Widows Server 2008 - How Certificates Work

Before we delve into the inner workings of a certificate, let’s discuss what a certificate actually is in layman’s terms. In PKI, a digital certificate is a tool used for binding a public key with a particular owner. A great comparison is a driver’s license. Consider the information listed on a driver’s license:

• Name
• Address
• Date of birth
• Photograph
• Signature
• Social security number (or another unique number such as a state issued license number)
• Expiration date
• Signature/certification by an authority (typically from within the issuing state’s government body)

The information on a state license photo is significant because it provides crucial information about the owner of that particular item. The signature from the state official serves as a trusted authority for the state, certifying that the owner has been verified and is legitimate to be behind the wheel of a car. Anyone, like an officer, who wishes to verify a driver’s identity and right to commute from one place to another by way of automobile need only ask for and review the driver’s license. In some cases, the officer might even call or reference that license number just to ensure it is still valid and has not been revoked.

A digital certificate in PKI serves the same function as a driver’s license. Various systems and checkpoints may require verification of the owner’s identity and status and will reference the trusted third party for validation. It is the certificate that enables this quick hand-off of key information between the parties involved.

The information contained in the certificate is actually part or the X.509 certificate standard. X.509 is actually an evolution of the X.500 directory standard. Initially intended to provide a means of developing easy-to-use electronic directories of people that would be available to all Internet users, it became a directory and mail standard for a very commonly known mail application: Microsoft Exchange 5.5. The X.500 directory standard specifies a common root of a hierarchical tree although the “tree” is inverted: the root of the tree is depicted at the “top” level while the other branches— called “containers”—are below it. Several of these types of containers exist with a specific naming convention. In this naming convention, each portion of a name is specified by the abbreviation of the object type or a container it represents. For example, a CN= before a username represents it is a “common name”, a C= precedes a “country,”, and an O= precedes “organization”. These elements are worth remembering as they will appear not only in discussions about X.500 and X.509, but they are ultimately the basis for the scheme of Microsoft’s premier directory service, Active Directory.

X.509 is the standard used to define what makes up a digital certificate. Within this standard, a description is given for a certificate as allowing an association between a user’s distinguished name (DN) and the user’s public key. The DN is specified by a naming authority (NA) and used as a unique name by the certificate authority (CA) who will create the certificate.



X.509 Certificate Data
Serial Number. A unique identifier.

Subject. The name of the person or company that is
being identified, sometimes listed as “Issued To”.

Signature Algorithm. The algorithm used to create the signature.

Issuer. The trusted authority that verified the information and generated the certificate, sometimes listed as “Issued By”.

Valid From. The date the certificate was activated.

Valid To. The last day the certificate can be used.

Public Key. The public key that corresponds to the private key.

Thumbprint Algorithm. The algorithm used to create the unique value of a certificate.

Thumbprint. The unique value of every certificate, which positively identifies the certificate. If there is ever a question about the authenticity of a certificate, check this value with the issuer.

Source of Information : Syngress The Best Damn Windows Server 2008 Book Period 2nd Edition