Certificates

Top  Previous  Next

A certificate is an electronic document, often in PEM format, which is used to prove the identity of a public key.

 

The certificate includes information about the key, the identity of the certificate holder (called the subject), and the digital signature of an entity that has verified the contents of the certificate (called the issuer).

In Transport Layer Security (TLS) the subject of a certificate is typically a computer or similar device.

 

The certificates are identified by the name that is provided when they are imported through the certificate dialog.

This name must be used when referring to a specific server or client certificate (e.g. when calling soConfigTLS).

 

Certificates which have an encryption key embedded (TLS server and TLS client certificates) may require a password when used.

 

 

The following three types of certificates are supported:

 

Root certificate

A root certificate is a self-signed certificate that identifies a root certificate authority (CA).

Root certificates are used to sign intermediate certificates, which in turn are used to sign TLS server certificates and TLS client certificates.

To verify that a TLS server or client certificate is valid, it is necessary to have the matching root certificate installed.

 

When validating external client/server certificates, all the installed root certificates are checked, regardless of their names.

 

 
TLS server certificate

In TLS, a server is required to present a certificate as part of the initial connection setup.

A client connecting to that server will verify at least two things:

1.The subject of the certificate matches the host-name to which the client is trying to connect.

2.The certificate is signed by a trusted CA.
 

Host names are listed in the Subject Alternative Name Field of the certificate.

 

If the server certificate is not signed directly by a root certificate, then it must include all the intermediate certificates that was used to sign it as a certificate chain.

 

 

TLS client certificate

Client certificates are less common than server certificates, and are used to authenticate the client connecting to a TLS server, for instance to provide access control.

 

If the client certificate is not signed directly by a root certificate, then it must include all the intermediate certificates that was used to sign it as a certificate chain.