Introduction to X.509 Certificates

11/10/2003 12:02:54
tags: security

First, I do not suggest that this document is a thorough discussion of X.509 Certificates. It is simply a record of what I have learned so far, and that isn’t very much. I make no claims as to the accuracy of this info….

That said, it might be useful to you if you are trying to figure this stuff out. Feel free to leave comments suggesting revisions, clarifications, or questions…

First, what am I talking about? X.509 is a standard describing a system that can be used for encryption, digital signatures, etc. Basically, a certificate is like a digital ID card - it verifies that you are who you say you are, at least according to the group or individual that issued the certificate. These certificates are used for secure web browsing, and can be used for signing and/or encrypting email using a variety of email programs ( specifically in Panther, in my case ). X.509 email is used in the S/MIME standard. This is similar to, but incompatible with, PGP/MIME.

More about this later, but for now you can find the “Root” Certificate for my own CA here ( You might need to right click in order to download it) . I am using this to sign my own personal certificate, as well as those for friends and family… It’s my own form of protest against the rigid hierarchy of the X.509 system…. Unfortunately it has seemingly found it’s way into the majority of email clients out there. It’s great for corporate needs, but not so good for the individual, unlike the OpenPGP system. Using my own CA is easy for me, but difficult for those I send email to, as they have to add my Root CA certificate to authorize my personal certificate.

NOTE: You have to decide for yourself whether you trust me to sign certificates for other people. I will only sign certificates for people I know and trust, but that doesn’t necessarily mean that you should trust them…. If not, the only problem is that my email to you will show up as having a signature that could not be verified, and you will likely not be able to send me encrypted email. Since that happens very rarely, it is no great loss to anyone…

To do this, download the above file and install it into your root keychain. For Mac OS X and, you simply double click the file and choose X509Anchors from the popup list. Then you are good to go.

The more reasonable route would be to authorize my personal key itself after receiving the first email from me. Then subsequent email would be automatically verified. sort of does this, but forgets the authorized keys when you quit. This means that every time you re-open Mail, it has forgotten that you authorized my certificate. I couldn’t get Thunderbird to authorize my personal certificate until I had imported my root certificate…. What a PITA….

If you know me, and want me to issue a certificate using my Root CA, email me. Once I clean it up, I will also post the steps I took to do this, and also some easy to use shell scripts that do it for you automatically.

Similar Pages