.NET Forum / ASP.NET / Web Services / December 2004


X.509 All in One

Tareq Muhammad - 11 Dec 2004 14:13 GMT

Hi All,

I want to know everything about X.509.

Here are my questions:

1. How to pronounce X.509?
2. What is X.509?
3. How to get an X.509 cert, with detailed steps?
4. What is .CER and PFX? How to get each one of them?
5. When I am issued an X.509, does the issuer give me the .CER or the PFX?
6. What is X.509's usage, secure web services only? Or can it be used to sign
my code?
jef - 11 Dec 2004 16:35 GMT
Hi Tareq,

That is a tall order. I hope I can get you closer to the answers you need,
but no promises!

Pronunciation: "Ecks five oh nine"

X.509 is a collection of recommendations for standardizing public key
infrastructure. See http://en.wikipedia.org/wiki/X.509 for an overview and
links to the working group, where you can find and read all the relevant RFCs
(a monumental task).

There are a number of ways to get a certificate, and which to choose depends
on how you want to use it. You can purchase certificates from, e.g.
http://verisign.com/products-services/security-services/ssl/index.html that
you can use in a web server. The certificate identifies the web server and
provides a means of encrypting and signing, in the case of SSL/TLS, a
symmetric key that is subsequently used to encrypt the data passed across the
connection. You can also get personal certificates that you could use to
digitally sign/verify or encrypt/decrypt, e.g. email messages or soap
messages. If you are just wanting to get familiar with the technology, I
would highly recommend that you use a product like OpenSSL
(http://www.openssl.org) instead of purchasing a certificate. Microsoft also
has tools that you can use to issue your own certificates if you have or
don't mind purchasing the necessary software. Check out:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/sec_auth_certobtainsrv.asp


.cer and .pfx are the file extensions of two different formats for
certificate files.
PFX is a PKCS#12 format. See
http://www.rsasecurity.com/rsalabs/node.asp?id=2138 for the specification.
.cer is a different format. CER stands for "Canonical Encoding Rules,"
though by a nice twist of fate (in my experience), the contents of a .CER
file are typically encoded using DER, the Distinguished Encoding Rules.

PFX/PKCS#12 files store both the public and private key, where .CER only
stores the public key.

When a certificate is issued, it is typically in PKCS#12 format, so .pfx.

The usage is general encryption/decryption and signature/verification,
though it is typically used for SSL on web servers. It is rarely if ever used
to sign code in my experience.

Good luck, and I hope that helps.
Jef Newsom
http://integralpath.blogs.com

Tareq Muhammad - 11 Dec 2004 19:03 GMT
That is great, Jef. Now I want to create my own certificate using makecert.exe.
I want to create the .pfx file and .cer exactly like what happened with the
WSE samples.

I found 3 files, one .cer and 2 .pfx files.

Last question: why didn't they offer a .cer file for the client too? The .cer
which is included just contains the public key for the server, which will be
used by the client to encrypt the message, but in the response from the server,
the server should encrypt with the client's public key, so we should expect that
there is a .cer file.

Again about VeriSign, how do you separate the public key from the certificate?
And which certificate format will they give me, and what is the recommended one?

jef - 12 Dec 2004 04:49 GMT
Tareq,

It looks like they don't export the public key for the client because it
isn't necessary for what they are demonstrating in the sample (which appears
to only be encrypted in the request, but I could be wrong). It has been a
good while since I have gone through the samples, though.
You are thinking along the right lines about how the certificates would need
to be configured for bi-directional, confidential communication.

You can easily export the public key using either internet explorer or the
MMC certificate snap-in. For IE, the steps are something like:
Tools>Options>Content Tab>Certificates... button
Select the certificate you want to export, and hit the export button. Follow
the wizard and export the certificate DER encoded .CER format. It should be
fairly self explanatory.

Verisign actually has really detailed installation instructions that explain
how they deliver certificates:
http://www.verisign.com/support/install/index.html

jef - 13 Dec 2004 15:13 GMT
I re-read this and realized I mis-typed a couple of things that bear
clarification:

ASN.1: Abstract Syntax Notation One
BER: Basic Encoding Rules
CER: Canonical Encoding Rules
DER: Distinguished Encoding Rules

ASN.1 is a specification for encoding typed information in a serialized
format. In that sense, it has a similar function to XML Schema -- describing
the types of information allowable. In fact, there are proposed mappings from
XML Schema to ASN.1. The BER defines rules for encoding that provide the
encoder options as to how things are encoded. CER and DER subset the BER to
pick one or the other option explicitly, so that ambiguity may be removed.
You can read the spec in all its glory here:
http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf

PKCS: Public Key Cryptography Standards
PDU: Protocol Data Unit (aka message)
PKCS defines protocols, rules, and message formats for public key
cryptography. PKCS#12 exports a single ASN.1 PDU for PFX. This PDU is
[intended to be] the content of a file with the extension .pfx.

.CER files are typically DER-encoded, public-key-only certificates. They *could*
however contain private key information, and it would most likely be in PKCS
#12 (pfx format), and you *should* be able to freely change the extensions,
because the underlying [binary] encoding is the same.

Now, with all that being said, I don't write code that writes these PDUs for
a living, and I mostly have exposure to them through [programmatic or
non-programmatic] use of PKI and watching SSL packets go by, so I reserve the
right to have some of the details wrong :)

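The points made above about formats, in Jef's first reply (.cer holds a public-key-only certificate, .pfx holds a PKCS#12 PDU, and the extension is only a convention) and in this last one (DER is the unambiguous subset of BER), are easier to see against real bytes. The following is an added example, not code from the thread or from any of the tools mentioned in it. It uses only the Python standard library; the sample blobs at the bottom are hand-constructed skeletons that copy the outer shape of a Certificate, a PFX and a PEM wrapper, not real certificates, so the sniffer's classification rests on the first two ASN.1 elements only.

```python
"""Walk the ASN.1 DER behind .cer and .pfx files and tell the formats apart.

Added example for this thread, not code from the original posts.  Standard
library only.  The sample blobs at the bottom are hand-constructed skeletons
that mimic the outer shape of a Certificate and a PFX; they are not real
certificates and carry no real keys.
"""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def der(tag: int, content: bytes) -> bytes:
    """Encode one element with DER's mandatory minimal-length form."""
    n = len(content)
    if n < 0x80:                                          # short form
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content    # long form


def read_tlv(data: bytes, pos: int = 0):
    """Decode one tag/length header at pos -> (tag, header_len, content_len).

    DER is the BER subset with exactly one encoding per value, so two
    BER-legal length forms are rejected: indefinite length (0x80, closed by
    end-of-contents octets) and long-form lengths that are not minimal.
    """
    if pos + 2 > len(data):
        raise ValueError("truncated header")
    tag, first = data[pos], data[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not handled in this example")
    if first == 0x80:
        raise ValueError("indefinite length: BER, not DER")
    if first < 0x80:
        hdr, length = 2, first
    else:
        n = first & 0x7F
        if n > 4 or pos + 2 + n > len(data):
            raise ValueError("bad or truncated long-form length")
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        if length < max(0x80, 1 << (8 * (n - 1))):
            raise ValueError("non-minimal length: BER, not DER")
        hdr = 2 + n
    if pos + hdr + length > len(data):
        raise ValueError("element overruns buffer")
    return tag, hdr, length


def walk(data: bytes, pos: int = 0, end=None, depth: int = 0, out=None):
    """Return [(depth, tag, content_len), ...] for every element, recursing
    into constructed types (bit 0x20 set: SEQUENCE, SET, ...)."""
    out = [] if out is None else out
    end = len(data) if end is None else end
    while pos < end:
        tag, hdr, length = read_tlv(data, pos)
        if pos + hdr + length > end:
            raise ValueError("element overruns its container")
        out.append((depth, tag, length))
        if tag & 0x20:
            walk(data, pos + hdr, pos + hdr + length, depth + 1, out)
        pos += hdr + length
    return out


def is_der(blob: bytes) -> bool:
    """True if the whole blob parses as well-formed DER."""
    try:
        walk(blob)
        return True
    except ValueError:
        return False


def pem_to_der(blob: bytes) -> bytes:
    """Strip PEM armour and return the DER inside (the same bytes a binary
    .cer would hold)."""
    m = PEM_RE.search(blob)
    if not m:
        raise ValueError("no PEM block")
    return base64.b64decode(b"".join(m.group(2).split()))


def sniff(blob: bytes) -> str:
    """Classify by content: .cer/.crt/.pfx/.p12 extensions are conventions."""
    m = PEM_RE.search(blob)
    if m:
        return "PEM " + m.group(1).decode()
    tag, hdr, _ = read_tlv(blob)
    if tag != 0x30:
        return "unknown (not an ASN.1 SEQUENCE)"
    inner, ihdr, ilen = read_tlv(blob, hdr)
    if inner == 0x30:                    # Certificate starts with tbsCertificate
        return "DER X.509 Certificate"
    if inner == 0x02:                    # a leading INTEGER is a version field
        version = int.from_bytes(blob[hdr + ihdr:hdr + ihdr + ilen], "big")
        if version == 3:
            return "PKCS#12 PFX (may hold private keys)"
        if version == 0:
            return "private key (PKCS#1 RSAPrivateKey or PKCS#8 v1)"
    if inner == 0x06:                    # ContentInfo starts with an OID
        return "PKCS#7/CMS ContentInfo"
    return "unknown ASN.1 SEQUENCE"


# Constructed skeletons (not real certificates); the sniffer only inspects
# the first two elements, so the inner fields are placeholders.
SAMPLE_CER = der(0x30, der(0x30, der(0x02, b"\x02") + der(0x13, b"CN=example"))
                 + der(0x03, b"\x00" + b"\x01" * 4))
SAMPLE_PFX = der(0x30, der(0x02, b"\x03")
                 + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01")))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CER)
              + b"-----END CERTIFICATE-----\n")
```

Run `sniff()` over the three samples (or over a real .cer and .pfx from the WSE samples) and `walk()` over the .cer to see the nested SEQUENCE layout; `is_der()` is what a strict decoder does when handed BER, which is why a .cer produced by one tool occasionally fails to load in another.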
Tareq Muhammad - 14 Dec 2004 09:19 GMT
Thank you Jef, for your great and deep help :)

asn1@rd.francetelecom.com - 20 Dec 2004 09:34 GMT
> ASN.1 is a specification for encoding typed information in a serialized
> format. In that sense, it has a similar function to Xml Schema -- describing
[quoted text clipped - 4 lines]
> You can read the spec in all it's glory here:
> http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf

There are also two books about ASN.1 available free-of-charge from OSS
Nokalva, an ASN.1 tool vendor, at:
http://www.oss.com/asn1/booksintro.html

O. Dubuisson
