A Brief Overview of PKI Certificate Extensions

While almost everyone has heard the term SSL, or Secure Sockets Layer, and knows it has something to do with securing information exchanged through websites, few understand PKI certificates, which are built on the same underlying mechanism.

Today, the most recent versions of SSL are actually known as TLS, or Transport Layer Security. This is a protocol that provides security over a computer network: for websites through the use of SSL/TLS certificates, and also for email, Voice-over-IP (VoIP), instant messaging systems and even online faxing.

This is done through the use of a pair of keys. One of the keys is private and one is public. They are used to encrypt and decrypt data, and also to create a digital signature that protects data from tampering between the sender and the receiver. All of this relies on complex algorithms that generate the keys and the related cipher operations that only those keys can perform.

The Certificate Authority (this is where Comodo comes in) binds the keys to a specific person by issuing a certificate. This creates a link in which the owner of the keys is recognized, through the keys and the cert, by the CA. In other words, we are creating the trust that the cert and the keys have been bound to a person, and we can verify that through the application you submit.

The Extensions

To manage PKI certs, there are specific extensions that are used to place restrictions on how a certificate may be used. The most important standard in use today is X.509. All of the digital certificates, also known as PKI certificates, issued by Comodo follow the X.509 format that is published, recommended and approved by the International Telecommunication Union-Telecommunications Standardization Sector (ITU-T).

This means that our PKI certificate extensions are the same ones used by other Certificate Authorities around the world. Their format is also standardized, so they can be recognized by devices and meet all legal requirements for transmitting documents securely online.

These X.509 PKI certificate extensions don't just control security; they also set out how the certificate will be formatted, how certificates can be revoked and even the specific algorithms that will be used.

Obtaining the Certificate

All PKI certificate extensions are automatically included in the certificate when a Certificate Signing Request (CSR) is received by the Certificate Authority. The process starts with generating a private and a public key: the private key is used to sign the CSR, but it is kept private and is never submitted to the CA.

The public key is then bound to a specific entity. This can be an individual or an organization depending on the information in the CSR and the needs of the organization.

As our root certificates are embedded in 99.9% of all browsers and devices, our certificates are seen as from a trusted source. This includes the use for email systems and allows for digital signatures and email authentication.

When the cert is generated, it will provide specific information about the owner as well as other factors. These will appear in a specific order on the digital certificate that is always the same.

Near the bottom of the information on the certificate, there is a line for extensions. These are the recognized PKI certificate extensions that provide more information about the specific ways a certificate can be used. For example, there are PKI certificate extensions that show the certificate belongs to a CA, or that extended key usage is included.

This extended key usage can indicate whether the certificate can identify an endpoint of an SSL or TLS connection, whether it can be used for signatures, or whether it is for email. It can also indicate the ability to bundle private and public objects in one file, or whether it is used for password-protected data.

If there are multiple PKI certificate extensions, each of the restrictions must be met for the certificate to be used. As this can become complicated, multiple extensions are typically only used for very specific types of usage.
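As an added illustration (not part of the original article), the following Python models that rule: every extension that is present must permit the intended use, an absent extension imposes no restriction, and a critical extension the checker does not recognise is fatal. The purpose names, the `Extension` class and the `LEAF` sample are constructed for this example; the OIDs are the standard extended key usage identifiers from RFC 5280.

```python
from dataclasses import dataclass

# Standard extendedKeyUsage OIDs (RFC 5280, section 4.2.1.12).
SERVER_AUTH, CLIENT_AUTH = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"
CODE_SIGNING, EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.3", "1.3.6.1.5.5.7.3.4"
ANY_EKU = "2.5.29.37.0"  # anyExtendedKeyUsage

# Per purpose: (EKU OIDs that permit it, keyUsage bits that permit it, CA flag required)
PURPOSES = {
    "tls_server": ({SERVER_AUTH}, {"digitalSignature", "keyEncipherment", "keyAgreement"}, False),
    "tls_client": ({CLIENT_AUTH}, {"digitalSignature", "keyAgreement"}, False),
    "email_sign": ({EMAIL_PROTECTION}, {"digitalSignature", "nonRepudiation"}, False),
    "code_sign": ({CODE_SIGNING}, {"digitalSignature"}, False),
    "issue_certs": (set(), {"keyCertSign"}, True),  # EKU is not consulted for CA use
}
KNOWN = {"basicConstraints", "keyUsage", "extendedKeyUsage", "subjectAltName"}

@dataclass
class Extension:
    name: str       # extension name as a decoder would report it
    critical: bool  # the X.509 critical flag
    value: object   # already-decoded value (constructed here; real certs carry DER)

def check_usage(extensions, purpose):
    """Return (allowed, reason). Every extension that is present must permit
    the purpose; an extension that is absent imposes no restriction (RFC 5280)."""
    ekus, ku_bits, needs_ca = PURPOSES[purpose]
    # RFC 5280 section 4.2: a critical extension the checker does not recognise is fatal.
    for e in extensions:
        if e.critical and e.name not in KNOWN:
            return False, f"unrecognised critical extension {e.name}"
    by_name = {e.name: e for e in extensions}
    bc = by_name.get("basicConstraints")
    if needs_ca and not (bc and bc.value.get("ca")):
        return False, "basicConstraints does not mark the certificate as a CA"
    ku = by_name.get("keyUsage")
    if ku and not (set(ku.value) & ku_bits):
        return False, f"keyUsage {sorted(ku.value)} permits none of {sorted(ku_bits)}"
    eku = by_name.get("extendedKeyUsage")
    if eku and ekus and not (set(eku.value) & (ekus | {ANY_EKU})):
        return False, "extendedKeyUsage does not list this purpose"
    return True, "every present extension permits this use"

# Constructed sample: the extensions a typical TLS server (leaf) certificate carries.
LEAF = [
    Extension("basicConstraints", True, {"ca": False}),
    Extension("keyUsage", True, {"digitalSignature", "keyEncipherment"}),
    Extension("extendedKeyUsage", False, [SERVER_AUTH, CLIENT_AUTH]),
]
```

Running `check_usage(LEAF, "email_sign")` fails on the extended key usage even though the key usage bits would allow a signature, which is exactly the "each restriction must be met" rule.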

To discuss your needs for Public Key Infrastructure protocols and framework, see our sales staff to determine the best products for your requirements. At Comodo, we have the experience and the ability to customize the security you need. To learn more, visit us online at https://www.instantssl.com, or give us a call at +1 888 266 6361.
