Certificates – Zilog EZ80F91AZA User Manual

Page 46


UM020107-1211

SSL Configuration

ZTP Network Security SSL Plug-In

User Manual

40

however, the ZTP Network Security SSL Plug-In does not currently recognize extended
cipher suites that employ 1024-bit public keys.

Certificates

Before describing where certificates are configured in the ZTP Network Security SSL Plug-In, this section reviews the role of certificates in SSL.

Background

During the establishment of a session, X.509 certificates are mainly used to authenticate the server, and are optionally used to authenticate the client. The SSLv3 and TLSv1 specifications also define a set of anonymous cipher suites in which neither party is authenticated. The ZTP Network Security SSL Plug-In does not support client authentication, nor does it support anonymous cipher suites. Therefore, only SSL servers are required to possess an X.509 certificate.

X.509 certificates contain information that identifies the entity for which the certificate was issued (referred to as the subject of the certificate) and information about the entity that issued the certificate (the issuer). Certificates are valid only for a certain period of time. Each certificate contains two time stamps. The first time stamp specifies the start of a certificate’s validity period. The second time stamp identifies the time at which the certificate expires. Certificates used outside this time period are to be treated as invalid. For the purpose of establishing an SSL session, the two most important items in the certificate are the server’s public key and the certificate signature.

When a certificate is created, the issuer asserts that the subject of the certificate is in possession of a private key corresponding to the public key in the certificate. The issuer also asserts that it has performed some level of verification (indeed, perhaps none) of the subject’s identity. The exact information required by an issuer to verify a subject’s identity will vary between issuers. This scenario is analogous to various certificates used by people, such as a library card or a passport. The background checks performed by the respective issuers are not necessarily identical. Therefore, when presenting either of these certificates to prove one’s identity, one of these certificates may be more accepted (i.e., trusted) because the issuer has more credibility.

Trust relationships form the basis of SSL authentication. When an SSL server presents a client with its digital certificate, the client performs basic integrity checks on the certificate (for example, it may check whether the entity presenting the certificate is the same as the subject, or if the certificate has expired). However, a forged certificate could easily pass these basic integrity checks. Therefore, every X.509 certificate is signed by the issuer (using the issuer’s private key). A client that is in possession of the issuer’s certificate can use the issuer’s public key to verify the authenticity of the certificate presented by the subject (i.e., the SSL server). Therefore, if the client trusts the issuer, it can be assured of the server’s identity. Conversely, if the client does not know the issuer of the subject’s certificate, then it can obtain the certificate of the issuer that issued the issuer’s certificate. This
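
The checks described above (subject matches the presented host, validity window, signature verified with the issuer's public key, climbing to the issuer's issuer until a trusted one is reached), as an added Python example that is not part of the Zilog manual or of the ZTP Plug-In. The `Cert` fields, the "ssl.example" chain and the tiny textbook RSA keys are constructed stand-ins for illustration only; real certificates use 1024-bit or larger keys with padded signatures.

```python
from dataclasses import dataclass
from hashlib import sha256

# Stand-in textbook RSA with tiny constructed keys; it only illustrates
# "signed with the issuer's private key, verified with its public key".
def rsa_sign(digest, priv):        # priv = (d, n)
    return pow(digest % priv[1], priv[0], priv[1])
def rsa_verify(digest, sig, pub):  # pub = (e, n)
    return pow(sig, pub[0], pub[1]) == digest % pub[1]

@dataclass
class Cert:
    subject: str      # entity the certificate was issued for
    issuer: str       # entity that signed it
    not_before: int   # validity window: the two X.509 time stamps
    not_after: int    # (constructed integer clock, not real dates)
    pub: tuple        # subject's public key (e, n)
    sig: int = 0      # issuer's signature over the fields above
    def tbs_digest(self):
        # hash of the to-be-signed fields; tampering with any of them changes it
        tbs = f"{self.subject}|{self.issuer}|{self.not_before}|{self.not_after}|{self.pub}"
        return int.from_bytes(sha256(tbs.encode()).digest(), "big")

def issue(cert, issuer_priv):
    cert.sig = rsa_sign(cert.tbs_digest(), issuer_priv)
    return cert

def validate_chain(cert, store, trusted, now, host):
    """Walk issuer links through store (certs by subject) to a trusted issuer name."""
    if cert.subject != host:
        return False, "subject does not match the presented host"
    for _ in range(len(store) + 1):   # bounded walk toward a trusted issuer
        if not cert.not_before <= now <= cert.not_after:
            return False, f"{cert.subject}: outside validity period"
        issuer = store.get(cert.issuer)
        if issuer is None:
            return False, f"{cert.subject}: issuer {cert.issuer} unknown"
        if not rsa_verify(cert.tbs_digest(), cert.sig, issuer.pub):
            return False, f"{cert.subject}: signature does not verify"
        if cert.issuer in trusted:
            return True, f"chain ends at trusted issuer {cert.issuer}"
        cert = issuer                 # climb to the issuer's own certificate
    return False, "chain did not reach a trusted issuer"

# Constructed three-tier chain: Root -> Intermediate -> server (tiny demo keys)
ROOT_PUB, ROOT_PRIV, INT_PUB, INT_PRIV = (17, 3233), (2753, 3233), (3, 3127), (2011, 3127)
ROOT = issue(Cert("Root", "Root", 0, 10_000, ROOT_PUB), ROOT_PRIV)
INTER = issue(Cert("Intermediate", "Root", 0, 8_000, INT_PUB), ROOT_PRIV)
SERVER = issue(Cert("ssl.example", "Intermediate", 100, 5_000, (17, 2773)), INT_PRIV)
STORE = {c.subject: c for c in (ROOT, INTER)}
```

A client that holds only the root certificate reports the server's issuer as unknown, which is the point at which a real client would fetch the intermediate certificate before retrying the walk.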
