Creating a Network of Trust Using X.509 Certifi cates - Implementing SSL/TLS Using Cryptography and PKI

Cryptography Reference

In-Depth Information

to generate a new public key without a private key to go with it. The structure

of this key fi le is revisited later.

Also, notice the parameters: -keyform and -outform . There are two options

here, der and pem . der is, unsurprisingly, the ASN.1 DER-encoded representa-

tion of the certifi cate or key fi le. pem , which stands for Privacy Enhanced Mail, is

a Base-64 encoded representation of the DER-encoded certifi cate with a header

and a footer. A pem -encoded certifi cate fi le looks like this:

-----BEGIN CERTIFICATE-----

MIIDUjCCAvygAwIBAgIJAMdcnerewaJQMA0GCSqGSIb3DQEBBQUAMIGkMQswCQYD

VQQGEwJVUzEOMAwGA1UECBMFVGV4YXMxEjAQBgNVBAcTCVNvdXRobGFrZTEUMBIG

...

AwEB/zANBgkqhkiG9w0BAQUFAANBAKf3QiQgbre9DSq4aeED9v0nonEHXPRsU79j

l3q/IUMlhmtuZ4SIlNAPvRdZ6DUIvWqVVJbtl5Bm7MKo7KCMarc=

-----END CERTIFICATE-----

And a pem -encoded key fi le looks like this:

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: DES-EDE3-CBC,DF6F51939AF51B22

+cvob7sZl6Ew8/iBqNUF1Q40B14mYzw43cS08/xpzbqtkczYfiQeYN8N4dl8h3tp

VzoeCoRKsBKtl89NtpzTJocv33vgcaTFHt1BXBnOPxrQALhyV1x4ADIoW5e7rvsW

...

RmyqjA8BH9JeCPzvJlmir55OYB9aCQBTR3+mAlvVrnx5eng1f0YCw/tneXJor3jT

IgYBcTpEvug5qeGVl27UA2cI/lcCuNQ0Cjdfztlhhmo=

-----END RSA PRIVATE KEY-----

These structures are more amenable to being transmitted in e-mail than

DER-encoded fi les. SSL always deals in DER-encoded fi les, though.

NOTE You'll encounter the term PEM every once in a while as you read

through the offi cial Internet documentation on certifi cates. Privacy-Enhanced

Mail was the fi rst attempt to apply X.509 certifi cates in an Internet context, so

some of the terminology stuck.

The cert.der fi le is 845 bytes long. If you did this yourself and used your own

name, location, and e-mail information, it might be slightly longer or shorter,

but should be in this same neighborhood. The contents of this fi le are

jdavies@home:ssl$ od -t x1 cert.der

0000000 30 82 03 49 30 82 02 f3 a0 03 02 01 02 02 09 00

0000020 ca 30 e1 8f 77 8d a2 81 30 0d 06 09 2a 86 48 86

0000040 f7 0d 01 01 05 05 00 30 81 a1 31 0b 30 09 06 03

0000060 55 04 06 13 02 55 53 31 0b 30 09 06 03 55 04 08

0000100 13 02 54 58 31 12 30 10 06 03 55 04 07 13 09 53

0000120 6f 75 74 68 6c 61 6b 65 31 14 30 12 06 03 55 04

0000140 0a 13 0b 54 72 61 76 65 6c 6f 63 69 74 79 31 15

0000160 30 13 06 03 55 04 0b 13 0c 41 72 63 68 69 74 65

0000200 63 74 75 72 65 31 16 30 14 06 03 55 04 03 13 0d

Implementing SSL/TLS Using Cryptography and PKI

Search WWH ::

Custom Search

Home