How to

...

Download & Import Certificates into the Java Keystore

...

Terminology

  1. X.509:  an ITU-T standard based on the ASN.1 standard
  2. Public Key Cryptography Standard (PKCS):  a set of standards published by RSA
  3. Public Key Infrastructure (PKI):  the overall infrastructure based on public and private key cryptography (large prime numbers); usually includes services for issuing, signing, renewing, and revoking certificates
  4. Certificate Authority (CA):  a central authority (server) used to sign and issue certificates, usually public, e.g. Verisign, Thawte, etc.
  5. Root CA:  the top-level CA. Its certificate is usually self-signed, and the public certificate is distributed and installed on all clients; the private keys are usually locked away in a secure offline location to prevent compromise
  6. Signing/Intermediate CA:  the CA that is actually used to sign certificates
  7. Certificate Revocation List (CRL):  a list of revoked certificates
  8. Online Certificate Status Protocol (OCSP):  a protocol to detect whether a certificate has been revoked
  9. .CSR (Certificate Signing Request):  file extension for a certification request; it is what is presented to the signing CA to be signed into a certificate. It consists of three main parts: the certification request information, a signature algorithm identifier, and a digital signature over the certification request information. Usually encoded as PKCS#10 in a Base64 (plain-text) format
  10. Certificate:  the public key of a server/client/user with accompanying metadata, signed by a trusted authority and used for authentication; also called an X.509 certificate, since X.509 defines the format of certificates. Usually includes an expiration date
  11. Wildcard certificate:  a certificate that allows any hostname under a specific domain name
  12. Subject Alternative Name (SAN):  an X.509 v3 extension allowing alternative Fully Qualified Domain Names (FQDNs)/domains to be defined, e.g. DNS:wikiversity.org, DNS:wikivoyage.org, DNS:wiktionary.org
  13. Full chain:  used to indicate that all certificates up to a root authority are available, i.e. root CA, signing/intermediate CA, and the issued server/client/user certificate
  14. .DER (Distinguished Encoding Rules):  a subset of the X.690 ITU-T standard, which specifies several ASN.1 encoding formats; also a file extension for certificates (usually binary encoded)
  15. .PEM (Privacy-enhanced Electronic Mail):  certificate extension; a Base64 (plain-text) encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
  16. .CER, .CRT (Certificate):  certificate extension; usually either binary X.509 (DER) or Base64 (plain-text) encoded
  17. .P7B, .P7C (PKCS#7):  bundled certificate extension; a SignedData structure without data, containing just certificate(s) or CRL(s)
  18. .P12 (PKCS#12) / .PFX (Personal inFormation eXchange):  a bundle of (usually full-chain) public certificate(s) and password-protected private keys; PFX was a MS IIS standard that was the precursor to P12
  19. .JKS (Java Key Store):  Java key store (repository) and file extension used to store private keys, public keys, and certificates; created by Java's keytool binary
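To make the PEM/DER/PKCS#7 distinctions above concrete, here is an added example (not part of the original page, standard library only) that detects a file's format, splits a PEM full-chain bundle into per-certificate DER blobs (the form keytool imports one alias at a time), and checks each blob's X.690 length framing. The sample data is constructed, not real certificates.

```python
import base64
import re

# One PEM block; the label tells a plain CERTIFICATE apart from a PKCS7 bundle or a key.
PEM_BLOCK = re.compile(r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>[A-Za-z0-9+/=\s]*?)\s*-----END (?P=label)-----")

def detect_format(data: bytes) -> str:
    """Classify raw file bytes as 'PEM', 'PKCS7-PEM', binary 'DER', or 'unknown'."""
    if b"-----BEGIN " in data:
        labels = {m.group("label") for m in PEM_BLOCK.finditer(data.decode("ascii", "replace"))}
        return "PKCS7-PEM" if "PKCS7" in labels else "PEM"
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: a DER certificate, or a PKCS#7/PKCS#12 container
        return "DER"
    return "unknown"

def der_total_length(der: bytes) -> int:
    """Encoded size of the outer SEQUENCE (tag + length bytes + content), per X.690 length rules."""
    if der[:1] != b"\x30":
        raise ValueError("not an ASN.1 SEQUENCE")
    first = der[1]
    if first < 0x80:  # short form: a single length byte
        return 2 + first
    n = first & 0x7F  # long form: the next n bytes hold the content length, big-endian
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def split_pem_chain(text: str) -> list:
    """DER bytes of every CERTIFICATE block, in file order; other block types are skipped."""
    certs = []
    for m in PEM_BLOCK.finditer(text):
        if m.group("label") != "CERTIFICATE":
            continue  # PKCS7 / PRIVATE KEY blocks need conversion before keytool can import them
        der = base64.b64decode("".join(m.group("body").split()))
        if der_total_length(der) != len(der):
            raise ValueError("certificate body is truncated or has trailing bytes")
        certs.append(der)
    return certs

def to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes as a PEM block (Base64 in 64-column lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample data (not real certificates): two minimal DER SEQUENCEs, one with a
# short-form and one with a long-form length, plus a PKCS7 block that must be skipped.
LEAF = b"\x30\x03\x02\x01\x05"                       # SEQUENCE { INTEGER 5 }, 5 bytes
ROOT = b"\x30\x81\x80" + b"\x04\x7e" + b"A" * 126    # SEQUENCE (128-byte content), 131 bytes
SAMPLE_BUNDLE = to_pem(LEAF) + to_pem(ROOT)          # a two-certificate "full chain" in PEM
SAMPLE_P7B = to_pem(LEAF, "PKCS7")                   # PEM-wrapped PKCS#7, not importable as-is
```

Each returned DER blob can be written to its own file and imported with `keytool -importcert` under a separate alias; PKCS7 and private-key blocks are left out rather than being imported as certificates.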

...