Authorization Certificate
In computer security, an attribute certificate, or authorization certificate (AC) is a digital document containing attributes associated to the holder by the issuer. When the associated attributes are mainly used for the purpose of authorization, AC is called authorization certificate. AC is standardized in X.509. RFC 5755 further specifies the usage for authorization purpose in the Internet.
The authorization certificate works in conjunction with a public key certificate (PKC). While the PKC is issued by a certificate authority (CA) and is used as a proof of identity of its holder like a passport, the authorization certificate is issued by an attribute authority (AA) and is used to characterize or entitle its holder like a visa. Because identity information seldom changes and has a long validity time while attribute information frequently changes or has a short validity time, separate certificates with different security rigours, validity times and issuers are necessary.
Certificate Authority (CA)
In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.
One particularly common use for certificate authorities is to sign certificates used in HTTPS, the secure browsing protocol for the World Wide Web. Another common use is in issuing identity cards by national governments for use in electronically signing documents
Intermediate CA certificate
A root CA certificate may be the base to issue multiple intermediate CA certificates with varying validation requirements.
Self-signed and root certificates
A self-signed certificate is a certificate with a subject that matches its issuer, and a signature that can be verified by its own public key.
For most purposes, such a self-signed certificate is worthless. However, the digital certificate chain of trust starts with a self-signed certificate, called a “root certificate,” “trust anchor,” or “trust root.” A certificate authority self-signs a root certificate to be able to sign other certificates.
An intermediate certificate has a similar purpose to the root certificate; its only use is to sign other certificate. However, an intermediate certificate is not self-signed. A root certificate or another intermediate certificate need to sign it. An end-entity or leaf certificate is any certificate that cannot sign other certificates. For instance, TLS/SSL server and client certificates, email certificates, code signing certificates, and qualified certificates are all end-entity certificates.
PKIs (public key infrastructure)
Large organizations or government bodies may have their own PKIs (public key infrastructure), each containing their own CAs. Any site using self-signed certificates acts as its own CA.
Conversion
# Convert a certificate between binary DER encoding (.cer) and textual PEM encoding
$ openssl x509 -inform der -in output.cer -out my_output.pem
# convert crt files to PEM certs
$ openssl x509 -inform DER -in name.crt -out my.pem -outform PEM
# .cert to .crt
$ openssl x509 -inform PEM -in <filepath>/certificate.cert -out certificate.crt
# .cer to .p12
openssl pkcs12 -export -clcerts -in client-cert.cer -inkey client-key.key -out client.p12
# Convert .pem with No password to cert.p12
$ openssl pkcs12 -export -out cert.p12 -in cert.pem -inkey key.pem -passout pass: -nokeys
# Create a pkcs12 file by .pem + a private key
openssl pkcs12 -export -out cert.p12 -in my.pem -inkey key.key
Display
# Display certificate information:
$ openssl x509 -in filename.crt -noout -text
# Display a certificate's expiration date:
$ openssl x509 -enddate -noout -in filename.
# Store a certificate's public key in a file:
$ openssl x509 -in certificate_file -noout -pubkey -out output_file
Verify
# verify .pem
$ openssl verify -untrusted ca-bundle cert.pem
# or
$ openssl verify -CAfile path1 path2
Reference
- https://en.wikipedia.org/wiki/Authorization_certificate
- https://en.wikipedia.org/wiki/Certificate_authority
- https://en.wikipedia.org/wiki/Public_key_certificate