Skip to content

Latest commit

 

History

History
63 lines (46 loc) · 2.94 KB

x_509.md

File metadata and controls

63 lines (46 loc) · 2.94 KB
aliases author created modified tags title
X.509
Certificates
Maneesh Sutar
2024-07-14
2024-09-28
X.509 Certificates

X.509 Certificates

Main reference: RFC5280

Also refer to my repository openssl cert commands to see example codes for generating X.509 certificates, with various combinations of CAs and CSRs

Contents of a certificate

See the section 4.1 for a list of all fields in a X.509 certificate.

The important fields (from algorithmic POV) are:

  1. signatureAlgorithm and signatureValue
  2. subjectPublicKeyInfo

Along with that, a certificate may contains extensions, like Key usage.

Algorithm support

Main reference: RFC3279
Above reference contains which key usage extension is expected for each algorithm.

About static DH key support

In theory, "DH key exchange" certificates are possible but they aren't used (almost at all)
See why dh can't be used for signing? and static dh with openssl
Even openssl doesn't directly support DH keys (without using -force_pubkey ).
Today many systems have moved to TLS 1.3 (which remove static keys altogether) or use TLS 1.2 with ephemeral keys.

Key usage extension

The Key usage extension determines for what purposes the public key of the subject can be used. Key usage restricts the use to some applications. But if this extension is absent, the key can be used without any restrictions.
e.g. RSA keys can (in theory) be used for key encipherment and for authentication (signature). If RSA public key is present in the certificate, we can restrict its usage with this extension.

Structure of Key usage extension is as follow:

KeyUsage ::= BIT STRING {
           digitalSignature        (0),
           nonRepudiation          (1), -- recent editions of X.509 have
                                -- renamed this bit to contentCommitment
           keyEncipherment         (2),
           dataEncipherment        (3),
           keyAgreement            (4),
           keyCertSign             (5),
           cRLSign                 (6),
           encipherOnly            (7),
           decipherOnly            (8) }

In a Certificate Requests, the subject can also request for specific KeyUsage extensions.
The Certificate Authority (CA) ==has the final say== on which KeyUsage to allow.