| Administrator's Guide Red Hat Certificate System |
| Previous |
Contents |
Index |
Next |
Appendix F
Certificate Download Specification
This appendix describes the data formats used by Netscape Communicator 4.x for installing certificates. It also describes how certificates are imported into different environments.
This appendix contains the following sections:
- "Data Formats," on page 721
- "Importing Certificate Chains
- "Importing Certificates into Communicator," on page 723
- "Importing Certificates into Red Hat Servers," on page 724
- "Object Identifiers," on page 724
Data Formats
Red Hat products can accept certificates in several formats. Although the format can vary, the certificates themselves are X.509 version 1, 2, or 3.
Binary Formats
The Red Hat certificate loader recognizes several binary formats, as follows.
This is a PKCS #7 SignedData object. The only significant field in the SignedData object is the certificates. In particular, the signature and the contents are ignored. In future versions of the software, the CRLs will also be used. The PKCS #7 format allows multiple certificates to be downloaded at once. See "Importing Certificate Chains," on page 722 for more information about handling multiple certificates.
This is a simpler format for downloading certificate chains. It consists of a PKCS #7 ContentInfo structure, wrapping a sequence of certificates. The value of the contentType field should be redhat-cert-sequence (see "Object Identifiers," on page 724), while the content field has the following structure:
CertificateSequence ::= SEQUENCE OF CertificateThis format allows multiple certificates to be downloaded at once. See "Importing Certificate Chains," on page 722 for more information about handling multiple certificates.
Text Formats
Any of the above binary formats can also be imported in text form. The text form begins with the following line:
-----BEGIN CERTIFICATE-----Following this line is the certificate data, which can be in any of the binary formats just described. This data should be base 64 encoded as described by RFC 1113. The data is followed by this line:
-----END CERTIFICATE-----Importing Certificate Chains
Several of the supported formats can contain multiple certificates. When the Red Hat certificate decoder encounters a collection of certificates, it handles them as follows:
- The first certificate is processed in a context-specific manner, which varies according to how it is being imported. For Communicator, this handling depends upon the MIME content type that is used on the object being downloaded. For Red Hat servers, it depends upon the options selected in the server administration interface.
- Subsequent certificates are all treated the same. If the certificates contain the SSL-CA bit in the redhat-cert-type certificate extension and do not already exist in the local certificate database, they are added as untrusted CAs. In this way they can be used for certificate chain validation as long as there is a trusted CA somewhere along the chain.
Importing Certificates into Communicator
Communicator imports certificates via HTTP. There are several MIME content types that are used to indicate to Communicator what type of certificate is being imported. These MIME types are as follows:
The certificate being downloaded is a user certificate belonging to the user operating Communicator. If the private key associated with the certificate does not exist in the user's local key database, then Communicator generates an error dialog and the certificate is not imported. If a certificate chain is being imported, then the first certificate in the chain must be the user certificate, and any subsequent certificates will be added as untrusted CA certificates to the local database.
The certificate being downloaded represents a certificate authority. When it is downloaded, a sequence of dialogs guides the user through the process of accepting the Certificate Authority and deciding whether to trust sites certified by the CA.
- If a certificate chain is being imported, the first certificate in the chain must be the CA certificate, and Communicator adds any subsequent certificates in the chain to the local database as untrusted CA certificates.
The certificate being downloaded is a user certificate belonging to another user for use with S/MIME. If a certificate chain is being imported, the first certificate in the chain must be the user certificate, and Communicator adds any subsequent certificates to the local database as untrusted CA certificates. This process allows people or CAs to post their email certificates on web pages for download by other users who want to send them encrypted mail.
Importing Certificates into Red Hat Servers
Server certificates are imported via the server administration interface. Certificates are pasted into a text input field in an HTML form, and then the form is submitted to the administration server. Since the certificates are pasted into text fields, only the text formats described above are supported for servers.
The type of certificate being imported is specified by the server administrator by selections made on the administration pages. If a certificate chain is being imported, then the first certificate in the chain must be the server or CA certificate, and the server adds any subsequent certificates to the local database as untrusted CA certificates.
Object Identifiers
The base of all Red Hat object IDs is
redhat OBJECT IDENTIFIER ::= { 2 16 840 1 113730 }The hexadecimal byte value of this OID, when DER-encoded, is
0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42The following OIDs are mentioned in this document:
redhat-data-type OBJECT IDENTIFIER :: = { redhat 2 } redhat-cert-sequence OBJECT IDENTIFIER :: = { redhat-data-type 5 }
| Previous |
Contents |
Index |
Next |