Cisco Cisco Web Security Appliance S170 사용자 가이드
A-5
Cisco IronPort AsyncOS 7.7.5 for Web User Guide
Appendix A HTTPS Reference
Digital Certificates
Digital Certificates
A digital certificate is an electronic document that identifies and describes an organization, and that has
been verified and signed by a trusted organization. A digital certificate is similar in concept to an
identification card, such as a driver’s license or a passport. The trusted organization that signs the
certificate is also known as a certificate authority.
been verified and signed by a trusted organization. A digital certificate is similar in concept to an
identification card, such as a driver’s license or a passport. The trusted organization that signs the
certificate is also known as a certificate authority.
Certificates allow a client to know that it is talking to the organization it thinks it is talking to. When a
server certificate is signed by a well-known or trusted authority, the client can better assess how much it
trusts the server.
server certificate is signed by a well-known or trusted authority, the client can better assess how much it
trusts the server.
X.509 is a standard example of a public key infrastructure (PKI). X.509 specifies standards for
certificates and an algorithm for validating certification paths. The Web Security appliance uses the
X.509 standard.
certificates and an algorithm for validating certification paths. The Web Security appliance uses the
X.509 standard.
X.509 certificates contain the following information:
•
Subject’s identity, such as the name of a person, server, or organization
•
Certificate validity period
•
Certificate authority who is vouching for the certificate
•
Digital signature of the certificate created by the certificate authority using its private key
•
Public key of the subject
For an example digital certificate you can view from a web browser, see
Although anyone can create a digital certificate, not everyone can get a well-respected certificate
authority to vouch for the certificate’s information and sign the certificate with its private key. For more
information about validating the certificate authority in a digital certificate, see
authority to vouch for the certificate’s information and sign the certificate with its private key. For more
information about validating the certificate authority in a digital certificate, see
.
Validating Certificate Authorities
The X.509 standard allows certificate authorities to issue digital certificates that are signed by other
certificate authorities. Due to this system, there is a hierarchy of certificate authorities in a tree structure.
certificate authorities. Due to this system, there is a hierarchy of certificate authorities in a tree structure.
The top-most certificate authorities in the tree structure are called root certificates. Root certificates are
not signed by a separate certificate authority because they are at the top of the tree structure. Therefore,
by definition, all root certificates are self-signed certificates. The certificate authority listed in the root
certificate is the certificate creator.
not signed by a separate certificate authority because they are at the top of the tree structure. Therefore,
by definition, all root certificates are self-signed certificates. The certificate authority listed in the root
certificate is the certificate creator.
All certificates below the root certificate inherit the trustworthiness of the root certificate. For example,
if CertificateAuthorityABC is a trusted certificate authority and it signs the certificate for certificate
authority CertificateAuthorityXYZ, then CertificateAuthorityXYZ is automatically a trusted certificate
authority.
if CertificateAuthorityABC is a trusted certificate authority and it signs the certificate for certificate
authority CertificateAuthorityXYZ, then CertificateAuthorityXYZ is automatically a trusted certificate
authority.
Figure A-2
shows the certification path for a certificate viewed in a web browser.