Public Key Infrastructure (PKI) definitions and terminologies.
PKI: Public Key Infrastructure
PKI stands for Public Key Infrastructure. It is a system that enables secure communication over the internet by using public key cryptography. PKI is a collection of policies, procedures, hardware, software, and people that work together to create, manage, distribute, and revoke digital certificates and public-private key pairs.
In PKI, each entity has a public-private key pair, and the public key is published in a digital certificate, which is signed by a trusted third party known as a Certificate Authority (CA).
X.509 Certificate Decoder
This tool provides online X.509 certificate decoding for free.
Privacy first: the certificate decoding process occurs locally in your browser, with no data sent to any external server.
You can examine an X.509 certificate in PEM format in your browser without any external server, similar to using openssl, but with greater privacy because there is no communication with a server.
Input X.509 certificate (in PEM format)
The certificate data remains within your browser and is decoded by JavaScript executed on the client side, so it is never transmitted.
2015: Let’s Encrypt Root CA Initial Setup
In 2015, Let’s Encrypt had three CA certificates:
ISRG Root X1 Certificate
Let’s Encrypt Intermediate X1 CA Certificate
Let’s Encrypt Intermediate X2 CA Certificate
Let’s Encrypt issues certificates to subscribers from its intermediate CAs, allowing Let’s Encrypt to keep the root CA safely offline. IdenTrust cross-signs the Let’s Encrypt intermediates. This allows our end certificates to be accepted by all major browsers while Let’s Encrypt propagates its own root.
CRL Introduction
CRLs (Certificate Revocation Lists) are signed data structures that contain a list of revoked certificates. The integrity and authenticity of the CRL are provided by the digital signature appended to the CRL. The signer of the CRL is typically the same entity that signed the issued certificates.
The CRL is defined in RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
CRL File Format
A CRL is encoded in X.509 (ASN.1 DER) format; the CRL v2 structure is as below:
OCSP Introduction
The Online Certificate Status Protocol (OCSP) is documented in RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol.
OCSP is a relatively simple request/response protocol used to determine the current status of a digital certificate without requiring CRLs.
OCSP messages are encoded in ASN.1.
OCSP Request
An OCSP request contains the following data:
protocol version (currently only version 1 is defined)
service request
one or more target certificate identifiers