Certificate server

Certificate servers validate, or certify, public keys as part of a public key infrastructure (PKI). A key pair is generated with a public-key algorithm; the public half is placed in a certificate that binds it to the name of its owner, and the certificate server, acting as the certificate authority, signs that binding. Web servers such as Microsoft's Internet Information Services (IIS) or Apache with mod_ssl generate key pairs and certificate requests; once a request has been validated and signed by the certificate server, the resulting certificate can be installed on other servers, such as news servers or web servers. The purpose of the process is to let people communicate with reasonable assurance that nobody is eavesdropping or assuming a false identity.

Usage

The nature of e-mail and newsgroup servers and protocols makes them susceptible to impersonation (identity theft): the protocols themselves do not authenticate the sender. Digital certificates help minimize this risk by authenticating the parties before they transmit information. A digital certificate is a signed data structure that binds a public key to the identity of its holder (a person, host or program); it is used to verify a program's or a sender's public key, or to set up an SSL/TLS session. It is valid only if it has been signed by a certificate authority (CA) that the relying party trusts. The certificate itself is public; it is the matching private key, held by the certificate's subject, that is normally kept in a password-protected, encrypted file.

X.509 Description

The Internet Engineering Task Force RFC 2459, entitled "Internet X.509 Public Key Infrastructure Certificate and CRL Profile", describes the formats of the X.509 v3 certificate and the X.509 v2 certificate revocation list (CRL) as part of the Internet PKI; it has since been superseded by RFC 3280 and then RFC 5280, which keep the same structure. According to the RFC, "The goal of this specification is to develop a profile to facilitate the use of X.509 certificates within Internet applications for those communities wishing to make use of X.509 technology. Such applications may include WWW, electronic mail, user authentication, and IPsec." The structure of X.509 and the resulting PKI let a relying party that holds a public key be confident that the matching private key is held by the entity named in the certificate, because that binding is vouched for by a public key certificate digitally signed by a certificate authority.[1]

Implementation using Microsoft IIS

Microsoft Certificate Services, which uses IIS for its web enrollment pages, allows a Windows server to issue and revoke digital certificates. The implementation requires a dedicated certificate server configured as one of four kinds of certificate authority (enterprise CAs are integrated with Active Directory; stand-alone CAs do not need it):

  • Enterprise root CA
  • Enterprise subordinate CA
  • Stand-alone root CA
  • Stand-alone subordinate CA

Management of Certificate Services is done through a Microsoft Management Console (MMC) snap-in and through a web-based application. Both can be used to view issued, revoked, pending and failed certificate requests.[2]

Open source implementations

Several open source certificate servers exist; they are commonly referred to simply as a CA (certificate authority). All of them provide the services needed to issue, revoke and manage digital certificates.

Some well known open source implementations are:

  • EJBCA
  • OpenCA
  • OpenSSL, which is primarily an SSL/TLS and cryptography library, but ships with command-line tools (openssl req, openssl x509 and openssl ca) that can run a simple certificate authority.
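The whole life cycle described above (a request is validated and signed, the certificate is verified against the CA, and a CRL is published when it is revoked) can be run end to end with the OpenSSL tools. The script below is an added example, not code from the article or from the OpenSSL project; the CA name "Example Root CA", the host name www.example.test, the file names and the temporary directory layout are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article or any project: a throw-away certificate
# server built from the OpenSSL command-line tools. It creates a root CA, issues
# a server certificate from a CSR, verifies it, then revokes it and publishes a
# CRL. "Example Root CA", www.example.test and the file layout are invented.
set -eu

# One config file serves `openssl req`, `openssl ca` and the extension sections.
# $dir is expanded by OpenSSL, not the shell, because the heredoc is quoted.
write_config() {
    cat > "$1/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]

[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 90
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# CA side: key pair, self-signed root certificate carrying the CA extensions,
# and the database files `openssl ca` keeps for issued and revoked certificates.
build_ca() (
    cd "$1"
    mkdir -p newcerts && : > index.txt && echo 1000 > serial && echo 1000 > crlnumber
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -config pki.cnf -key ca.key -subj "/CN=Example Root CA" -out ca.csr
    openssl x509 -req -in ca.csr -signkey ca.key -days 365 -sha256 \
        -extfile pki.cnf -extensions v3_ca -out ca.crt 2>/dev/null
)

# Subscriber side: the server keeps its private key and sends only a CSR.
make_csr() (
    cd "$1"
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -config pki.cnf -key server.key -subj "/CN=www.example.test" -out server.csr
)

# CA side: sign the CSR and record the certificate in index.txt.
issue_cert() (
    cd "$1"
    openssl ca -config pki.cnf -batch -notext -extensions v3_server \
        -in server.csr -out server.crt 2>/dev/null
)

# CA side: mark the certificate revoked and publish a freshly signed CRL.
revoke_cert() (
    cd "$1"
    openssl ca -config pki.cnf -revoke server.crt 2>/dev/null
    openssl ca -config pki.cnf -gencrl -out ca.crl 2>/dev/null
)

# Relying-party side: returns 0 only when openssl reports "OK". Checking the
# text is deliberate: old releases exit 0 from `verify` even on failure.
# Pass "crl" as $2 to consult the CRL as well.
cert_is_valid() (
    cd "$1"
    if [ "${2:-}" = crl ]; then
        openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl server.crt 2>&1
    else
        openssl verify -CAfile ca.crt server.crt 2>&1
    fi | grep -q ': OK$'
)

main() {
    workdir=$(mktemp -d)
    write_config "$workdir"; build_ca "$workdir"; make_csr "$workdir"; issue_cert "$workdir"
    cert_is_valid "$workdir" && echo "issued: accepted"
    revoke_cert "$workdir"
    cert_is_valid "$workdir" && echo "revoked, no CRL check: still accepted"
    cert_is_valid "$workdir" crl || echo "revoked, CRL check: rejected"
    rm -rf "$workdir"
}
main
```

The third check is the practical caveat: revoking a certificate changes nothing for a relying party that never fetches the CRL (or asks OCSP), so publishing revocation data is only half of the job. The same applies to the CA private key: in this demo it sits next to the certificates, whereas a real certificate server keeps it offline or in a hardware module, because anyone holding it can issue certificates the whole PKI will trust.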

Implementation using Apache + mod_ssl

Apache uses certificates obtained from a certificate server to provide secure communication over the SSL/TLS protocol.

The SSL/TLS implementation for the Apache HTTP Server is mod_ssl, a derivation of Apache-SSL built on the functionality of OpenSSL. mod_ssl supports SSLv2, SSLv3 and TLSv1, with X.509 certificate-based authentication of both server and client and certificate revocation checking. This is accomplished via three packages: the mod_ssl module, an extended API (EAPI) for Apache, and an SSL/TLS implementation toolkit such as OpenSSL.[3] The protocol list reflects the 2001 source; SSLv2 and SSLv3 have since been prohibited (RFC 6176 and RFC 7568), and current mod_ssl releases support TLS 1.2 and TLS 1.3.
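The directives through which mod_ssl consumes what a certificate server produces (the server certificate and key, the CA certificate used to authenticate clients, and the CA's CRL) are shown in the virtual host below. It is an added example for httpd 2.4, not a fragment from the article or from the mod_ssl project; the paths under /etc/pki/demo/ and the host name www.example.test are assumed values.

```apache
# Added example (httpd 2.4 with mod_ssl), not from the article or the project.
# Paths under /etc/pki/demo/ and the host name are assumed for the demonstration.
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on

    # "SSLProtocol all" still enables SSLv3 on older builds; pin to TLS 1.2+.
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # What the certificate server issued to this host
    SSLCertificateFile    /etc/pki/demo/server.crt
    SSLCertificateKeyFile /etc/pki/demo/server.key

    # Trust anchor for client certificates, and the CRL the CA publishes
    SSLCACertificateFile  /etc/pki/demo/ca.crt
    SSLCARevocationFile   /etc/pki/demo/ca.crl
    SSLCARevocationCheck  chain

    # X.509 client authentication: the client must present a certificate
    # chaining directly to the CA above; revoked ones are rejected via the CRL.
    SSLVerifyClient require
    SSLVerifyDepth  1
</VirtualHost>
```

Without SSLCARevocationFile and SSLCARevocationCheck, a client certificate the CA has revoked keeps being accepted for as long as it is within its validity period; the CRL file must also be refreshed and the server reloaded each time the CA publishes a new one.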

References

  1. Internet Engineering Task Force, Network Working Group (January 1999). "Internet X.509 Public Key Infrastructure Certificate and CRL Profile" (RFC 2459). http://www.ietf.org/rfc/rfc2459.txt. Retrieved 2009-04-21.
  2. Microsoft (2009). "Managing Microsoft Certificate Services and SSL". http://technet.microsoft.com/en-us/library/bb727098.aspx. Retrieved 2009-04-21.
  3. ApacheCon, Santa Clara (2001-04-04). "Security Solutions with SSL". http://www.modssl.org/docs/apachecon2001/. Retrieved 2009-04-23.

Wikimedia Foundation. 2010.
