Certificates, About certificate authorities (cas) – Apple Mac OS X Server (Version 10.6 Snow Leopard) User Manual

Web, mail, and directory services use the public key with SSL to negotiate a shared key
for the duration of the connection.

For example, a mail server will send its public key to a connecting client and initiate
negotiation for a secure connection. The connecting client uses the public key to
encrypt a response to the negotiation. The mail server, because it has the private key,
can decrypt the response. The negotiation continues until the mail server and the
client have a shared secret to encrypt traffic between computers.

Certificates

A certificate is an electronic document that contains a public key with identification
information (name, organization, email address, and so on). In a public key
environment, a certificate is digitally signed by a Certificate Authority, or by its own
private key (the latter being a self-signed certificate).

A public key certificate is a file in a specified format (Mac OS X Server uses the X.509
format) that contains:

• The public key half of a public-private key pair
• The key user’s identity information, such as a person’s name and contact information
• A validity period (how long the certificate can be trusted to be accurate)
• The URL of someone with the power to revoke the certificate (its revocation center)
• The digital signature of a CA, or the key user

About Certificate Authorities (CAs)

A CA is an entity that signs and issues digital identity certificates claiming that a party
is correctly identified. In this sense, a CA is a trusted third party used by other parties
when performing transactions.

In X.509 systems such as Mac OS X, CAs are hierarchical, with CAs being certified by
higher CAs, until you reach a root authority. A root authority is a CA that’s trusted by
the parties, so it doesn’t need to be authenticated by another CA. The hierarchy of
certificates is top-down, with the root authority’s certificate at the top.

A CA can be a company that signs and issues a public key certificate. The certificate
attests that the public key belongs to the owner recorded in the certificate.

In a sense, a CA is a digital notary public. You request a certificate by providing the CA
with your identity information, contact information, and the public key. The CA then
verifies your information so users can trust certificates issued for you by the CA.
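The hierarchy described above, as an added example that is not part of the Apple manual: the openssl CLI builds a self-signed root, an intermediate CA it certifies, and a mail server certificate issued by that intermediate, then prints the certificate contents listed in the Certificates section and verifies the chain back to the root. It assumes openssl 1.1.1 or later is on PATH; every organization name, host name and CRL URL is made up.

```shell
# Added example, not from the Apple manual: build the CA hierarchy the text
# describes (self-signed root -> intermediate CA -> mail server certificate)
# with the openssl CLI, then inspect the leaf's fields and verify the chain.
# Assumes openssl 1.1.1 or later on PATH; every name and URL below is made up.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Private key + certificate request for one subject. EC keys keep this fast.
new_csr() {  # $1 = file stem, $2 = subject DN
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

build_hierarchy() {
  # Extensions: CA certs get CA:TRUE; the leaf gets the CRL URL (the manual's
  # "revocation center") and the host name the mail client will connect to.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mail.example.test\ncrlDistributionPoints=URI:http://crl.example.test/issuing.crl\n' > leaf.ext

  new_csr root  "/O=Example Corp/CN=Example Root CA"
  new_csr inter "/O=Example Corp/CN=Example Issuing CA"
  new_csr leaf  "/O=Example Corp/CN=mail.example.test"

  # Root: signed with its own private key, so issuer == subject (self-signed).
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.pem 2>/dev/null
  # Intermediate: signed by the root. Leaf: signed by the intermediate.
  openssl x509 -req -in inter.csr -CA root.pem  -CAkey root.key  -CAcreateserial -days 1825 -extfile ca.ext   -out inter.pem 2>/dev/null
  openssl x509 -req -in leaf.csr  -CA inter.pem -CAkey inter.key -CAcreateserial -days 365  -extfile leaf.ext -out leaf.pem  2>/dev/null
}

# The contents the manual lists: identity, signer (issuer), validity period, CRL URL.
show_leaf_fields() {
  openssl x509 -in leaf.pem -noout -nameopt RFC2253 -subject -issuer -dates -ext crlDistributionPoints
}

# A leaf is trusted only if every signature checks out up to a root in the trust
# store (-CAfile). The intermediate is supplied (-untrusted) but not trusted itself.
verify_chain() {
  openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem
}

build_hierarchy
show_leaf_fields
verify_chain
# Without the intermediate the chain cannot be completed, so verification fails.
openssl verify -CAfile root.pem leaf.pem 2>/dev/null || echo "leaf alone: chain incomplete (expected)"
```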

60   Chapter 4   Enhancing Security