Certificate Server

From Wikipedia, the free encyclopedia

Certificate Server is a generic term used to describe a server that issues (and typically validates) Public Key Certificates as part of a Public Key Infrastructure.

To be a Certificate Server, the server in question must be either a:

Even if a Certificate Server is only issuing a Self-Signed Certificate for its own use, it is still the Root Certificate Authority for that certificate.

X.509 Description

The certificates and roles described above are defined in the ITU X.509 Standard and Internet Engineering Task Force RFC 2459,[1] entitled "Internet X.509 Public Key Infrastructure Certificate and CRL Profile". These standards describe both the format of the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) and the processes by which a Certificate Authority may issue and revoke digital certificates.

According to the RFC, "The goal of this specification is to develop a profile to facilitate the use of X.509 certificates within Internet applications for those communities wishing to make use of X.509 technology. Such applications may include WWW, electronic mail, user authentication, and IPsec."

In plain English, digital certificates (and their associated Public Key Infrastructure) allow an electronic message to be encrypted in such a way that:

  • The message cannot be intercepted and read in transit
  • The message can be proven to come from a known, specific source, and cannot be counterfeited
  • The source of the message can be verified as to their actual identity via a known, trusted third-party

Implementation using Microsoft IIS

Microsoft's Certificate Services on IIS allows a server to issue or revoke digital certificates. The implementation requires a dedicated certificate server in one of four certificate authority configurations:

  • Enterprise root CA
  • Enterprise subordinate CA
  • Stand-alone root CA
  • Stand-alone subordinate CA

Certificate Services is managed through a Microsoft Management Console snap-in and a web-based application. These programs can be used to view revoked, issued, pending, and failed requests for certificates.[2]

Privacy concerns with Microsoft certificates

Certificate authentication is built into recent versions of IE and cannot be turned off. Automatic checking of the validity of certificates at Microsoft's certificate authority may provide Microsoft with a database of sites visited, files downloaded, the unique ID of the user's computer, the user's IP address and other information. As such, use of this automated security feature may represent a considerable privacy concern (which may also conflict with existing EU regulations regarding privacy). Most users may be unaware that their identity and specific web browsing habits are being stored centrally via Microsoft's browser and may be subject to subsequently being resold or subpoenaed.

Open source implementations

Several open source implementations of certificate servers exist; they are commonly referred to as a CA or certificate authority. All of them provide the services needed to issue, revoke and manage digital certificates.

Some well-known open source implementations are:

  • OpenCA
  • OpenSSL, which is really an SSL/TLS library but comes with tools that let it be used as a simple certificate authority.
  • FreeIPA, which includes Dogtag CA.
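
The issue, revoke and validate cycle described on this page, run with the OpenSSL command-line tools acting as a simple certificate authority. This is an added example, not part of the original article or of the OpenSSL project; the subject names, file names and the 30-day and 7-day lifetimes are constructed for the demonstration.

```sh
# Added example; every name (Demo Root CA, www.example.test) is constructed.
ca_demo() (
    set -e
    work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
    mkdir newcerts; : > index.txt; echo 1000 > serial; echo 1000 > crlnumber
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Demo Root CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
    {   # 1. Self-signed root: the server is the root CA for its own certificate.
        openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf \
            -keyout ca.key -out ca.crt
        # 2. Subscriber key and CSR, then the CA issues the certificate.
        openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
            -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr
        openssl ca -batch -config ca.cnf -notext -in leaf.csr -out leaf.crt
        # 3. The CA revokes the certificate and publishes a v2 CRL.
        openssl ca -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise
        openssl ca -config ca.cnf -gencrl -out ca.crl
    } > ca.log 2>&1
    # 4. Relying party: chain-only validation, then validation against the CRL.
    if openssl verify -CAfile ca.crt leaf.crt >/dev/null 2>&1
    then chain=OK; else chain=FAIL; fi
    if openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check leaf.crt 2>&1 |
        grep -q "certificate revoked"
    then crl=REVOKED; else crl=NOT_REVOKED; fi
    echo "chain_only=$chain with_crl=$crl"
)
ca_demo
```

The revoked certificate still passes chain-only validation; it is rejected only when the relying party is given the CRL and asked to check it with `-crl_check`.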

Implementation using Apache + mod_ssl

Apache can use a certificate server to get certificates used to provide secure communications with the SSL/TLS protocol.

The server-based implementation for the Apache HTTP Server is "mod_ssl", a derivative of Apache-SSL built on the functionality of OpenSSL. mod_ssl supports SSLv2, SSLv3, and TLSv1, with X.509 client/server authentication and certificate revocation. This is accomplished via three packages: the mod_ssl package, an extended API, and an SSL/TLS implementation toolkit such as OpenSSL.[3]

See also


  1. Internet Engineering Task Force, Network Working Group (January 1999). "Internet X.509 Public Key Infrastructure Certificate and CRL Profile". Retrieved 2016-07-18.
  2. Microsoft, Inc. (2009). "Managing Microsoft Certificate Services and SSL". Retrieved 2009-04-21.
  3. ApacheCon, Santa Clara (2001-04-04). "Security Solutions with SSL". Retrieved 2009-04-23.