Cisco Cisco Web Security Appliance S170 사용자 가이드
188
I R O N P O R T A S Y N C O S 6 . 3 F O R W E B U S E R G U I D E
D I G I T A L C E R T I F I C A T E S
A digital certificate is an electronic document that identifies and describes an organization,
and that has been verified and signed by a trusted organization. A digital certificate is similar
in concept to an identification card, such as a driver’s license or a passport. The trusted
organization that signs the certificate is also known as a certificate authority.
and that has been verified and signed by a trusted organization. A digital certificate is similar
in concept to an identification card, such as a driver’s license or a passport. The trusted
organization that signs the certificate is also known as a certificate authority.
Certificates allow a client to know that it is talking to the organization it thinks it is talking to.
When a server certificate is signed by a well-known or trusted authority, the client can better
assess how much it trusts the server.
When a server certificate is signed by a well-known or trusted authority, the client can better
assess how much it trusts the server.
X.509 is a standard example of a public key infrastructure (PKI). X.509 specifies standards for
certificates and an algorithm for validating certification paths. The Web Security appliance
uses the X.509 standard.
certificates and an algorithm for validating certification paths. The Web Security appliance
uses the X.509 standard.
X.509 certificates contain the following information:
• Subject’s identity, such as the name of a person, server, or organization
• Certificate validity period
• Certificate authority who is vouching for the certificate
• Digital signature of the certificate created by the certificate authority using its private key
• Public key of the subject
For an example digital certificate you can view from a web browser, see “Working with Root
Certificates” on page 193.
Certificates” on page 193.
Although anyone can create a digital certificate, not everyone can get a well-respected
certificate authority to vouch for the certificate’s information and sign the certificate with its
private key. For more information about validating the certificate authority in a digital
certificate, see “Validating Certificate Authorities” on page 188.
certificate authority to vouch for the certificate’s information and sign the certificate with its
private key. For more information about validating the certificate authority in a digital
certificate, see “Validating Certificate Authorities” on page 188.
Validating Certificate Authorities
The X.509 standard allows certificate authorities to issue digital certificates that are signed by
other certificate authorities. Due to this system, there is a hierarchy of certificate authorities in
a tree structure.
other certificate authorities. Due to this system, there is a hierarchy of certificate authorities in
a tree structure.
The top-most certificate authorities in the tree structure are called root certificates. Root
certificates are not signed by a separate certificate authority because they are at the top of the
tree structure. Therefore, by definition, all root certificates are self-signed certificates. The
certificate authority listed in the root certificate is the certificate creator.
certificates are not signed by a separate certificate authority because they are at the top of the
tree structure. Therefore, by definition, all root certificates are self-signed certificates. The
certificate authority listed in the root certificate is the certificate creator.
All certificates below the root certificate inherit the trustworthiness of the root certificate. For
example, if CertificateAuthorityABC is a trusted certificate authority and it signs the certificate
for certificate authority CertificateAuthorityXYZ, then CertificateAuthorityXYZ is
automatically a trusted certificate authority.
example, if CertificateAuthorityABC is a trusted certificate authority and it signs the certificate
for certificate authority CertificateAuthorityXYZ, then CertificateAuthorityXYZ is
automatically a trusted certificate authority.
Figure 10-2 shows the certification path for a certificate viewed in a web browser.