X.509
X.509 is an ITU standard defining the format of public key certificates.
Peridio leverages this standard when authenticating device certificates via mutual TLS and just-in-time provisioning devices based on the signing CA certificate.
Private and Public Keys
Every X.509 certificate has a public key within it. The public key is derived from a private key. When considered together they are referred to as an asymetric key pair. Generally, this field is refered to as public-key cryptography or asymmetric cryptography.
To create an asymmetric key pair, one must first decide on a public key algorithm to use, this choice dictates:
- The cryptographic properties of the keys and in turn their capabilities and security guarantees.
- The processes required to create and interact with the keys.
This guide will use the ECDSA public key algorithm, but RSA and DSA are other common choices.
Effective security requires keeping the private key private; the public key can be openly distributed without compromising security.
To inspect a private key with openssl:
openssl ecparam \
-in key.pem \
-text \
-noout
Certificates
To inspect a certificate signing request with openssl:
openssl req \
-in certificate-signing-request.pem \
-text \
-noout
To inspect a certificate with openssl:
openssl x509 \
-in certificate.pem \
-text \
-noout
Root
A root certificate authority is a certificate that:
- is self-signed
- is capable of signing certificates
Intermediate
An intermediate certificate authority is a certificate that:
- is not self signed
- is signed either by an intermediate certificate authority or a root certificate authority
- is capable of signing certificates
End-entity
An end-entity certificate is a certificate that:
- is not self signed
- is signed by either an intermediate certificate authority or a root certificate authority
- is not capable of signing certificates
Security
- Require TLS to enforce encrypted communications.
- Provide HMAC-SHA256 request signatures.
- Provide published at data to prevent replay attacks.