## In a nutshell

Authentication between two parties works on the principle of each party having a private key that is never shared and a public key that is freely exchanged. The relationship between the two keys is such that when Alice signs data using her private key, anyone holding her public key can verify that she must indeed have had the private key, without the process being reversible: someone with only Alice's public key cannot produce such a signature on her behalf.

This relies on the fact that some mathematical functions are trivial to verify but hard to reverse. The public and private keys are therefore linked, but the private key cannot be computed from the public key alone.

## Certificates

A certificate is a container that holds the public key, although the term is sometimes also used for the container that holds the private key. A certificate includes:

- the public key
- the name of the server or party
- the signature of a certification authority (CA) attesting that the public key does indeed belong to that server

### Types of certificates

#### PKCS#12 `.pfx`

Used by Windows servers, this is a certificate container that holds the private key, the public key, and some objects for password protection. The public key can be extracted from the `.pfx` (and then distributed) using two methods:

1. Use the certificate manager in the Windows Management Console to import the certificate, mark it as exportable, and then export it.
2. Use [OpenSSL's PKCS12 tool](http://www.openssl.org/docs/apps/pkcs12.html):

```
openssl pkcs12 -in input.pfx -out mycerts.crt -nokeys -clcerts
```

Source: https://stackoverflow.com/questions/403174/convert-pfx-to-cer

#### `.cer`, `.cert`

Usually contains the public key. `.cer` is conventionally used for DER-encoded (binary) files.

#### `.crt`

This contains just the public key. It is handled by both Mac and Windows and is called the PEM format.
## Encodings

Encodings also appear as file extensions for certificates, but they are not certificates themselves: they are ways of encoding a certificate, i.e. they specify the file format.

### `.pem`

Used for files that contain Base64-encoded [[ASCII]] text, prefixed with a `-----BEGIN ...-----` line.

### `.der`

Used for binary-encoded DER certificates. Such files may also carry the `.cer` or `.crt` extension.

## Implementations

- [[SSL]]

## Related

[[Difference between .pfx and .cert certificates]]
[[Cryptography]]
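The PEM and DER encodings described above differ only in their framing: DER is the raw ASN.1 bytes, starting with a SEQUENCE tag (`0x30`), and PEM is the same bytes Base64-encoded between `-----BEGIN` and `-----END` lines. The following added example (not from the original note, standard library only) detects which of the two a blob uses, converts between them, and checks that the outer DER length header matches the file size, which is a cheap way to spot a truncated or padded file before handing it to a real X.509 parser. The sample bytes are a constructed eight-byte SEQUENCE of two INTEGERs, not a real certificate; the function names are this example's own.

```python
import base64
import re

# Constructed sample: a tiny DER SEQUENCE containing INTEGER 5 and INTEGER 7.
# It is NOT a real certificate; it only exercises the framing logic below.
SAMPLE_DER = bytes.fromhex("3006020105020107")

# One PEM block: label in group 1, Base64 body in group 2.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def detect_encoding(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'unknown' for a certificate-like blob."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM"
    # DER-encoded certificates always begin with an ASN.1 SEQUENCE tag.
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes as a PEM block with 64-character Base64 lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(pem: str) -> bytes:
    """Extract the first PEM block and decode its Base64 body back to DER."""
    match = PEM_RE.search(pem.encode("ascii"))
    if not match:
        raise ValueError("no PEM block found")
    body = re.sub(rb"\s+", b"", match.group(2))
    return base64.b64decode(body, validate=True)


def der_declared_length(der: bytes) -> int:
    """Parse the outer SEQUENCE header and return header + content length.

    Raises ValueError when the tag is wrong, the length encoding is malformed,
    or the declared length disagrees with the actual size (truncation or
    trailing bytes), so the caller can reject the file early.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length fits in 7 bits
        content_len, header_len = first, 2
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        content_len = int.from_bytes(der[2:2 + n], "big")
        header_len = 2 + n
    total = header_len + content_len
    if total != len(der):
        raise ValueError(f"declared {total} bytes but file holds {len(der)}")
    return total


def roundtrip(der: bytes) -> bool:
    """DER -> PEM -> DER must reproduce the input exactly."""
    return pem_to_der(der_to_pem(der)) == der


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(detect_encoding(SAMPLE_DER), detect_encoding(pem.encode()))
    print("outer length:", der_declared_length(SAMPLE_DER))
    print("roundtrip ok:", roundtrip(SAMPLE_DER))
    print(pem)
```

Because `der_declared_length` insists that the declared length equals the file size, a DER file that was cut short during transfer, or a PEM file with extra bytes appended after decoding, is rejected before any certificate fields are interpreted.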