The document provides an overview of X.509 certificates, discussing the fundamentals of cryptography, including symmetric and asymmetric cryptography, digital signatures, and hash functions. It explains the role of Certification Authorities (CAs) in issuing certificates, the concept of a certification path, and the importance of a root certificate in verifying digital identities. Additionally, it addresses the management of digital certificates, their expiration, and the distinctions between certificate encodings and file extensions.

1. An introduction to
X.509 certificates
Stéphane Potier
stephane.potier [at] br-automation.com

2. Basics of cryptography
Symmetric cryptography
Private/Public-key algorithms
Secure Hash Function
Digital Signature

3. Symmetric cryptography
Symmetric cryptography (e.g. AES) is used for data encryption
A secret ciphering key is used for both encryption and decryption (128 or 256 bits
recommended)
The secret ciphering key must be known by both client and server, it must be exchanged in a
secure way between them
Based on secret ciphering key

4. Public and Private Key pair
The Public and Private Key pair comprise of two uniquely
mathematically related cryptographic keys
• A public key is made available to everyone
• A private key is confidential to its owner
Whatever is encrypted with a Public Key may only be decrypted
by its corresponding Private Key and vice versa
Public and Private Key pair is used by :
• Asymmetrical cryptography, for confidentiality
• Digital signature, for authentication
Unpredictable large random numbers

5. Asymmetrical cryptography
Public-key cryptography is a class of cryptographic protocols based on algorithms that require
Public and Private Key pair
• Public Key may be disseminated widely, Private Key is secret and only known by the owner
• The Public Key is used to encrypt the message, the Private Key to decrypt it
• For example, Bob uses the Public Key of Alice to encrypt a message. Alice is the only one that can decrypt the message. The
message remains confidential to anyone else since they do not know Alice’s Private Key.
Public-key algorithm

6. Secure Hash Algorithm (SHA)
Hash functions are used to map data of arbitrary size to data of fixed size
In cryptography, hash function produce a checksum (hash value) used to verify data integrity
A cryptographic hash function has following characteristics:
• Minor change in the input data completely change the hash value
• Easy verification that some input data maps to a given hash value
• Difficulty to reconstruct input data from hash value
SHA (Secure Hash Algorithm) is a
famous cryptographic hash function
• SHA0 is obsolete
• SHA1 is deprecated since 31/12/2016
• SHA2 is currently recommended
• SHA3 are newest version
Integrity of data

7. Digital signature
Digital signature ensure authentication and integrity of data
• Asymmetric cryptography used for data authentication
• Cryptographic hash function used for data integrity
Authentication and integrity of data

8. Combining symmetric and asymmetric algorithms
Symmetric cryptography
• Fast encryption requiring less processing power
• Secure exchange of ciphering key is necessary
Asymmetric cryptography
• Slow encryption method based on long keys (2048 bits)
• Requires public key infrastructure
Exchange of session key between Bob and Alice via asymmetric cryptography , then
symmetric cryptography based on this session key
Session key exchange

9. Basics of
X.509 certificates

10. X.509 certificate
A digital certificate certifies the ownership of a public key by the named subject of the
certificate
The digital certificate itself is protected by a digital signature whose authenticity can be verified
by the public key of the Certification Authority (CA) that issued the certificate
Ensuring authenticity and integrity

11. Certification Authority (CA)
Certification Authority (CA) issues certificates
Certificate is signed with the private key of the CA
CA’s private key must be very private, it is the basis of all trust for issued certificates
Trusted third party issuing certificates

12. Obtaining digital certificate
A certificate signing request (CSR) is sent from an applicant to a certificate authority in order
to apply for a digital identity certificate
Certificate signing request

13. Verifying digital certificate
Authentication and Integrity of a certificate is verified using the Public Key of the Certification
Authority that issued that certificate
Authentication and Integrity check

14. Certification path
Chain of trust
• A certificate contains its issuer (CA that signed it)
• The issuer’s certificate also contains its issuer (CA that signed issuer’s certificate)
• This chain of certificates is called a certification path
Digital certificates are verified using a chain of trust

15. Root certificate
A root certificate is the top-most certificate of the certification path
A root certificate is issued by a trusted certificate authority (CA), which self-sign it
The root certificate is usually made trustworthy by secure physical distribution (distributed with
operating system)
Top-most certificate of the certification path
Self-signed

16. Verification of digital certificates
1. Client (i.e. web browser) initiate a TLS handshake with Amazon website, and gets certificates for both Amazon and Symantec
2. Client verifies Amazon’s certificate using Symantec’s Public Key contained in Symantec’s certificate
3. Client verifies Symantec’s certificate using VeriSign’s Public Key contained in VeriSign’s certificate (VeriSign’s certificate is a root
certificate locally stored on the client by the operating system)
Digital certificates are verified using a chain of trust

17. Self-signed certificate
A self-signed certificate :
• Is signed by issuer to identify itself
• Is signed by issuer with its own private key
• Has no Certificate Authority
The benefits:
• Self-signed certificates are free of charge (unlike CA issued certificates)
The risks :
• Self-signed certificates are not issued by a trusted certificate authority (1)
• Since client can not trust this self-signed certificate, it will raise a warning
• Users must avoid being “trained” to bypass warnings or add exceptions
→ An entity accepting a self-signed certificate must follow similar trusting process than the
addition of a new CA certificate
(1) Excepted for root certificates that are self-signed and issued by trusted certification authority
Risks and benefits

18. X.509 certificate encodings and file extensions
DER vs. CRT vs. CER vs. PEM
Certificate encodings Encoding type
PEM (Privacy Enhanced Mail) Base64 ASCII encoding
DER (Distinguished Encoding Rules) Binary encoding
Certificate file extension Encoding type
.cer PEM or DER
.crt PEM or DER
.der DER
.pem PEM
DER encoded, .cer file extension, certificate
PEM encoded, .pem file extension, certificate

19. Certificate store
A certificate store is used to store and manage digital certificates
Certificate store usually contains :
• Own private keys
• Own certificates
• Trusted 3rd party certificates
• Revocation list (certificates revoked by the issuing CA before their scheduled expiration date and should no longer be trusted)
Most well-known root certificates are usually stored in the certificate store
It is possible to add a root (signed by CA) certificate or a self-signed certificate in the
certificate store
Only add a trusted certificate in the certificate store !!!
Storage of digital certificates

20. Expired certificate
Every certificate has an expiry date, meaning the time and date past which the certificate is no
longer valid
The client determines what happens once certificate expires on a server
• The client can not connect to the server
• A warning is raised to indicate certificate has expired
• …
Before current certificate expires, a new certificate must be installed in the server
Validity date expiry

21. PERFECTION IN AUTOMATION