HP Remote Device Access Security Overview for A.05.30 (December 2009)
A X.509 Certificates and Remote Device Access
A.1 Overview
An X.509 certificate contains a public key that can be used to check the validity of a digital signature. Such a
digital signature verifies the authenticity of a document, a message, another X.509 certificate, or any other datum
of interest. The digital signature is generated using the private key that corresponds to the X.509 certificate’s
public key. X.509 certificates are the basis of trust in most secure Internet protocols, the most pervasive being
SSL and TLS.
An X.509 certificate is identified by its subject name, which should be an X.500 name that is unique across
the Internet. For example, the X.500 subject name of one of VeriSign’s root certificates is C=US,
O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority.
Subject names not only identify certificates, they also identify the entity that issued the certificate. These
certificate issuers, called Certification Authorities (CAs), should be trusted third-party organizations.
Commercial CAs include VeriSign, Thawte, Entrust, and RSA.
The contents of an X.509 certificate that are relevant to this discussion are:
• Subject Name
• Issuer’s Subject Name
• Subject’s Public Key
• Serial Number
• Validity Period
• CRL Distribution Point
• Authority Information Access
The following documents provide more information:
• X.509 Certificates and Certificate Revocation Lists (CRLs): http://java.sun.com/j2se/1.5.0/docs/guide/security/cert3.html
• What is X.509?: http://www.tech-faq.com/x.509.shtml
• X.509 Style Guide by Peter Gutmann: http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
A.2 Certificate Revocation Lists
In an X.509 Public Key Infrastructure (PKI), a Certificate Authority (CA) attests a certificate’s authenticity by
signing the certificate with the CA’s private key. Anyone wishing to verify the certificate checks the signature
using the CA’s public key (that is, the CA’s certificate). If the certificate’s private key has been stolen, the
certificate can be revoked by the CA. The CA maintains revoked certificates in a Certificate Revocation List
(CRL). The CRL, which is a list of revoked certificates’ serial numbers, is signed by the CA. For a user to
validate a certificate, he/she must have a priori knowledge of the CA’s certificate.
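The following Go program is an added worked example covering both A.1 and A.2; it is not part of the HP document or the Remote Device Access product. Using only Go's standard crypto/x509 package, it self-signs a CA certificate, issues an end-entity certificate whose Issuer field is the CA's Subject Name, has the CA sign a CRL of revoked serial numbers, and then performs the relying-party check the appendix describes: start from an already-trusted CA certificate, verify the certificate's signature with the CA's public key, check the validity period, verify the CA's signature on the CRL, and look up the serial number. The organization name, the device name, the serial numbers and the CRL Distribution Point URL are constructed placeholders; the NextUpdate staleness check goes slightly beyond the appendix text and is the kind of check a relying party should add.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must turns an unrecoverable setup failure (no entropy, bad template) into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// signCert has signer (the CA's private key) sign tmpl and returns the parsed
// certificate; passing parent == tmpl produces a self-signed certificate.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// newCRL builds a CRL listing the revoked serial numbers and signs it with the CA's private key.
func newCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...int64) *x509.RevocationList {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(24 * time.Hour), // after this a relying party must refetch the CRL
		RevokedCertificates: entries,
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// validate is the relying party's check. It starts from a CA certificate it already trusts
// (the a priori knowledge the appendix mentions), confirms the Issuer name and the signature
// against the CA's public key, checks the validity period, verifies the CA-signed CRL, and
// finally searches the CRL for the certificate's serial number.
func validate(leaf, trustedCA *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	if !bytes.Equal(leaf.RawIssuer, trustedCA.RawSubject) {
		return fmt.Errorf("issuer %q is not the trusted CA", leaf.Issuer.String())
	}
	if err := leaf.CheckSignatureFrom(trustedCA); err != nil {
		return fmt.Errorf("certificate signature: %w", err)
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return fmt.Errorf("certificate is outside its validity period")
	}
	if err := crl.CheckSignatureFrom(trustedCA); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL is stale; fetch a fresh one from the CRL Distribution Point")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %s is revoked", leaf.SerialNumber)
		}
	}
	return nil
}

// scenario builds a CA, issues certificate serial 42, and validates it three ways: now against
// a CRL that revokes only serial 7, now against a CRL that also revokes 42, and two days from
// now (past the certificate's NotAfter). Names, serials and the CRL URL are constructed values.
func scenario() (acceptedNow, acceptedAfterRevocation, acceptedPastExpiry bool) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Country: []string{"US"}, Organization: []string{"Example CA, Inc."}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // may sign certificates and CRLs
	}
	ca := signCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	leaf := signCert(&x509.Certificate{
		SerialNumber:          big.NewInt(42),
		Subject:               pkix.Name{CommonName: "device42.example.invalid"},
		NotBefore:             time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		CRLDistributionPoints: []string{"http://crl.example.invalid/root.crl"},
	}, ca, &leafKey.PublicKey, caKey) // the CA's Subject Name becomes this certificate's Issuer
	stillTrusted := newCRL(ca, caKey, 7)
	revoked := newCRL(ca, caKey, 7, 42)
	return validate(leaf, ca, stillTrusted, time.Now()) == nil,
		validate(leaf, ca, revoked, time.Now()) == nil,
		validate(leaf, ca, stillTrusted, time.Now().Add(48*time.Hour)) == nil
}
```

Calling scenario() returns true, false, false: the certificate is accepted while its serial is absent from the CA-signed CRL, rejected once the CA lists serial 42, and rejected once the validity period has passed. Note that the check compares the CRL's signer with the already-trusted CA certificate and not with whatever certificate happens to accompany the CRL; a CRL is only as trustworthy as the key that signed it.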