A.05.70 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2011, 5900-1735)
A X.509 Certificates and Insight Remote Support Advanced
A.1 Overview
An X.509 certificate contains a public key that can be used to check the validity of a digital signature. This digital signature verifies the authenticity of a document, a message, another X.509 certificate, or any datum of interest. The digital signature is generated using the private key corresponding to the X.509 certificate. X.509 certificates are the basis of trust in most secure Internet protocols, the most pervasive being SSL and TLS.
An X.509 certificate is identified by its subject name, which should be an X.500 name that is unique across
the Internet. For example, the X.500 subject name for one of VeriSign’s root certificates is C=US,
O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
Subject names not only identify certificates, they also identify the entity that issued the certificate. These
certificate issuers, called Certification Authorities (CAs), should be trusted third-party organizations. Commercial
CAs include VeriSign, Thawte, Entrust, and RSA.
The contents of an X.509 certificate that are relevant to this discussion are:
• Subject Name
• Issuer’s Subject Name
• Subject’s Public Key
• Serial Number
• Validity Period
• CRL Distribution Point
• Authority Information Access
The following documents provide more information:
• X.509 Certificates and Certificate Revocation Lists (CRLs)
http://download.oracle.com/javase/1.5.0/docs/guide/security/cert3.html
• What is X.509?
http://www.tech-faq.com/x.509.shtml
• X.509 Style Guide, by Peter Gutmann
http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
A.2 Certificate Revocation Lists
In an X.509 Public Key Infrastructure (PKI), a Certificate Authority (CA) attests a certificate’s authenticity by
signing the certificate with the CA’s private key. Anyone wishing to verify the certificate checks the signature
using the CA’s public key (that is, the CA’s certificate). If the certificate’s private key has been stolen, the
certificate can be revoked by the CA. The CA maintains revoked certificates in a Certificate Revocation List
(CRL). The CRL, which is a list of revoked certificates’ serial numbers, is signed by the CA. For a user to
validate a certificate, he/she must have a priori knowledge of the CA’s certificate.
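The checks this section and the following one describe (CA signs the end-entity certificate, the relying party holds the CA certificate in advance, the CA signs a CRL of revoked serial numbers, and the relying party checks validity period, issuer signature and revocation status) can be exercised end to end with Go's standard library. The program below is an added illustration, not code from the HP product or from this appendix: it builds a throwaway CA and one server certificate at run time (the names "Example Root" and "rsc-server.example" are constructed placeholders), issues a CRL, and then runs the relying-party checks in the order the appendix lists them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI holds a toy hierarchy generated at run time: one self-signed CA and one
// end-entity (server) certificate it issued. Nothing here is real CA material.
type PKI struct {
	CAKey  *ecdsa.PrivateKey
	CACert *x509.Certificate
	EECert *x509.Certificate
}

// newPKI constructs the CA and signs a server certificate with the CA's private key.
func newPKI(now time.Time) (*PKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Example CA"}, CommonName: "Example Root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// The CA must be allowed to sign both certificates and CRLs.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	eeKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	eeTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), // constructed serial; the CRL refers to this value
		Subject:      pkix.Name{CommonName: "rsc-server.example"},
		DNSNames:     []string{"rsc-server.example"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	eeDER, err := x509.CreateCertificate(rand.Reader, eeTmpl, caCert, &eeKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	eeCert, err := x509.ParseCertificate(eeDER)
	if err != nil {
		return nil, err
	}
	return &PKI{CAKey: caKey, CACert: caCert, EECert: eeCert}, nil
}

// issueCRL has the CA sign a list of revoked serial numbers (DER-encoded CRL).
func (p *PKI) issueCRL(now time.Time, revoked []*big.Int) ([]byte, error) {
	entries := make([]pkix.RevokedCertificate, 0, len(revoked))
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	tmpl := &x509.RevocationList{
		RevokedCertificates: entries,
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(24 * time.Hour),
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.CACert, p.CAKey)
}

// validate is the relying party: it already holds trustedCA (a priori knowledge),
// checks the validity period, verifies the chain to trustedCA, then checks the
// CA-signed CRL for the certificate's serial number.
func validate(cert, trustedCA *x509.Certificate, crlDER []byte, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate outside its validity period")
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return fmt.Errorf("issuer signature/chain check failed: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("bad CRL: %w", err)
	}
	// A CRL is only meaningful if the trusted CA signed it and it is not stale.
	if err := crl.CheckSignatureFrom(trustedCA); err != nil {
		return fmt.Errorf("CRL signature check failed: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL is stale (NextUpdate %s)", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", cert.SerialNumber)
		}
	}
	return nil
}

func main() {
	now := time.Now()
	p, err := newPKI(now)
	if err != nil {
		panic(err)
	}
	clean, _ := p.issueCRL(now, nil)
	revoked, _ := p.issueCRL(now, []*big.Int{p.EECert.SerialNumber})
	fmt.Println("fresh cert, empty CRL:  ", validate(p.EECert, p.CACert, clean, now))
	fmt.Println("fresh cert, revoked:    ", validate(p.EECert, p.CACert, revoked, now))
	fmt.Println("cert after NotAfter:    ", validate(p.EECert, p.CACert, clean, now.Add(48*time.Hour)))
}
```

The order of checks matters for the point the appendix makes: the CRL is consulted only after the certificate has been tied to a CA the client already trusts, and the CRL itself is rejected unless that same CA signed it, so a forged or unsigned CRL cannot "un-revoke" a certificate.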
A.3 Digital Signature Verification in the Remote Support Client
A.3.1 Signature Checking
The Remote Support Client (RSC) running on the CMS connects to a server at HP, https://services.isee.hp.com,
using SSL or TLS. The server signs a message containing a copy of its X.509 certificate and returns the
message to the RSC. The RSC must then verify the identity of the server:
1. The client checks the validity period of the server’s certificate. If the current date is not between the start
and end times of the certificate, the check fails.
2. Using the public key contained in the server’s certificate the client checks the message’s digital signature.
Failure at this point causes validation failure.
3. The client attempts to verify the server’s certificate. This is done by finding the certificate of the server
certificate’s issuer. This issuer’s certificate can be sent along with the server’s certificate or stored locally
on the client. (Most web browsers have a built-in certificate store of well-known certificate issuers.) If