1.4.7 Certificates
CA, CRL, OCSP, CSR, wildcard.
Certificates are electronic files based on the X.509 standard that verify the identity of an entity and enable encrypted communication through Public Key Infrastructure (PKI).
Key Roles and Components - Certificate Authority (CA): the trusted entity that validates identities, issues certificates, and manages the full lifecycle, including revocation. - Registration Authority (RA): an optional helper that verifies an applicant's identity before passing the request to the CA. - Certificate Signing Request (CSR): the application sent to a CA to request a certificate; it contains the applicant's public key and identifying details. - Self-signed certificate: signed by the same entity it identifies. Fine for internal development or intranet services, but it lacks external trust and should not be used on public-facing sites.
Validation and Revocation - Certificate Revocation List (CRL): a published list of serial numbers for certificates revoked before their expiry, for example after a key compromise. - Online Certificate Status Protocol (OCSP): a real-time check of a single certificate's status; faster and lighter than downloading a full CRL. - OCSP stapling: the web server attaches a recent, CA-signed status response to the TLS handshake, so the client need not contact the CA itself. - Expiration: every certificate has a fixed lifetime; once expired, the browser shows a security warning.
Trust Models and Specialized Types - Hierarchical trust: a single Root CA at the top issues to intermediate (subordinate) CAs, which issue to end users. Trusting the Root means trusting the whole chain. - Wildcard certificate: covers a domain and all its subdomains — for example, one for *.example.com secures mail.example.com and web.example.com. - Subject Alternative Name (SAN): lets a single certificate protect several specific names, such as example.com and example.org. - File formats: common encodings include PEM (Base64/ASCII) and DER or CER (binary).
Quick recall - CSR → the application form sent to a CA, containing your public key. - OCSP vs CRL → OCSP is the modern real-time check; CRL is the legacy revoked list. - Intermediate CA → distributes workload and shields the offline Root CA. - X.509 → the standard format for digital certificates. - Certificate chain → end-entity certificate → intermediate(s) → trusted Root CA.