RE: X.509 All in One
From: jef (jef_at_discussions.microsoft.com)
Date: 12/13/04
- Next message: drkraus: "RE: Need for programmatic config:timeToleranceInSeconds, MaxReques"
- Previous message: Softwaremaker: "Re: Regarding Webservices SSL"
- In reply to: jef: "RE: X.509 All in One"
- Next in thread: Tareq Muhammad: "RE: X.509 All in One"
- Reply: Tareq Muhammad: "RE: X.509 All in One"
- Reply: asn1_at_rd.francetelecom.com: "Re: X.509 All in One"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 13 Dec 2004 07:13:10 -0800
I re-read this and realized I mis-typed a couple of things that bear
clarification:
ASN.1: Abstract Syntax Notation One
BER: Basic Encoding Rules
CER: Canonical Encoding Rules
DER: Distinguished Encoding Rules
ASN.1 is a specification for encoding typed information in a serialized
format. In that sense, it has a similar function to Xml Schema -- describing
the types of information allowable. In fact, there are proposed mappings from
Xml Schema to ASN.1. The BER defines rules for encoding that provide the
encoder options as to how things are encoded. CER and DER subset the BER to
pick one or the other option explicitly, so that ambiguity may be removed.
You can read the spec in all its glory here:
http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
PKCS: Public Key Cryptography Standards
PDU: Protocol Data Units (aka message)
PKCS defines protocols, rules, and message formats for public key
cryptography. PKCS#12 exports a single ASN.1 PDU for PFX. This PDU is
[intended to be] the content of a file with an extension .pfx.
.CER are typically DER-encoded, public-key-only certificates. They *could*
however contain private key information, and it would most likely be in PKCS
#12 (pfx format), and you *should* be able to freely change the extensions,
because the underlying [binary] encoding is the same.
Now, with all that being said, I don't write code that writes these PDUs for
a living, and I mostly have exposure to them through [programmatic or
non-programmatic] use of PKI and watching SSL packets go by, so I reserve the
right to have some of the details wrong :)
"jef" wrote:
> Hi Tareq,
>
> That is a tall order. I hope I can get you closer to the answers you need,
> but no promises!
>
> Pronunciation: "Ecks five oh nine"
>
> X.509 is a collection of recommendations for standardizing public key
> infrastructure. See http://en.wikipedia.org/wiki/X.509 for an overview and
> links to the working group, where you can find and read all the relevant RFCs
> (a monumental task).
>
> There are a number of ways to get a certificate, and which to choose depends
> on how you want to use it. You can purchase certificates from, e.g.
> http://verisign.com/products-services/security-services/ssl/index.html that
> you can use in a web server. The certificate identifies the web server and
> provides a means of encrypting and signing, in the case of SSL/TLS, a
> symmetric key that is subsequently used to encrypt the data passed across the
> connection. You can also get personal certificates that you could use to
> digitally sign/verify or encrypt/decrypt, e.g. email messages or soap
> messages. If you are just wanting to get familiar with the technology, I
> would highly recommend that you use a product like OpenSSL
> (http://www.openssl.org) instead of purchasing a certificate. Microsoft also
> has tools that you can use to issue your own certificates if you have or
> don't mind purchasing the necessary software. Check out:
>
> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/sec_auth_certobtainsrv.asp
>
> .cer and .pfx are the file extensions of two different formats for
> certificate files.
> PFX is a PKCS#12 format. See
> http://www.rsasecurity.com/rsalabs/node.asp?id=2138 for the specification.
> .cer is a different format. CER stands for "Canonical Encoding Rules,"
> though by a nice twist of fate (in my experience), the contents of a .CER
> file are typically encoded using DER, the Distinguished Encoding Rules.
>
> PFX/PKCS#12 files store both the public and private key, where .CER only
> stores the public key.
>
> When a certificate is issued, it is typically in PKCS#12 format, so .pfx.
>
> The usage is general encryption/decryption and signature/verification,
> though it is typically used for SSL on web servers. It is rarely if ever used
> to sign code in my experience.
>
> Good luck, and I hope that helps.
> Jef Newsom
> http://integralpath.blogs.com
>
> "Tareq Muhammad" wrote:
>
> > X.509 All in One
> >
> > Hi All,
> >
> > I want to know everything about X.509
> >
> > Here is My Questions:
> >
> > 1. How to pronounce X.509?
> > 2. What is X.509?
> > 3. How to get X.509 Cert with detailed steps?
> > 4. What is .Cer and PFX? how to get each one of them?
> > 5. When I issue an X.509, does the issuer give me the .cer or PFX?
> > 6. What is X.509 usage, secure web services only? Or can it be used to sign
> > my code?
> >
> >
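An added example, not code from jef's post or from anyone in this thread: a small Python reader for the BER/DER tag-length-value encoding the message describes, used to tell a DER-encoded X.509 Certificate (the usual .cer payload) from a PKCS#12 PFX PDU (the usual .pfx payload) by the structure of the bytes rather than by the file extension, and to flag BER encodings (indefinite or non-minimal lengths) that are legal BER but not valid DER. All sample inputs are constructed inside the file; they mimic the outer shape of the two PDUs and are not real certificates or PFX files. Every function and constant name here is the example's own.

```python
"""Classify PKI blobs by their ASN.1 structure, not their file extension.

Added example for this thread, not code from the original post. It reads
BER/DER tag-length-value (TLV) encodings, rejects BER forms that DER
forbids (indefinite and non-minimal lengths), and tells an X.509
Certificate (the usual .cer payload) from a PKCS#12 PFX (the usual .pfx
payload) by the children of the outer SEQUENCE. All sample inputs below
are constructed for the example and are not real certificates or PFX files.
"""
import base64

TAG_INTEGER, TAG_BIT_STRING, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x03, 0x04, 0x06, 0x30


class EncodingError(ValueError):
    """Raised for truncated input or an encoding-rule violation."""


def read_tlv(buf, pos=0, strict_der=True):
    """Read one TLV at buf[pos:]; return (tag, value, end_offset).

    With strict_der=True, the indefinite length form and non-minimal
    long-form lengths (both legal BER, both forbidden by DER) are rejected.
    """
    if pos + 2 > len(buf):
        raise EncodingError("truncated: need tag and length")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if (tag & 0x1F) == 0x1F:
        raise EncodingError("multi-byte tags not handled in this example")
    if first == 0x80:  # indefinite length: contents end at the 00 00 end-of-contents marker
        if strict_der:
            raise EncodingError("indefinite length is BER, not DER")
        if not (tag & 0x20):
            raise EncodingError("indefinite length on a primitive type")
        start = pos
        while buf[pos:pos + 2] != b"\x00\x00":
            _, _, pos = read_tlv(buf, pos, strict_der=False)  # skip one nested TLV
        return tag, buf[start:pos], pos + 2
    if first < 0x80:  # short form: one length byte
        length = first
    else:             # long form: 0x8N followed by N length bytes
        nbytes = first & 0x7F
        lb = buf[pos:pos + nbytes]
        if nbytes == 0 or len(lb) != nbytes:
            raise EncodingError("bad long-form length")
        pos += nbytes
        length = int.from_bytes(lb, "big")
        if strict_der and (length < 0x80 or lb[0] == 0):
            raise EncodingError("non-minimal length is BER, not DER")
    if pos + length > len(buf):
        raise EncodingError("truncated: value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def children(value, strict_der=True):
    """Split a constructed value into its child TLVs as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos, strict_der)
        out.append((tag, val))
    return out


def _classify_der(blob, strict_der):
    tag, value, end = read_tlv(blob, 0, strict_der)
    if tag != TAG_SEQUENCE or end != len(blob):
        return "unknown"
    kids = children(value, strict_der)
    tags = [t for t, _ in kids]
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE,
    #                            signatureValue BIT STRING }
    if tags == [TAG_SEQUENCE, TAG_SEQUENCE, TAG_BIT_STRING]:
        return "x509-certificate"
    # PFX ::= SEQUENCE { version INTEGER {v3(3)}, authSafe ContentInfo, macData OPTIONAL }
    if tags[:2] == [TAG_INTEGER, TAG_SEQUENCE] and kids[0][1] == b"\x03":
        return "pkcs12-pfx"
    return "unknown"


def pem_to_der(blob):
    """Strip the -----BEGIN/END----- armor and base64-decode the DER inside."""
    lines = [l.strip() for l in blob.splitlines()]
    return base64.b64decode(b"".join(l for l in lines if l and not l.startswith(b"-----")))


def classify(blob):
    """Return 'x509-certificate', 'pkcs12-pfx', 'ber-not-der', 'unknown',
    or 'pem/<inner kind>' when the bytes are PEM-armored DER."""
    if blob.lstrip().startswith(b"-----BEGIN "):
        try:
            return "pem/" + classify(pem_to_der(blob))
        except ValueError:
            return "unknown"
    try:
        return _classify_der(blob, strict_der=True)
    except EncodingError:
        pass
    try:  # decodable once BER freedoms are allowed, so BER but not DER
        _classify_der(blob, strict_der=False)
        return "ber-not-der"
    except EncodingError:
        return "unknown"


def tlv(tag, value):
    """DER-encode one TLV (definite, minimal length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


# Constructed samples: placeholder contents, real OIDs for algorithm and content type.
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
ID_DATA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"     # 1.2.840.113549.1.7.1
CERT_BODY = (tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, b"\x02"))        # tbsCertificate stand-in
             + tlv(TAG_SEQUENCE, tlv(TAG_OID, SHA256_RSA_OID))   # signatureAlgorithm
             + tlv(TAG_BIT_STRING, b"\x00" + b"\xaa" * 8))        # signatureValue stand-in
SAMPLE_CER = tlv(TAG_SEQUENCE, CERT_BODY)                        # DER, like a .cer file
SAMPLE_PFX = tlv(TAG_SEQUENCE,                                   # DER, like a .pfx file
                 tlv(TAG_INTEGER, b"\x03")
                 + tlv(TAG_SEQUENCE, tlv(TAG_OID, ID_DATA_OID)
                       + tlv(TAG_OCTET_STRING, b"\x00" * 4)))
SAMPLE_BER_INDEF = bytes([TAG_SEQUENCE, 0x80]) + CERT_BODY + b"\x00\x00"   # same cert, BER only
SAMPLE_BER_LONG = bytes([TAG_SEQUENCE, 0x81, len(CERT_BODY)]) + CERT_BODY  # non-minimal length
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name in ("SAMPLE_CER", "SAMPLE_PFX", "SAMPLE_BER_INDEF", "SAMPLE_BER_LONG", "SAMPLE_PEM"):
        print(f"{name:17s} -> {classify(globals()[name])}")
```

For a real file, pass `open(path, "rb").read()` to `classify()`; the result depends only on the bytes, which is why renaming a DER .cer to .pfx changes nothing about what the file contains. The checks look only at the outer SEQUENCE and its immediate children; they do not validate the certificate, verify a signature, or open the PFX's authenticated safes, and the two BER samples exist only to show that a BER encoder's freedom of choice is exactly what DER removes.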