Basics: Delta revocation lists

Certificate revocation lists (CRLs) are used to remove issued certificates from circulation before the end of their validity period.

A CRL is a signed list of the serial numbers of certificates that have been revoked by the certification authority. The revocation list has an expiration date (usually a few days short) and is reissued and signed by the associated certification authority at regular intervals.

Certificate revocation lists can reach a considerable size if the volume of revoked certificates is high (as a rule of thumb, you can expect about 5 megabytes per 100,000 entries). The regular download of large certificate revocation lists by subscribers can generate a large network load. To address this problem, there is the concept of delta revocation lists.

Continue reading „Grundlagen: Deltasperrlisten“

Roles in a public key infrastructure

Understanding the roles involved is essential for designing a public key infrastructure.

The term "public key infrastructure" encompasses much more than the technical components and is often misleadingly used.

In summary, a public key infrastructure is both an authentication technology and the totality of all the components involved.

Continue reading „Rollen in einer Public Key Infrastruktur“

Basics: Automatic Certificate Management Environment (ACME)

The ACME protocol was developed by the operators of the project Let's Encrypt designed to support the exhibition of Web server certificates to automate. It is specified in RFC 8555.

The goal is to make the process of proving ownership of the DNS resource (IP addresses cannot currently be identified, but this is planned in the future), but not of the person or organization behind it, in order to subsequently be able to obtain a web server certificate without human interaction.

Continue reading „Grundlagen: Automatic Certificate Management Environment (ACME)“

Basics: Elliptic curves with regard to their use in the public key infrastructure

With Windows Vista and Windows Server 2008, the Cryptography API: Next Generation (CNG) was introduced into the Windows systems.

This term refers to a collection of modern cryptographic functions. Among other things, the CNG enables the use of certificates that use keys based on elliptic curves (also called Elliptic Curve Cryptography, ECC) with the Microsoft Certification Authority and the Windows operating system.

Continue reading „Grundlagen: Elliptische Kurven in Hinsicht auf ihre Verwendung in der Public Key Infrastruktur“

The database schema of the Certification Authority database

Would you like to Queries against the Certification Authority database formulate, you must first know what you want to look for.

There is a possibility to output the database schema of the certification authority database.

Continue reading „Das Datenbankschema der Zertifizierungsstellen-Datenbank“

Basics: The Key Usage Certificate Extension

Certificate extensions were introduced with version 3 of the X.509 standard. The Key Usage extension is an optional certificate extension that can be used in the RFC 5280 is defined and is used to limit the allowed uses for a key.

Continue reading „Grundlagen: Die Key Usage Zertifikaterweiterung“

Basics of online responders (Online Certificate Status Protocol, OCSP)

Certificates usually have a "CRL Distribution Points" extension that tells an application where the certificate's associated Certificate Revocation List (CRL) can be found.

This is like a telephone directory: It contains all the serial numbers of certificates that have been recalled by the certification authority (and are still valid). Every application that checks the revocation status must download and evaluate the entire revocation list.

As the size increases, this procedure becomes increasingly inefficient. As a rule of thumb, 100,000 recalled certificates already correspond to approx. 5 MB file size for the revocation list.

The Online Certificate Status Protocol (OCSP) was developed for this purpose (under the leadership of ValiCert): It is similar to a directory assistance service where applications can request the revocation status for individual certificates, thus eliminating the need to download the entire CRL. OCSP is available in the RFC 6960 specified.

Continue reading „Grundlagen Onlineresponder (Online Certificate Status Protocol, OCSP)“

Basics: Configuration file for the certification authority (capolicy.inf)

The capolicy.inf contains basic settings that can or should be specified before installing a certificate authority. In simple terms, it can be said that no certificate authority should be installed without it.

Continue reading „Grundlagen: Konfigurationsdatei für die Zertifizierungsstelle (capolicy.inf)“

Basics: Path Length Constraint

The attack on the MD5 signature algorithm demonstrated in late 2008 could only be used to create a usable forged certification authority certificate because the attacked certification authority had not configured any path length restriction.

The limitation of the path length is defined in the RFC 5280 described. The idea behind this is that the maximum depth of the certification authority hierarchy is stored in the "Basic Constraints" extension of a certification authority certificate.

Continue reading „Grundlagen: Einschränkung der Pfadlänge (Path Length Constraint)“

Network Device Enrollment Service (NDES) Basics

The Simple Certificate Enrollment Protocol (SCEP) was developed by Verisign for Cisco in the early 2000s to provide a simplified method for requesting certificates. Previously, network devices required manually generating a certificate request on each device, submitting it to a certificate authority, and then manually reinstalling the issued certificate on the corresponding device.

Continue reading „Grundlagen Registrierungsdienst für Netzwerkgeräte (Network Device Enrollment Service, NDES)“

Description of the different certificate formats

X.509 certificates are always encoded in the Distinguished Encoding Rules (DER) format. This is a binary, machine-readable format.

DER-encoded certificates can, however, also be converted into a text-based format using the BASE64 process so that they can be transmitted in an e-mail body, for example. BASE64 encloses the DER-encoded format, i.e. the certificate is and remains DER-encoded in any case.

Continue reading „Beschreibung der verschiedenen Zertifikat-Formate“

Basics: key algorithms, signature algorithms and signature hash algorithms

When planning a public key infrastructure, the question arises as to which cryptographic algorithms it should use.

The main principles are explained below.

Continue reading „Grundlagen: Schlüsselalgorithmen, Signaturalgorithmen und Signaturhashalgorithmen“

Basics: Finding certificates and validating the certification path

In order to determine whether a certificate has been issued by a certification authority that has been classified as trustworthy, a trust chain must be formed. To do this, all certificates in the chain must be determined and checked. Microsoft CryptoAPI builds all possible certificate chains and returns those with the highest quality to the requesting application.

Continue reading „Grundlagen: Auffinden von Zertifikaten und Validierung des Zertifizierungspfades“

Basics: Checking the revocation status of certificates

If a valid, unexpired certificate is to be withdrawn from circulation, it must be revoked. For this purpose, the certification authorities maintain corresponding revocation lists in which the digital fingerprints of the revoked certificates are listed. They must be queried during the validity check.

Continue reading „Grundlagen: Überprüfung des Sperrstatus von Zertifikaten“