organization's actual existence as a legal entity. A certificate provider publishes its OV vetting criteria through its ]. A certificate provider will issue an organization validation (OV) class certificate to a purchaser if the purchaser can meet two criteria: the right to administratively manage the domain name in question, and perhaps, the organization's actual existence as a legal entity. A certificate provider publishes its OV vetting criteria through its ].


====Extended validation==== ====Extended validation====
{{Main article|Extended Validation Certificate}} {{Main|Extended Validation Certificate}}
To acquire an ] (EV) certificate, the purchaser must persuade the certificate provider of its legal identity, including manual verification checks by a human. As with OV certificates, a certificate provider publishes its EV vetting criteria through its ]. To acquire an ] (EV) certificate, the purchaser must persuade the certificate provider of its legal identity, including manual verification checks by a human. As with OV certificates, a certificate provider publishes its EV vetting criteria through its ].


Until 2019, major browsers such as Chrome and Firefox generally offered users a visual indication of the legal identity when a site presented an EV certificate. This was done by showing the legal name before the domain, and a bright green color to highlight the change. Most browsers deprecated this feature<ref>{{Cite web|url=https://groups.google.com/forum/m/?fromgroups&hl=en#!topic/firefox-dev/6wAg_PpnlY4|title=Firefox-dev Google group - Intent to Ship: Move Extended Validation Information out of the URL bar|website=groups.google.com|access-date=2020-08-03|archive-date=2020-08-12|archive-url=https://web.archive.org/web/20200812031241/https://groups.google.com/forum/m/?hl=en&fromgroups#!topic/firefox-dev/6wAg_PpnlY4|url-status=live}}</ref><ref>{{Cite web|url=https://groups.google.com/a/chromium.org/forum/m/#!msg/security-dev/h1bTcoTpfeI/jUTk1z7VAAAJ|title=Chrome Security-dev Google group - Upcoming Change to Chrome's Identity Indicators|website=groups.google.com|access-date=2020-08-03|archive-date=2020-06-07|archive-url=https://web.archive.org/web/20200607075453/https://groups.google.com/a/chromium.org/forum/m/#!msg/security-dev/h1bTcoTpfeI/jUTk1z7VAAAJ|url-status=live}}</ref> providing no visual difference to the user on the type of certificate used. This change followed security concerns raised by forensic experts and successful attempts to purchase EV certificates to impersonate famous organizations, proving the inefficiency of these visual indicators and highlighting potential abuses.<ref>{{Cite web|url=https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/|title=Extended Validation Certificates are (Really, Really) Dead|website=troyhunt.com|date=12 August 2019|access-date=2020-08-03|archive-date=2020-07-16|archive-url=https://web.archive.org/web/20200716132825/https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/|url-status=live}}</ref>
Browsers will generally offer users a visual indication of the legal identity when a site presents an EV certificate. Most browsers show the legal name before the domain, and use a bright green color to highlight the change. In this way, the user can see the legal identity of the owner has been verified.


===Weaknesses=== ===Weaknesses===


A ] will give no warning to the user if a web site suddenly presents a different certificate, even if that certificate has a lower number of key bits, even if it has a different provider, and even if the previous certificate had an expiry date far into the future.{{Citation needed|date=April 2012}} However a change from an EV certificate to a non-EV certificate will be apparent as the green bar will no longer be displayed. Where certificate providers are under the jurisdiction of governments, those governments may have the freedom to order the provider to generate any certificate, such as for the purposes of law enforcement. Subsidiary wholesale certificate providers also have the freedom to generate any certificate. A ] will give no warning to the user if a web site suddenly presents a different certificate, even if that certificate has a lower number of key bits, even if it has a different provider, and even if the previous certificate had an expiry date far into the future.{{Citation needed|date=April 2012}} Where certificate providers are under the jurisdiction of governments, those governments may have the freedom to order the provider to generate any certificate, such as for the purposes of law enforcement. Subsidiary wholesale certificate providers also have the freedom to generate any certificate.


All web browsers come with an extensive built-in list of trusted ]s, many of which are controlled by organizations that may be unfamiliar to the user.<ref>{{cite web|title=List of certificates included by Mozilla|url=https://www.mozilla.org/projects/security/certs/included/|publisher=Mozilla.org|accessdate=30 July 2012}}</ref> Each of these organizations is free to issue any certificate for any web site and have the guarantee that web browsers that include its root certificates will accept it as genuine. In this instance, end users must rely on the developer of the browser software to manage its built-in list of certificates and on the certificate providers to behave correctly and to inform the browser developer of problematic certificates. While uncommon, there have been incidents in which fraudulent certificates have been issued: in some cases, the browsers have detected the fraud; in others, some time passed before browser developers removed these certificates from their software.<ref>{{cite web|title=DigiNotar removal by Mozilla|url=https://blog.mozilla.org/security/2011/09/02/diginotar-removal-follow-up/|publisher=Mozilla.org|accessdate=30 July 2012}}</ref><ref>{{cite web|title=DigitNotar removal by Google|url=http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html|publisher=Google.com|accessdate=30 July 2012}}</ref> All web browsers come with an extensive built-in list of trusted ]s, many of which are controlled by organizations that may be unfamiliar to the user.<ref name=":0">{{cite web|title=List of certificates included by Mozilla|url=https://www.mozilla.org/projects/security/certs/included/|publisher=Mozilla.org|access-date=30 July 2012|archive-date=3 August 2012|archive-url=https://web.archive.org/web/20120803105538/http://www.mozilla.org/projects/security/certs/included/|url-status=live}}</ref> Each of these organizations is free to issue any certificate for any web site and have the guarantee that web browsers that include its root certificates will accept it as genuine. In this instance, end users must rely on the developer of the browser software to manage its built-in list of certificates and on the certificate providers to behave correctly and to inform the browser developer of problematic certificates. While uncommon, there have been incidents in which fraudulent certificates have been issued: in some cases, the browsers have detected the fraud; in others, some time passed before browser developers removed these certificates from their software.<ref>{{cite web|title=DigiNotar removal by Mozilla|date=2 September 2011 |url=https://blog.mozilla.org/security/2011/09/02/diginotar-removal-follow-up/|publisher=Mozilla.org|access-date=30 July 2012|archive-date=3 June 2012|archive-url=https://web.archive.org/web/20120603095436/http://blog.mozilla.org/security/2011/09/02/diginotar-removal-follow-up/|url-status=live}}</ref><ref>{{cite web|title=DigitNotar removal by Google|url=http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html|access-date=30 July 2012|archive-date=13 September 2011|archive-url=https://web.archive.org/web/20110913024152/http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html|url-status=live}}</ref>


The list of built-in certificates is also not limited to those provided by the browser developer: users (and to a degree applications) are free to extend the list for special purposes such as for company intranets.<ref>{{cite web|title=Using certificates article at Mozilla.org|url=https://www.mozilla.org/projects/security/pki/psm/help_21/using_certs_help.html|publisher=Mozilla.org|accessdate=30 July 2012}}</ref> This means that if someone gains access to a machine and can install a new root certificate in the browser, that browser will recognize websites that use the inserted certificate as legitimate. The list of built-in certificates is also not limited to those provided by the browser developer: users (and to a degree applications) are free to extend the list for special purposes such as for company intranets.<ref>{{cite web|title=Using certificates article at Mozilla.org|url=https://www.mozilla.org/projects/security/pki/psm/help_21/using_certs_help.html|publisher=Mozilla.org|access-date=30 July 2012|archive-date=12 July 2012|archive-url=https://web.archive.org/web/20120712233633/http://www.mozilla.org/projects/security/pki/psm/help_21/using_certs_help.html|url-status=live}}</ref> This means that if someone gains access to a machine and can install a new root certificate in the browser, that browser will recognize websites that use the inserted certificate as legitimate.


For ], this reliance on something external to the system has the consequence that any public key certification scheme has to rely on some special setup assumption, such as the existence of a ].<ref>Ran Canetti: Universally Composable Signature, Certification, and Authentication. CSFW 2004, http://eprint.iacr.org/2003/239</ref> For ], this reliance on something external to the system has the consequence that any public key certification scheme has to rely on some special setup assumption, such as the existence of a ].<ref>Ran Canetti: Universally Composable Signature, Certification, and Authentication. CSFW 2004, http://eprint.iacr.org/2003/239 {{Webarchive|url=https://web.archive.org/web/20090828160103/http://eprint.iacr.org/2003/239 |date=2009-08-28 }}</ref>


===Usefulness versus unsecured web sites=== ===Usefulness versus unsecured web sites===


In spite of the limitations described above, certificate-authenticated TLS is considered mandatory by all security guidelines whenever a web site hosts confidential information or performs material transactions. This is because, in practice, in spite of the ] described above, web sites secured by public key certificates are still more secure than unsecured ] web sites.<ref>{{cite journal |author=], ] |date={{date|2014-01-18}} |title=Replacing passwords on the Internet AKA post-Snowden Opportunistic Encryption |conference=W3C STRINT Workshop 2014 |url=https://www.w3.org/2014/strint/papers/46.pdf }}</ref> In spite of the limitations described above, certificate-authenticated TLS is considered mandatory by all security guidelines whenever a web site hosts confidential information or performs material transactions. This is because, in practice, in spite of the ] described above, web sites secured by public key certificates are still more secure than unsecured ] web sites.<ref>{{cite journal |author=], ] |date=18 January 2014 |title=Replacing passwords on the Internet AKA post-Snowden Opportunistic Encryption |url=https://www.w3.org/2014/strint/papers/46.pdf |access-date=15 November 2014 |archive-date=27 October 2014 |archive-url=https://web.archive.org/web/20141027134430/https://www.w3.org/2014/strint/papers/46.pdf |url-status=live }}</ref>


== Standards == == Standards ==
The National Institute of Standards and Technology(]) Computer Security Division<ref>{{Cite web|url=http://csrc.nist.gov/publications/PubsSPs.html|title=NIST Computer Security Publications – NIST Special Publications (SPs)|website=csrc.nist.gov|access-date=2016-06-19}}</ref> provides guidance documents for Public Key Certificates: The National Institute of Standards and Technology (]) Computer Security Division<ref>{{Cite web|url=http://csrc.nist.gov/publications/PubsSPs.html|title=NIST Computer Security Publications – NIST Special Publications (SPs)|website=csrc.nist.gov|access-date=2016-06-19|archive-date=2017-09-17|archive-url=https://web.archive.org/web/20170917101423/http://csrc.nist.gov/publications/PubsSPs.html|url-status=live}}</ref> provides guidance documents for public key certificates:
* SP 800-32 Introduction to Public Key Technology and the Federal PKI Infrastructure<ref>{{Cite web|url=http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-32.pdf|title=SP 800-32 Introduction to Public Key Technology and the Federal PKI Infrastructure|last=|first=|date=|website=|publisher=|archive-url=|archive-date=|dead-url=|access-date=}}</ref> * SP 800-32 Introduction to Public Key Technology and the Federal PKI Infrastructure<ref>{{Cite web|url=http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-32.pdf|title=SP 800-32 Introduction to Public Key Technology and the Federal PKI Infrastructure|publisher=National Institute of Standards and Technology|access-date=2016-06-19|archive-date=2018-06-05|archive-url=https://web.archive.org/web/20180605104516/https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-32.pdf|url-status=live}}</ref>
* SP 800-25 Federal Agency Use of Public Key Technology for Digital Signatures and Authentication<ref>{{Cite web|url=http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-25.pdf|title=SP 800-25 Federal Agency Use of Public Key Technology for Digital Signatures and Authentication|last=|first=|date=|website=|publisher=|archive-url=|archive-date=|dead-url=|access-date=}}</ref> * SP 800-25 Federal Agency Use of Public Key Technology for Digital Signatures and Authentication<ref>{{Cite web |url=http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-25.pdf |title=SP 800-25 Federal Agency Use of Public Key Technology for Digital Signatures and Authentication |publisher=National Institute of Standards and Technology |access-date=2016-06-19 |archive-date=2018-06-02 |archive-url=https://web.archive.org/web/20180602102217/https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-25.pdf |url-status=live }}</ref>


==See also== ==See also==
* ] *]
*]
* ] or ] or ] or ]
* ]


==References== ==References==
{{Reflist}}
<references />

==Works cited==
* {{ Cite book | doi = 10.1145/3278532.3278543 | chapter-url = https://taejoong.github.io/pubs/publications/chung-2018-ocsp.pdf | chapter = Is the Web Ready for OCSP Must-Staple? | title = Proceedings of the Internet Measurement Conference 2018 | year = 2018 | last1 = Chung | first1 = Taejoong | last2 = Lok | first2 = Jay | last3 = Chandrasekaran | first3 = Balakrishnan | last4 = Choffnes | first4 = David | last5 = Levin | first5 = Dave | last6 = Maggs | first6 = Bruce M. | last7 = Mislove | first7 = Alan | last8 = Rula | first8 = John | last9 = Sullivan | first9 = Nick | last10 = Wilson | first10 = Christo | pages = 105–118 | isbn = 9781450356190 | s2cid = 53223350 }}
* {{ Cite book | doi = 10.1109/sp.2017.17 | doi-access = free | chapter = CRLite: A Scalable System for Pushing All TLS Revocations to All Browsers | title = 2017 IEEE Symposium on Security and Privacy (SP) | year = 2017 | last1 = Larisch | first1 = James | last2 = Choffnes | first2 = David | last3 = Levin | first3 = Dave | last4 = Maggs | first4 = Bruce M. | last5 = Mislove | first5 = Alan | last6 = Wilson | first6 = Christo | pages = 539–556 | isbn = 978-1-5090-5533-3 | s2cid = 3926509 }}
* {{ cite ietf | rfc = 9325 | last1 = Sheffer | first1 = Yaron | last2 = Saint-Andre | first2 = Pierre | last3 = Fossati | first3 = Thomas | date = November 2022 | title = Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) }}
* {{ Cite book | doi = 10.14722/ndss.2020.24084 | doi-access = free | chapter = Let's Revoke: Scalable Global Certificate Revocation | title = Proceedings 2020 Network and Distributed System Security Symposium | year = 2020 | last1 = Smith | first1 = Trevor | last2 = Dickinson | first2 = Luke | last3 = Seamons | first3 = Kent | isbn = 978-1-891562-61-7 | s2cid = 211268930 }}


{{SSL/TLS}} {{SSL/TLS}}
{{Authority control}}


] ]
] ]
]
] ]

Latest revision as of 22:43, 24 December 2024

Electronic document used to prove the ownership of a public key

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes the public key and information about it, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer). If the device examining the certificate trusts the issuer and finds the signature to be a valid signature of that issuer, then it can use the included public key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web.

In a typical public-key infrastructure (PKI) scheme, the certificate issuer is a certificate authority (CA), usually a company that charges customers a fee to issue certificates for them. By contrast, in a web of trust scheme, individuals sign each other's keys directly, in a format that performs a similar function to a public key certificate. In case of key compromise, a certificate may need to be revoked.

The most common format for public key certificates is defined by X.509. Because X.509 is very general, the format is further constrained by profiles defined for certain use cases, such as Public Key Infrastructure (X.509) as defined in RFC 5280.

Types of certificate

The roles of root certificate, intermediate certificate and end-entity certificate as in the chain of trust.

TLS/SSL server certificate

The Transport Layer Security (TLS) protocol – as well as its outdated predecessor, the Secure Sockets Layer (SSL) protocol – ensures that the communication between a client computer and a server is secure. The protocol requires the server to present a digital certificate, proving that it is the intended destination. The connecting client conducts certification path validation, ensuring that:

  1. The subject of the certificate matches the hostname (not to be confused with the domain name) to which the client is trying to connect.
  2. A trusted certificate authority has signed the certificate.

The Subject field of the certificate must identify the primary hostname of the server as the Common Name. The hostname must be publicly accessible, not using private addresses or reserved domains. A certificate may be valid for multiple hostnames (e.g., a domain and its subdomains). Such certificates are commonly called Subject Alternative Name (SAN) certificates or Unified Communications Certificates (UCC). These certificates contain the Subject Alternative Name field, though many CAs also put them into the Subject Common Name field for backward compatibility. If some of the hostnames contain an asterisk (*), a certificate may also be called a wildcard certificate.

Once the certification path validation is successful, the client can establish an encrypted connection with the server.

Internet-facing servers, such as public web servers, must obtain their certificates from a trusted, public certificate authority (CA).

TLS/SSL client certificate

Client certificates authenticate the client connecting to a TLS service, for instance to provide access control. Because most services provide access to individuals, rather than devices, most client certificates contain an email address or personal name rather than a hostname. In addition, the certificate authority that issues the client certificate is usually the service provider to which client connects because it is the provider that needs to perform authentication. Some service providers even offer free SSL certificates as part of their packages.

While most web browsers support client certificates, the most common form of authentication on the Internet is a username and password pair. Client certificates are more common in virtual private networks (VPN) and Remote Desktop Services, where they authenticate devices.

Email certificate

In accordance with the S/MIME protocol, email certificates can both establish the message integrity and encrypt messages. To establish encrypted email communication, the communicating parties must have their digital certificates in advance. Each must send the other one digitally signed email and opt to import the sender's certificate.

Some publicly trusted certificate authorities provide email certificates, but more commonly S/MIME is used when communicating within a given organization, and that organization runs its own CA, which is trusted by participants in that email system.

Self-signed and root certificates

Main articles: Root certificate and Self-signed certificate

A self-signed certificate is a certificate with a subject that matches its issuer, and a signature that can be verified by its own public key.

Self-signed certificates have their own limited uses. They have full trust value when the issuer and the sole user are the same entity. For example, the Encrypting File System on Microsoft Windows issues a self-signed certificate on behalf of the encrypting user and uses it to transparently decrypt data on the fly. The digital certificate chain of trust starts with a self-signed certificate, called a root certificate, trust anchor, or trust root. A certificate authority self-signs a root certificate to be able to sign other certificates.

An intermediate certificate has a similar purpose to the root certificate – its only use is to sign other certificates. However, an intermediate certificate is not self-signed. A root certificate or another intermediate certificate needs to sign it.

An end-entity or leaf certificate is any certificate that cannot sign other certificates. For instance, TLS/SSL server and client certificates, email certificates, code signing certificates, and qualified certificates are all end-entity certificates.

Subject Alternative Name certificate

An example of a Subject Alternative Name section for domain names owned by the Wikimedia Foundation

Subject Alternative Name (SAN) certificates are an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field. These values are called Subject Alternative Names (SANs). Names include:

RFC 2818 (May 2000) specifies Subject Alternative Names as the preferred method of adding DNS names to certificates, deprecating the previous method of putting DNS names in the commonName field. Google Chrome version 58 (March 2017) removed support for checking the commonName field at all, instead only looking at the SANs.

As shown in the picture of Wikimedia's section on the right, the SAN field can contain wildcards. Not all vendors support or endorse mixing wildcards into SAN certificates.

Wildcard certificate

An example of a wildcard certificate on comifuro.net (note the asterisk: *)

A public key certificate which uses an asterisk * (the wildcard) in its domain name fragment is called a Wildcard certificate. Through the use of *, a single certificate may be used for multiple sub-domains. It is commonly used for transport layer security in computer networking.

For example, a single wildcard certificate for https://*.example.com will secure all these subdomains on the https://*.example.com domain:

  • payment.example.com
  • contact.example.com
  • login-secure.example.com
  • www.example.com

Instead of getting separate certificates for subdomains, you can use a single certificate for all main domains and subdomains and reduce cost.

Because the wildcard only covers one level of subdomains (the asterisk doesn't match full stops), these domains would not be valid for the certificates:

  • test.login.example.com
  • example.com

Note possible exceptions by CAs, for example wildcard-plus cert by DigiCert contains an automatic "Plus" property for the naked domain example.com.

Limitations

Only a single level of subdomain matching is supported in accordance with RFC 2818.

It is not possible to get a wildcard for an Extended Validation Certificate. A workaround could be to add every virtual host name in the Subject Alternative Name (SAN) extension, the major problem being that the certificate needs to be reissued whenever a new virtual server is added. (See Transport Layer Security § Support for name-based virtual servers for more information.)

Wildcards can be added as domains in multi-domain certificates or Unified Communications Certificates (UCC). In addition, wildcards themselves can have subjectAltName extensions, including other wildcards. For example, the wildcard certificate *.wikipedia.org has *.m.wikimedia.org as a Subject Alternative Name. Thus it secures www.wikipedia.org as well as the completely different website name meta.m.wikimedia.org.

RFC 6125 argues against wildcard certificates on security grounds, in particular "partial wildcards".

Further examples

The wildcard applies only to one level of the domain name. *.example.com matches sub1.example.com but not example.com and not sub2.sub1.domain.com

The wildcard may appear anywhere inside a label as a "partial wildcard" according to early specifications

f*.domain.com is OK. It will match frog.domain.com but not frog.super.domain.com
baz*.example.net is OK and matches baz1.example.net
*baz.example.net is OK and matches foobaz.example.net
b*z.example.net is OK and matches buzz.example.net

However, use of "partial-wildcard" certs is not recommended. As of 2011, partial wildcard support is optional, and is explicitly disallowed in SubjectAltName headers that are required for multi-name certificates. All major browsers have deliberately removed support for partial-wildcard certificates; they will result in a "SSL_ERROR_BAD_CERT_DOMAIN" error. Similarly, it is typical for standard libraries in programming languages to not support "partial-wildcard" certificates. For example, any "partial-wildcard" certificate will not work with the latest versions of both Python and Go. Thus,

Do not allow a label that consists entirely of just a wildcard unless it is the left-most label

sub1.*.domain.com is not allowed.

A cert with multiple wildcards in a name is not allowed.

*.*.domain.com

A cert with * plus a top-level domain is not allowed.

*.com

Too general and should not be allowed.

*

International domain names encoded in ASCII (A-label) are labels that are ASCII-encoded and begin with xn--. URLs with international labels cannot contain wildcards.

xn--caf-dma.com is café.com
xn--caf-dma*.com is not allowed
Lw*.xn--caf-dma.com is allowed

Other certificates

  • EMV certificate: EMV is a payment method based on a technical standard for payment cards, payment terminals and automated teller machines (ATM). EMV payment cards are preloaded with a card issuer certificate, signed by the EMV certificate authority to validate authenticity of the payment card during the payment transaction.
  • Code-signing certificate: Certificates can validate apps (or their binaries) to ensure they were not tampered with during delivery.
  • Qualified certificate: A certificate identifying an individual, typically for electronic signature purposes. These are most commonly used in Europe, where the eIDAS regulation standardizes them and requires their recognition.
  • Role-based certificate: Defined in the X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA), role-based certificates "identify a specific role on behalf of which the subscriber is authorized to act rather than the subscriber’s name and are issued in the interest of supporting accepted business practices."
  • Group certificate: Defined in the X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA), for "cases where there are several entities acting in one capacity, and where non-repudiation for transactions is not desired."

Common fields

See also: X.509 § Structure of a certificate

These are some of the most common fields in certificates. Most certificates contain a number of fields not listed here. Note that in terms of a certificate's X.509 representation, a certificate is not "flat" but contains these fields nested in various structures within the certificate.

  • Serial Number: Used to uniquely identify the certificate within a CA's systems. In particular this is used to track revocation information.
  • Subject: The entity a certificate belongs to: a machine, an individual, or an organization.
  • Issuer: The entity that verified the information and signed the certificate.
  • Not Before: The earliest time and date on which the certificate is valid. Usually set to a few hours or days prior to the moment the certificate was issued, to avoid clock skew problems.
  • Not After: The time and date past which the certificate is no longer valid.
  • Key Usage: The valid cryptographic uses of the certificate's public key. Common values include digital signature validation, key encipherment, and certificate signing.
  • Extended Key Usage: The applications in which the certificate may be used. Common values include TLS server authentication, email protection, and code signing.
  • Public Key: A public key belonging to the certificate subject.
  • Signature Algorithm: This contain a hashing algorithm and a digital signature algorithm. For example "sha256RSA" where sha256 is the hashing algorithm and RSA is the signature algorithm.
  • Signature: The body of the certificate is hashed (hashing algorithm in "Signature Algorithm" field is used) and then the hash is signed (signature algorithm in the "Signature Algorithm" field is used) with the issuer's private key.

Example

This is an example of a decoded SSL/TLS certificate retrieved from SSL.com's website. The issuer's common name (CN) is shown as SSL.com EV SSL Intermediate CA RSA R3, identifying this as an Extended Validation (EV) certificate. Validated information about the website's owner (SSL Corp) is located in the Subject field. The X509v3 Subject Alternative Name field contains a list of domain names covered by the certificate. The X509v3 Extended Key Usage and X509v3 Key Usage fields show all appropriate uses.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            72:14:11:d3:d7:e0:fd:02:aa:b0:4e:90:09:d4:db:31
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Texas, L=Houston, O=SSL Corp, CN=SSL.com EV SSL Intermediate CA RSA R3
        Validity
            Not Before: Apr 18 22:15:06 2019 GMT
            Not After : Apr 17 22:15:06 2021 GMT
        Subject: C=US, ST=Texas, L=Houston, O=SSL Corp/serialNumber=NV20081614243, CN=www.ssl.com/postalCode=77098/businessCategory=Private Organization/street=3100 Richmond Ave/jurisdictionST=Nevada/jurisdictionC=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ad:0f:ef:c1:97:5a:9b:d8:1e ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:BF:C1:5A:87:FF:28:FA:41:3D:FD:B7:4F:E4:1D:AF:A0:61:58:29:BD
            Authority Information Access: 
                CA Issuers - URI:http://www.ssl.com/repository/SSLcom-SubCA-EV-SSL-RSA-4096-R3.crt
                OCSP - URI:http://ocsps.ssl.com
            X509v3 Subject Alternative Name: 
                DNS:www.ssl.com, DNS:answers.ssl.com, DNS:faq.ssl.com, DNS:info.ssl.com, DNS:links.ssl.com, DNS:reseller.ssl.com, DNS:secure.ssl.com, DNS:ssl.com, DNS:support.ssl.com, DNS:sws.ssl.com, DNS:tools.ssl.com
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.1
                Policy: 1.2.616.1.113527.2.5.1.1
                Policy: 1.3.6.1.4.1.38064.1.1.1.5
                  CPS: https://www.ssl.com/repository
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crls.ssl.com/SSLcom-SubCA-EV-SSL-RSA-4096-R3.crl
            X509v3 Subject Key Identifier: 
                E7:37:48:DE:7D:C2:E1:9D:D0:11:25:21:B8:00:33:63:06:27:C1:5B
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 87:75:BF:E7:59:7C:F8:8C:43:99 ...
                    Timestamp : Apr 18 22:25:08.574 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:40:51:53:90:C6:A2 ...
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : A4:B9:09:90:B4:18:58:14:87:BB ...
                    Timestamp : Apr 18 22:25:08.461 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:43:80:9E:19:90:FD ...
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 55:81:D4:C2:16:90:36:01:4A:EA ...
                    Timestamp : Apr 18 22:25:08.769 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:C1:3E:9F:F0:40 ...
    Signature Algorithm: sha256WithRSAEncryption
         36:07:e7:3b:b7:45:97:ca:4d:6c ...

Usage in the European Union

In the European Union, (advanced) electronic signatures on legal documents are commonly performed using digital signatures with accompanying identity certificates. However, only qualified electronic signatures (which require using a qualified trust service provider and signature creation device) are given the same power as a physical signature.

Certificate authorities

Main article: Certificate authority
The procedure of obtaining a Public key certificate

In the X.509 trust model, a certificate authority (CA) is responsible for signing certificates. These certificates act as an introduction between two parties, which means that a CA acts as a trusted third party. A CA processes requests from people or organizations requesting certificates (called subscribers), verifies the information, and potentially signs an end-entity certificate based on that information. To perform this role effectively, a CA needs to have one or more broadly trusted root certificates or intermediate certificates and the corresponding private keys. CAs may achieve this broad trust by having their root certificates included in popular software, or by obtaining a cross-signature from another CA delegating trust. Other CAs are trusted within a relatively small community, like a business, and are distributed by other mechanisms like Windows Group Policy.

Certificate authorities are also responsible for maintaining up-to-date revocation information about certificates they have issued, indicating whether certificates are still valid. They provide this information through Online Certificate Status Protocol (OCSP) and/or Certificate Revocation Lists (CRLs). Some of the larger certificate authorities in the market include IdenTrust, DigiCert, and Sectigo.

Root programs

Some major software contain a list of certificate authorities that are trusted by default. This makes it easier for end-users to validate certificates, and easier for people or organizations that request certificates to know which certificate authorities can issue a certificate that will be broadly trusted. This is particularly important in HTTPS, where a web site operator generally wants to get a certificate that is trusted by nearly all potential visitors to their web site.

The policies and processes a provider uses to decide which certificate authorities their software should trust are called root programs. The most influential root programs are:

Browsers other than Firefox generally use the operating system's facilities to decide which certificate authorities are trusted. So, for instance, Chrome on Windows trusts the certificate authorities included in the Microsoft Root Program, while on macOS or iOS, Chrome trusts the certificate authorities in the Apple Root Program. Edge and Safari use their respective operating system trust stores as well, but each is only available on a single OS. Firefox uses the Mozilla Root Program trust store on all platforms.

The Mozilla Root Program is operated publicly, and its certificate list is part of the open source Firefox web browser, so it is broadly used outside Firefox. For instance, while there is no common Linux Root Program, many Linux distributions, like Debian, include a package that periodically copies the contents of the Firefox trust list, which is then used by applications.

Root programs generally provide a set of valid purposes with the certificates they include. For instance, some CAs may be considered trusted for issuing TLS server certificates, but not for code signing certificates. This is indicated with a set of trust bits in a root certificate storage system.

Revocation

Main article: Certificate revocation

A certificate may be revoked before it expires, which signals that it is no longer valid. Without revocation, an attacker would be able to exploit such a compromised or misissued certificate until expiry. Hence, revocation is an important part of a public key infrastructure. Revocation is performed by the issuing certificate authority, which produces a cryptographically authenticated statement of revocation.

For distributing revocation information to clients, timeliness of the discovery of revocation (and hence the window for an attacker to exploit a compromised certificate) trades off against resource usage in querying revocation statuses and privacy concerns. If revocation information is unavailable (either due to accident or an attack), clients must decide whether to fail-hard and treat a certificate as if it is revoked (and so degrade availability) or to fail-soft and treat it as unrevoked (and allow attackers to sidestep revocation).

Due to the cost of revocation checks and the availability impact from potentially-unreliable remote services, Web browsers limit the revocation checks they will perform, and will fail-soft where they do. Certificate revocation lists are too bandwidth-costly for routine use, and the Online Certificate Status Protocol presents connection latency and privacy issues. Other schemes have been proposed but have not yet been successfully deployed to enable fail-hard checking.

Website security

The most common use of certificates is for HTTPS-based web sites. A web browser validates that an HTTPS web server is authentic, so that the user can feel secure that his/her interaction with the web site has no eavesdroppers and that the web site is who it claims to be. This security is important for electronic commerce. In practice, a web site operator obtains a certificate by applying to a certificate authority with a certificate signing request. The certificate request is an electronic document that contains the web site name, company information and the public key. The certificate provider signs the request, thus producing a public certificate. During web browsing, this public certificate is served to any web browser that connects to the web site and proves to the web browser that the provider believes it has issued a certificate to the owner of the web site.

As an example, when a user connects to https://www.example.com/ with their browser, if the browser does not give any certificate warning message, then the user can be theoretically sure that interacting with https://www.example.com/ is equivalent to interacting with the entity in contact with the email address listed in the public registrar under "example.com", even though that email address may not be displayed anywhere on the web site. No other surety of any kind is implied. Further, the relationship between the purchaser of the certificate, the operator of the web site, and the generator of the web site content may be tenuous and is not guaranteed. At best, the certificate guarantees uniqueness of the web site, provided that the web site itself has not been compromised (hacked) or the certificate issuing process subverted.

A certificate provider can opt to issue three types of certificates, each requiring its own degree of vetting rigor. In order of increasing rigor (and naturally, cost) they are: Domain Validation, Organization Validation and Extended Validation. These rigors are loosely agreed upon by voluntary participants in the CA/Browser Forum.

Validation levels

Domain validation

Main article: Domain-validated certificate

A certificate provider will issue a domain-validated (DV) certificate to a purchaser if the purchaser can demonstrate one vetting criterion: the right to administratively manage the affected DNS domain(s).

Organization validation

A certificate provider will issue an organization validation (OV) class certificate to a purchaser if the purchaser can meet two criteria: the right to administratively manage the domain name in question, and perhaps, the organization's actual existence as a legal entity. A certificate provider publishes its OV vetting criteria through its certificate policy.

Extended validation

Main article: Extended Validation Certificate

To acquire an Extended Validation (EV) certificate, the purchaser must persuade the certificate provider of its legal identity, including manual verification checks by a human. As with OV certificates, a certificate provider publishes its EV vetting criteria through its certificate policy.

Until 2019, major browsers such as Chrome and Firefox generally offered users a visual indication of the legal identity when a site presented an EV certificate. This was done by showing the legal name before the domain, and a bright green color to highlight the change. Most browsers deprecated this feature providing no visual difference to the user on the type of certificate used. This change followed security concerns raised by forensic experts and successful attempts to purchase EV certificates to impersonate famous organizations, proving the inefficiency of these visual indicators and highlighting potential abuses.

Weaknesses

A web browser will give no warning to the user if a web site suddenly presents a different certificate, even if that certificate has a lower number of key bits, even if it has a different provider, and even if the previous certificate had an expiry date far into the future. Where certificate providers are under the jurisdiction of governments, those governments may have the freedom to order the provider to generate any certificate, such as for the purposes of law enforcement. Subsidiary wholesale certificate providers also have the freedom to generate any certificate.

All web browsers come with an extensive built-in list of trusted root certificates, many of which are controlled by organizations that may be unfamiliar to the user. Each of these organizations is free to issue any certificate for any web site and have the guarantee that web browsers that include its root certificates will accept it as genuine. In this instance, end users must rely on the developer of the browser software to manage its built-in list of certificates and on the certificate providers to behave correctly and to inform the browser developer of problematic certificates. While uncommon, there have been incidents in which fraudulent certificates have been issued: in some cases, the browsers have detected the fraud; in others, some time passed before browser developers removed these certificates from their software.

The list of built-in certificates is also not limited to those provided by the browser developer: users (and to a degree applications) are free to extend the list for special purposes such as for company intranets. This means that if someone gains access to a machine and can install a new root certificate in the browser, that browser will recognize websites that use the inserted certificate as legitimate.

For provable security, this reliance on something external to the system has the consequence that any public key certification scheme has to rely on some special setup assumption, such as the existence of a certificate authority.

Usefulness versus unsecured web sites

In spite of the limitations described above, certificate-authenticated TLS is considered mandatory by all security guidelines whenever a web site hosts confidential information or performs material transactions. This is because, in practice, in spite of the weaknesses described above, web sites secured by public key certificates are still more secure than unsecured http:// web sites.

Standards

The National Institute of Standards and Technology (NIST) Computer Security Division provides guidance documents for public key certificates:

  • SP 800-32 Introduction to Public Key Technology and the Federal PKI Infrastructure
  • SP 800-25 Federal Agency Use of Public Key Technology for Digital Signatures and Authentication

See also

References

  1. ^ Wildcard SSL certificate limitation on QuovadisGlobal.com Cite error: The named reference ":0" was defined multiple times with different content (see the help page).
  2. Alrawais, Arwa; Alhothaily, Abdulrahman; Cheng, Xiuzhen; Hu, Chunqiang; Yu, Jiguo (2018-06-01). "SecureGuard: A Certificate Validation System in Public Key Infrastructure". IEEE Transactions on Vehicular Technology. 67 (6): 5399–5408. doi:10.1109/TVT.2018.2805700. ISSN 0018-9545. S2CID 49270949. Archived from the original on 2022-08-26. Retrieved 2022-08-26.
  3. Chadwick, David W; Basden, Andrew (2001-10-31). "Evaluating Trust in a Public Key Certification Authority". Computers & Security. 20 (7): 592–611. doi:10.1016/S0167-4048(01)00710-6. ISSN 0167-4048. Archived from the original on 2022-02-26. Retrieved 2022-02-26.
  4. "Internal names". DigiCert Documentation.
  5. "Free SSL Certificate | IONOS by 1&1". www.ionos.co.uk. Archived from the original on 2022-07-18. Retrieved 2022-07-15.
  6. "x509v3_config - X509 V3 certificate extension configuration format". OpenSSL. Retrieved 2020-01-16.
  7. RFC 5280: 4.2.1.6. Subject Alternative Name
  8. ^ Medley, Joseph (March 2017). "Deprecations and Removals in Chrome 58". Google Inc. Retrieved 2022-01-04.
  9. "Common Name (CN) for a wildcard certificate". DigiCert Documentation.
  10. "Wildcard and SAN: Understanding Multi-Use SSL Certificates" (PDF). Thawte. 2013.
  11. "Wildcard Certificate Explained in Simpler Terms". 23 May 2016.
  12. "RFC 2818 - HTTP Over TLS". Internet Engineering Task Force. May 2000. p. 5. Retrieved 2014-12-15. *.a.com matches foo.a.com but not bar.foo.a.com.
  13. Newman, C. (June 1999). RFC 2595 - Using TLS with IMAP, POP3 and ACAP. Internet Engineering Task Force. p. 3. doi:10.17487/RFC2595. RFC 2595. Retrieved 2014-12-15. For example, *.example.com would match a.example.com, foo.example.com, etc. but would not match example.com.
  14. "Guidelines For The Issuance And Management Of Extended Validation Certificates, Version 1.5.2" (PDF). CA/Browser Forum. 2014-10-16. p. 10. Retrieved 2014-12-15. Wildcard certificates are not allowed for EV Certificates.
  15. x509v3_config Subject Alternative Name
  16. The SAN option is available for EV SSL Certificates on Symantec.com
  17. SSLTools Certificate Lookup of Misplaced Pages.org's wildcard ssl certificate
  18. Saint-Andre, P.; Hodges, J. (March 2011). RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS). Internet Engineering Task Force. p. 31. doi:10.17487/RFC6125. RFC 6125. Retrieved 2014-12-10. This document states that the wildcard character '*' SHOULD NOT be included in presented identifiers but MAY be checked by application clients (mainly for the sake of backward compatibility with deployed infrastructure). Several security considerations justify tightening the rules:
  19. Rescorla, E. (May 2000). "RFC 2818 - HTTP Over TLS". tools.ietf.org. doi:10.17487/RFC2818. RFC 2818. Retrieved 2019-04-20.
  20. Saint-Andre, P.; Hodges, J. (March 2011). "RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)". tools.ietf.org. doi:10.17487/RFC6125. RFC 6125. Retrieved 2019-04-20.
  21. "Disallow support for a*.example.net, *a.example.net, and a*b.example.net in certificate wildcard handling". The Chromium Projects, Google Inc. 3 December 2014. Retrieved 21 October 2020.
  22. "Limit wildcard DNS ID support to names of the form *.example.com (not foo*.example.com)". The Mozilla Foundation. 10 December 2014. Retrieved 21 October 2020.
  23. "Disallow support for a*.example.net, *a.example.net, and a*b.example.net in certificate wildcard handling". The Python Software Foundation. 26 November 2017. Retrieved 21 October 2020.
  24. "Restrictions on data entries for public certificates". DigiCert Documentation.
  25. "EMV CA". EMV Certificate Authority Worldwide. 2 December 2010. Archived from the original on 4 July 2020. Retrieved January 20, 2020.
  26. "X.509 Certificate Policy For The Federal Bridge Certification Authority (FBCA)" (PDF). Archived (PDF) from the original on 2021-03-18. Retrieved 2021-05-07.
  27. "X.509 Certificate Policy For The Federal Bridge Certification Authority (FBCA)" (PDF). Archived (PDF) from the original on 2021-03-18. Retrieved 2021-05-07.
  28. "Usage Statistics and Market Share of SSL Certificate Authorities for Websites, May 2020". w3techs.com. Archived from the original on 2022-06-30. Retrieved 2020-05-01.
  29. "Root Certificate Policy – The Chromium Projects". www.chromium.org. Archived from the original on 2017-03-20. Retrieved 2017-03-19.
  30. "ca-certificates in Launchpad". launchpad.net. 30 April 2010. Archived from the original on 2017-03-20. Retrieved 2017-03-19.
  31. Smith, Dickinson & Seamons 2020, p. 1.
  32. ^ Sheffer, Saint-Andre & Fossati 2022, 7.5. Certificate Revocation.
  33. Chung et al. 2018, p. 3.
  34. Smith, Dickinson & Seamons 2020, p. 10.
  35. Larisch et al. 2017, p. 542.
  36. Smith, Dickinson & Seamons 2020, p. 1-2.
  37. "Firefox-dev Google group - Intent to Ship: Move Extended Validation Information out of the URL bar". groups.google.com. Archived from the original on 2020-08-12. Retrieved 2020-08-03.
  38. "Chrome Security-dev Google group - Upcoming Change to Chrome's Identity Indicators". groups.google.com. Archived from the original on 2020-06-07. Retrieved 2020-08-03.
  39. "Extended Validation Certificates are (Really, Really) Dead". troyhunt.com. 12 August 2019. Archived from the original on 2020-07-16. Retrieved 2020-08-03.
  40. "DigiNotar removal by Mozilla". Mozilla.org. 2 September 2011. Archived from the original on 3 June 2012. Retrieved 30 July 2012.
  41. "DigitNotar removal by Google". Archived from the original on 13 September 2011. Retrieved 30 July 2012.
  42. "Using certificates article at Mozilla.org". Mozilla.org. Archived from the original on 12 July 2012. Retrieved 30 July 2012.
  43. Ran Canetti: Universally Composable Signature, Certification, and Authentication. CSFW 2004, http://eprint.iacr.org/2003/239 Archived 2009-08-28 at the Wayback Machine
  44. Ben Laurie, Ian Goldberg (18 January 2014). "Replacing passwords on the Internet AKA post-Snowden Opportunistic Encryption" (PDF). Archived (PDF) from the original on 27 October 2014. Retrieved 15 November 2014. {{cite journal}}: Cite journal requires |journal= (help)
  45. "NIST Computer Security Publications – NIST Special Publications (SPs)". csrc.nist.gov. Archived from the original on 2017-09-17. Retrieved 2016-06-19.
  46. "SP 800-32 Introduction to Public Key Technology and the Federal PKI Infrastructure" (PDF). National Institute of Standards and Technology. Archived (PDF) from the original on 2018-06-05. Retrieved 2016-06-19.
  47. "SP 800-25 Federal Agency Use of Public Key Technology for Digital Signatures and Authentication" (PDF). National Institute of Standards and Technology. Archived (PDF) from the original on 2018-06-02. Retrieved 2016-06-19.

Works cited

TLS and SSL
Protocols and technologies
Public-key infrastructure
See also
History
Implementations
Notaries
Vulnerabilities
Theory
Cipher
Protocol
Implementation
Categories: