Delphix

Certificate Basics (KBA10543)

Summary

This article, and its companion articles, describe how to investigate the contents of certificates in PEM, JKS, PKCS#12 and PFX files, as well as certificates bound to a listening TLS enabled port. The information in this article is not specific to Delphix and broadly applies to all application scenarios where x509 certificates are used for SSL/TLS. Examples covering both Unix and Windows commands are provided. The focus for investigation methods is using command line tools.

This article does not address specific certificate error messages as seen in the Delphix appliance. Instead it provides useful information to understand the most common types of errors that you may encounter in many applications related to certificates.

Note:

This is a simplified reference and not a comprehensive explainer document for x509 certificates and TLS/SSL. Many details have been omitted for simplicity.


Applicable Delphix Versions

Date                         Release
Nov 21, 2023                 17.0.0.0
Oct 18, 2023                 16.0.0.0
Sep 21, 2023                 15.0.0.0
Aug 24, 2023                 14.0.0.0
Jul 24, 2023                 13.0.0.0
Jun 21, 2023                 12.0.0.0
May 25, 2023                 11.0.0.0
Apr 13, 2023                 10.0.0.0 | 10.0.0.1
Mar 13, 2023 | Mar 20, 2023  9.0.0.0 | 9.0.0.1
Feb 13, 2023                 8.0.0.0
Jan 12, 2023                 7.0.0.0

Releases Prior to 2023

Major Release  All Sub Releases
6.0            6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0, 6.0.8.0, 6.0.8.1, 6.0.9.0, 6.0.10.0, 6.0.10.1, 6.0.11.0, 6.0.12.0, 6.0.12.1, 6.0.13.0, 6.0.13.1, 6.0.14.0, 6.0.15.0, 6.0.16.0, 6.0.17.0, 6.0.17.1, 6.0.17.2
5.3            5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0
5.2            5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1
5.1            5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0
5.0            5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1, 5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4

What Is a Valid Certificate?

Errors may be reported while importing a certificate, or afterwards when a client accesses an application over a TLS-secured connection (such as an HTTPS-enabled web page). These errors broadly fall into two categories:

  • Errors with the actual certificate on the server.
  • Errors with the client configuration accessing the server.

When diagnosing problems, it helps to understand what constitutes a valid certificate as seen from the server and also the client. Below is a simplified description of the most common components in a certificate that both the server and the client expect to be valid.

Distinguished Name (DN)

AKA: Issued to, Subject
Description: A name in X.500 format that is unique to the certificate. The DN may contain multiple fields. By convention, the most significant field is the Common Name (CN), which is the hostname used by the client to access the server. It should match the hostname in the address the client uses exactly. For example, if the client accesses http://www.myhost.com/index.html, then the CN must be www.myhost.com. Neither myhost nor myhost.com is a correct match.
Valid: The CN matches the hostname or FQDN exactly as shown in the address bar URL of the web browser.
Invalid: The CN does not match the hostname in the address URL.
Scope: Client

NOTE: The validity checks for the DN are generally superseded on modern web browsers by the Subject Alternative Names validation check.

Subject Alternative Name (SAN)

AKA: -
Description: This is a repeating field in a certificate. When the certificate is used for HTTPS, most modern web browsers expect the hostname or FQDN in the address URL to exactly match one of the SAN entries.
Valid: The hostname in the address URL is an exact match for one of the SAN entries.
Invalid: None of the SAN entries match the hostname in the address URL.
Scope: Client

Alias

AKA: Friendly Name
Description: For keystore files only (JKS, PKCS#12, and PFX), this is a label attached to a certificate so that an importing application can identify the correct certificate in a file containing more than one.
Valid: The end-entity (HTTPS or DSP) certificate in the file has an alias.
Invalid: No alias is given to the end-entity certificate.
Scope: Server

Validity period

AKA: Start time, Not before, Valid from, End time, Not after, Valid until
Description: Two timestamps that bound the period during which the certificate is usable. Before the earlier timestamp, the certificate is not yet valid. After the later timestamp, the certificate has expired.
Valid: The current real time is between the two timestamps.
Invalid: The current real time is outside the period bounded by the two timestamps.
Scope: Server & Client

Certificate Chain

AKA: Issuer, Issued by
Description: Every certificate is issued by another certificate (a Certificate Authority, or CA, certificate) until the chain reaches a special certificate that is issued by itself: a self-signed certificate, where the Issued to and Issued by fields are identical, called the "root" CA certificate. A certificate chain must include all certificates down to the root certificate. Because a root certificate could also be an end-entity certificate, a chain could consist of a single certificate. Usually, a chain will be one root CA certificate, one or more intermediate CA certificates, and the end-entity certificate.
Valid: An unbroken chain of certificates linking the Issued by field of the end-entity certificate all the way back to the root CA certificate.
Invalid: One or more certificates are missing, resulting in a broken chain.
Scope: Server

Trusted Certificate

AKA: -
Description: A certificate is trusted if it, or the intermediate CA and root CA certificates that issued it, exist in the client's truststore. Operating systems like Microsoft Windows and Apple OSX come preloaded with CA certificates from the most widely trusted global Certificate Authorities. Lesser-known or corporate CA certificates are not installed unless you explicitly install them. For example, when the CA certificate that issued a website's HTTPS certificate is not in the operating system's truststore, a web browser will report that the page is not secure or the site is not trusted.
Valid: The CA certificates exist in the operating system's truststore.
Invalid: The CA certificates do not exist in the operating system's truststore.
Scope: Client

Key Length

AKA: Server key length, Private key length, Public key length
Description: The number of bits in the cryptographic public and private key pair. A client application may require a minimum length before it considers a certificate to meet its minimum security requirements.
Valid: The key length is equal to or longer than the minimum required by the application.
Invalid: The key length is shorter than the minimum required by the application.
Scope: Client & Server

The majority of certificate-related errors are caused by the invalid state of one or more of the characteristics above.
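The following script is an added example and is not part of this article or any Delphix tooling. It builds a throwaway root CA and an end-entity certificate with OpenSSL, then exercises the checks described above from the command line: dumping the DN, issuer, validity period and SANs, verifying the chain with and without the root in the truststore, matching the hostname against the SAN (www.myhost.com versus myhost.com, as in the DN example), testing the validity period, and reading the key length. It assumes openssl 1.1.1 or newer on PATH; the hostname, subject names, 30-day validity and file names are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Delphix article: build a throwaway root CA and
# an end-entity certificate with OpenSSL, then exercise the checks the article
# describes (DN/SAN hostname match, validity period, chain and trust, key
# length). Assumes `openssl` 1.1.1 or newer on PATH; every hostname, subject
# and file name below is constructed for the demonstration.
set -u

WORK="${WORK:-$(mktemp -d)}"
HOST="www.myhost.com"

# Minimal OpenSSL config so the example does not depend on the system
# openssl.cnf. ca_ext marks the root as a CA; server_ext adds the SAN.
cat > "$WORK/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:$HOST
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Self-signed root (Issued to == Issued by), then an end-entity certificate
# for $HOST issued by that root and valid for 30 days.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$WORK/pki.cnf" -extensions ca_ext -subj "/CN=Example Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORK/pki.cnf" -subj "/CN=$HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null || return 1
    openssl x509 -req -days 30 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/pki.cnf" -extensions server_ext \
        -out "$WORK/server.pem" 2>/dev/null
}

# Subject (DN), issuer, validity period and SANs of the end-entity certificate.
show_fields() {
    openssl x509 -in "$WORK/server.pem" -noout -subject -issuer -dates -ext subjectAltName
}

# Chain + trust: succeeds only when the issuing root is in the truststore
# handed to openssl (here a single file, standing in for the OS truststore).
verify_trusted()   { openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1; }
verify_untrusted() { openssl verify -no-CAfile -no-CApath "$WORK/server.pem" >/dev/null 2>&1; }

# Hostname check: the name the client connects to must match a SAN (or the CN)
# exactly; "myhost.com" is not a match for "www.myhost.com".
hostname_matches() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/server.pem" >/dev/null 2>&1
}

# Validity period: exit 0 if the certificate is still valid $1 seconds from now.
valid_for_seconds() { openssl x509 -in "$WORK/server.pem" -noout -checkend "$1" >/dev/null 2>&1; }

# Public key length in bits (matches both 1.1.1 and 3.x "Public-Key:" output).
key_bits() {
    openssl x509 -in "$WORK/server.pem" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Exit 0 if the key meets a minimum length in bits, 1 otherwise.
key_meets_minimum() { [ "$(key_bits)" -ge "$1" ]; }

report() { label=$1; shift; if "$@"; then echo "VALID   : $label"; else echo "INVALID : $label"; fi; }

if make_pki; then
    show_fields
    report "chain + trust with root CA in truststore" verify_trusted
    report "chain + trust with empty truststore"      verify_untrusted
    report "hostname $HOST matches SAN"               hostname_matches "$HOST"
    report "hostname myhost.com matches SAN"          hostname_matches "myhost.com"
    report "valid one day from now"                   valid_for_seconds 86400
    report "valid 40 days from now"                   valid_for_seconds $((40 * 86400))
    report "key length >= 2048 bits"                  key_meets_minimum 2048
else
    echo "could not build the demonstration PKI (is openssl on PATH?)" >&2
fi
```

The same checks apply to a certificate taken from a real server: save the output of openssl s_client -connect host:443 -showcerts to a PEM file and point the functions at it, substituting the organisation's CA bundle for ca.pem. Each check maps to one of the characteristics above, so a failing line tells you which field (hostname, dates, chain, trust or key length) to fix on the server or in the client's truststore.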

Related Articles

The following articles may provide more information or related information to this article: