On Friday 23 February 2007 15:32:54 Bernhard Froehlich wrote: > Bruno Costacurta schrieb: > > Hello, > > > > as a newbie, I have some assumptions / questions hereafter about OpenSSL > > and certificates. Many thanks to correct / confirm me. > > > > - a certificate is a public key with metadata > > - metadata contain mandatories (ie. subject and issuer) and optional > > parameters > > - there is no relation between the key algorithm (ie.RSA) and the format > > of the certificate (ie.PKCS#12) > > - a certificate can always be converted to another format > > - the certificate request (.csr) is obsolete (and so should be deleted) > > once the certificate is created by the CA > > - technically speaking a 'home-made' CA is egual to a 'professional' CA > > Almost 100% correct till here (PKCS#12 is not a format specific for > certificates but "a bag" which can contain certificates, keys and > probably other things). > > > - the CA remains fully secure as long its private key remains > > undistributed / uncompromised > > ... and the key is strong enough not to be broken (brute force or > otherwise). And your procedures are good enough that noone can trick you > into issuing fake certificates. And many things more. So what you are > saying is one important part of the truth, but you can probably spend a > lifetime with the rest of it. > > > - for a CA, files serial & index files allows to maintain a (type of) > > database to persist which certificates (with related metadata values) > > were created by this CA > > Almost correct. The serial file has to make sure that there are no two > certificates with the same serial number issued by the same CA. > > > - serial information within the certificate is useless > > If you are still talking of only the serial number you are correct. But > if you also know the issuing CA you can uniquely identify the > certificate. A CRL (Certificate Revocation List) for example works by > publishing the serial numbers which have been revoked by a CA and OCSP > also tells you the status of a certificate if you only tell the (CA > specific) responder the serial number. >
As far as I understand, the serial information within the certificate is only useful as a reference for the CA. This reference can be used by the CA to revoke the certificate. Is this correct ? Is there other action that can be made by the CA on a specific certificate (ie. renew, some metadata changes...) ? Thanks, Bruno > > - can a certificate contain more than one public key ? > > That beats me. I don't think the typical client (that is, a browser) can > handle multiple keys of the subject if it would be possible to encode > it. And I cannot think of possible uses for multiple keys in one > certificate. Of course more public keys could be included as certificate > extensions if you write your own sofware that does something with these > extensions. > > > Thanks for attention. > > Bye, > > Bruno > > Hope it helps. > Ted > ;) -- Bruno Costacurta PGP key : http://www.costacurta.org/keys/bruno_costacurta_pgp_key.html Key fingerprint = 713F 7956 9441 7DEF 58ED 1951 7E07 569B 2E60 4D51 --
pgpB8RZB00mvt.pgp
Description: PGP signature