X.509 Certificate Contents

• Version.

• Serial Number.

• Signature Algorithm.

• Issuer Name.

• Validity Period.

• Subject Name.

  • Distinguished Name (DN) of the entity.

  • CN=Java Duke, OU=Java Software Division, O=U.Aveiro, C=PT.

• Subject Public Key Information.

  • Public Key Algorithm.

  • Subject Public Key.

• Certificate Signature Algorithm.

• Certificate Signature.

Certificate Authority enrollment

Simple Certificate Enrollment Protocol (SCEP) is used for the secure transportation of key information and certificates.

Enrolling in a Certificate Authority.

1. The end host generates a private-public key pair.

2. The end host generates a certificate request, which it forwards to the CA.

3. Manual, human intervention is required to approve the enrollment request.

4. After the approval, the CA signs the certificate with its private key and returns the completed certificate to the end host.

5. End host stores certificate.

Certificate Revocation Lists (CRL)

The CRL is another crucial PKI component.

This is a list of certificates that were formerly valid within the PKI but have been revoked for some reason.

These reasons could include any of the following:

• Compromise of keys within the certificate.

• Loss of access privileges for user/device.

• Change of PKI structure requiring certificate re-issue.

Usage and validity check

The cert is being presented within its validity period.

The CA that signed the cert is known and trustable.

The certificate is not on a revocation list (optional in some scenarios).