Giriş
X509 en yaygın dijital sertifika standardı. Açıklaması şöyle.
İlk X.509 standardı 1988 yılında yayınlandı ve bir çok RFC dokümanına yayılmış vaziyette. X.509 için 3 sürüm var. v1, v2 ve v3.
v1
X509 en yaygın dijital sertifika standardı. Açıklaması şöyle.
There are many certificate formats that could be used by a key management system; one of the most common is the X509 format. X509 has gone through a few revisions; the version supported by the Java API is version 3. This format is an ANSI standard for certificates, and while there are PGP and other certificate formats in the word, the X509 format is dominant. This is the only format of certificate for which Java provides a standard API; if you want to support another certificate format, you must implement your own subclass of Certificate.Açıklaması şöyle.
An X.509 certificate binds a name to a public key value. The role of the certificate is to associate a public key with the identity contained in the X.509 certificate.Sürümleri
İlk X.509 standardı 1988 yılında yayınlandı ve bir çok RFC dokümanına yayılmış vaziyette. X.509 için 3 sürüm var. v1, v2 ve v3.
v1
İlk sürüm X.500'den ilham alıyor. Açıklaması şöyle
The reason certificates have the metadata they do is historical. Certificates are defined in the X.509 standard from the ITU-T. It is part of implementation of the X.500 standard, the Directory services. It’s also related to another standard called LDAPThese technologies were designed at the beginning of the internet (1988) and have a strong backing in the telephone networks.The X.500 family of standards were created to facilitate directory services (think phone books). For these it makes sense to record where someone is located in order to tie some arbitrary data (like a phone number) to a physical location or name (like address and name of user).
Directory Services için düşünülen ancak hayata geçmeyen yöntem şöyle
AFAIK the original idea was that there would be one Global X.500 Directory, branching out almost exactly like how DNS works nowadays – e.g. France would be delegated the C=FR subtree; Microsoft would manage the O=Microsoft,C=US subtree; and so on.Correct. That was the original, never fully implemented plan for DAP. It’s why we got LDAP. It would not be directly linked to just the C & O records but also by the issuer records.
v3
Açıklaması şöyle. Sertifika ASN.1 formatındadır.
Sertifika Çeşitleri
Sertifika alırken şu çeşitler olabilir.
Şöyledir.
Açıklaması şöyle. Sunucu ismi veya kullanıcı ismi gibi düşünülebilir. Bu alan yerine artık subjectAltName kullanılıyor. Çünkü bir çok sunucu artık tek bir alan ismi yerine birden fazla alan ismini sunuyor.
Issuer Name
Certificate Authority (CA) adı. "Issued By" olarak bilinir. "Common Name", "Organization" olarak gösterilir.
Örnek
Şöyle görürüz.
Private Key
Sertifikayı kullanan kişinin anahtarı. Bu nesnede Modulus+Public Exponent+Private Exponent bilgileri vardır.
Public Key
Sertifikayı kullanan kişinin anahtarı. Bu nesnede Modulus+Public Exponent vardır.
Serial Number
Certificate Authority (CA) tarafından atanan seri numara.
Subject Name
Sertifikayı kullanan kişinin adı
Subject Alternative Name (subjectAltName) - Etkin Kullanılan Alan Bu
x509 v3 certificates have extensions which are an ASN.1 sequence containing an OID, a critical flag, and an octetString called extnValue.Sertifika tabiki ASN.1 formatında gönderilemez. Bunun için DER encoding kullanılır.
Sertifika Çeşitleri
Sertifika alırken şu çeşitler olabilir.
Domain Validated (DV)
Organization Validated (OV)
Extended Validation (EV)Şöyledir.
GeoTrust Global CA
Google Internet Authority G2
*.google.comAçıklaması şöyle. Sunucu ismi veya kullanıcı ismi gibi düşünülebilir. Bu alan yerine artık subjectAltName kullanılıyor. Çünkü bir çok sunucu artık tek bir alan ismi yerine birden fazla alan ismini sunuyor.
The Common Name (AKA CN) represents the server name protected by the SSL certificate. The certificate is valid only if the request hostname matches the certificate common name. Most web browsers display a warning message when connecting to an address that does not match the common name in the certificate.
In the case of a single-name certificate, the common name consists of a single host name (e.g. example.com, www.example.com), or a wildcard name in case of a wildcard certificate (e.g. *.example.com).
The common name is technically represented by the commonName field in the X.509 certificate specification.
Bir başka açıklama şöyle
Originally certificates were only valid for a single name. But with the growth of the web, it was very common that the same server would be accessible under multiple names. So certificates were extended to permit multiple names. The use of the Common Name (CN) field has been deprecated since 2000 in favor of the subjectAltName field (Subject Alternative Name, often abbreviated SAN). The subjectAltName field can contain a list of names (or name patterns starting with a wildcard), not just a single name.The subjectAltName field for the certificate offered by https://stackoverflow.com/ includes stackoverflow.com as well as *.stackexchange.com, *.stackoverflow.com, *.meta.stackexchange.com, etc. Chrome recognizes stackoverflow.com in the subjectAltName field. It's a bit weird that it only shows the CN value in the overview, but you can view the certificate details and see the SAN entries under “*.stackexchange.com” → “Certificate” → “Extensions” → “Certificate Subject Alternative Name”.
Certificate Authority (CA) adı. "Issued By" olarak bilinir. "Common Name", "Organization" olarak gösterilir.
Örnek
Şöyle görürüz.
Issuer: CN=ABC XYZ, O=ABC, C=IN
Private Key
Sertifikayı kullanan kişinin anahtarı. Bu nesnede Modulus+Public Exponent+Private Exponent bilgileri vardır.
Sertifikayı kullanan kişinin anahtarı. Bu nesnede Modulus+Public Exponent vardır.
Serial Number
Certificate Authority (CA) tarafından atanan seri numara.
Subject Name
Sertifikayı kullanan kişinin adı
Subject Alternative Name (subjectAltName) - Etkin Kullanılan Alan Bu
Sunucu ismi veya kullanıcı ismi gibi düşünülebilir. Aynı sertifikanın bir çok farklı alan ismi ile kullanılabilmesini sağlar. Açıklaması şöyle
Sertifikanın bir parçası değildir. tbsSertificate + signatureAlgorithm (CA tarafından imzalamak için kullanılan algoritma) + signatureValue değerlerinin tek yönlü bir hash'ten geçirilerek elde edilen değerdir. ThumbPrint sertifkaları kolayca aramak için kullanılır.
The common name can only contain up to one entry: either a wildcard or non-wildcard name. It’s not possible to specify a list of names covered by an SSL certificate in the common name field.
The Subject Alternative Name extension (also called Subject Alternate Name or SAN) was introduced to solve this limitation. The SAN allows issuance of multi-name SSL certificates.
The ability to directly specify the content of a certificate SAN depends on the Certificate Authority and the specific product. Most certificate authorities have historically marketed multi-domain SSL certificates as a separate product. They’re generally charged at a higher rate than a standard single-name certificate.
On the technical side, the SAN extension was introduced to integrate the common name. Since HTTPS was first introduced in 2000 (and defined by the RFC 2818), the use of the commonName field has been considered deprecated, because it’s ambiguous and untyped.
The CA/Browser Forum has since mandated that the SAN would also include any value present in the common name, effectively making the SAN the only required reference for a certificate match with the server name. The notion of the common name survives mostly as a legacy of the past. There are active discussions to remove its use from most browsers and interfaces.
Aslında Client ve Server sertifikaları arasındaki en önemli fark ta bu alan. Açıklaması şöyle
Structurally, client and server certs are the same. Both will need keyUsage: digitalSignature and will contain the same type of RSA or ECDSA key. They chain to an intermediate and root CA via Issuer and AIA fields in exactly the same way as server certs. They handle revocation via CRL or OCSP in exactly the same way as server certs.However, depending on the enforcement / authorization rules in your server, you may need to put different metadata in the client certs. For example:- Server certs almost always have a SubjectAltName of type dNSName matching the public domain name at which the server can be reached. This makes absolutely no sense for a client. Often instead you see a serialNumber DN component, or one of the less common SAN types.- Your server may be configured to require client certs to have the extendedKeyUsage: id-kp-clientAuth.- Your server may enforce groups, privileges or access controls based on policy OIDs or other custom v3 extensions.
Örnek
Bir örnek şöyle
The StackOverflow certificate has got a subjectAltName field with the following dNSNames in it, which allow the certificate to validate for StackOverflow.*.askubuntu.com*.blogoverflow.com*.mathoverflow.net*.meta.stackexchange.com*.meta.stackoverflow.com*.serverfault.com*.sstatic.net*.stackexchange.com*.stackoverflow.com*.stackoverflow.email*.stackoverflowteams.com*.superuser.comaskubuntu.comblogoverflow.commathoverflow.netopenid.stackauth.comserverfault.comsstatic.netstackapps.comstackauth.comstackexchange.comstackoverflow.blogstackoverflow.comstackoverflow.emailstackoverflowteams.comstacksnippets.netsuperuser.com
Security
Şu seviyeler olabilir.DV = only domain name control is verified.Eğer EV yoksa şuna benzer bir çıktı alırız.
OV = owner entity (organization) information is verified in addition.
EV = more thorough version of OV, which has traditionally been awarded with the "green bar" (but the "green bar" appears to be going away soon).
X509v3 Extended Key Usage:ThumbPrint
TLS Web Server Authentication, TLS Web Client Authentication
Sertifikanın bir parçası değildir. tbsSertificate + signatureAlgorithm (CA tarafından imzalamak için kullanılan algoritma) + signatureValue değerlerinin tek yönlü bir hash'ten geçirilerek elde edilen değerdir. ThumbPrint sertifkaları kolayca aramak için kullanılır.
Hiç yorum yok:
Yorum Gönder