X.509 certificates
z/OS Security Server RACF Security Administrator's Guide, SA23-2289-00
Public keys can be freely disseminated. In fact, the success of the various public key protocols requires a systematic and trustworthy way of distributing public keys and securely storing their associated private keys. The X.509 digital certificate is the packaging that enables the distribution of a single public key. The X.509 standard is the subsection of the International Telecommunication Union (ITU) X.500 directory standard that defines certificates. The X.509 digital certificate is a data structure that contains, at minimum, the following fields:
In addition to these required fields, an X.509 certificate might contain one or more extensions that hold information about how the key is to be used (a KeyUsage extension) or how the certificate authority conducts its business (a CertificatePolicies extension).

In its simplest form, a digital certificate is a binding between a named entity (a person or device) and a public key. It is a declaration that, for example, party A owns public key 123. Digital certificates can be issued by certificate authorities or they can be self-issued. Certificate authorities (CAs) are often well-known commercial organizations, or they can be local or internal organizations. When a certificate authority uses its private key to sign and issue a certificate, it makes the declaration that binds the entity (subject) to its public key. When an organization issues its own certificate with itself as both subject and issuer, signing with its own private key, the certificate is called a self-signed certificate.
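The subject/issuer binding, the KeyUsage extension and the self-signed case described above, shown as an added example using Go's standard crypto/x509 package (this is not code from the guide or from RACF; the subject name "Party A", the serial number and the validity period are constructed values):

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertSummary holds what a checker would want to know about the binding.
type CertSummary struct {
	Subject, Issuer string
	SignatureOK     bool // signature verifies with the certificate's own public key
	SelfSigned      bool // SignatureOK and subject == issuer
	CanSign         bool // KeyUsage extension includes digitalSignature
}

// makeSelfSigned issues a certificate with the same template as subject and
// issuer, signed by its own private key, and returns the DER encoding.
func makeSelfSigned(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(123), // constructed serial
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// inspect parses the DER certificate and checks the declaration it makes.
func inspect(der []byte) (CertSummary, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return CertSummary{}, err
	}
	s := CertSummary{Subject: cert.Subject.String(), Issuer: cert.Issuer.String()}
	// Using the certificate as its own parent verifies the signature with its own key.
	s.SignatureOK = cert.CheckSignatureFrom(cert) == nil
	s.SelfSigned = s.SignatureOK && s.Subject == s.Issuer
	s.CanSign = cert.KeyUsage&x509.KeyUsageDigitalSignature != 0
	return s, nil
}

func main() {
	der, err := makeSelfSigned("Party A")
	if err != nil {
		panic(err)
	}
	s, err := inspect(der)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", s)
}
```

A certificate issued by a separate CA would fail the self-signed test here because its issuer name differs from its subject and its signature only verifies with the CA's public key.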
Copyright IBM Corporation 1990, 2014