Skip to content

PKI and Certificate Management

Public key infrastructure (PKI) is based on an encryption technique that uses two keys: a public key and a private key. Public keys can be used to encrypt messages that can only be decrypted using the private key. This technique is referred to as asymmetric encryption, as opposed to symmetric encryption, in which a single secret key is used by both parties.

Digital Certificates

The goal of a digital certificate is to authenticate its sender. It is analogous to a paper document that contains personal identification information and is signed by an authority, for example a notary or government agency. With digital certificates, a cryptographic key is used to create a unique digital signature. A digital certificate is valid for specified period of time.

Trusted Authorities

A chain of signed certificates, anchored by a root CA, can be used to establish a sender's authenticity. Each link in the chain is certified by a signed certificate from the previous link, with the exception of the root CA. This way, trust is transferred along the chain, from the root CA through any number of intermediate authorities, ultimately to the agent that needs to prove its authenticity.

Obtaining Certificates

Signed certificates are typically obtained from well-known CAs, such as Verisign, Inc. This is done by submitting a certificate request for a CA, typically for a fee. The CA will sign the certificate request, producing a certificate/key combo: the certificate contains the identity of the owner and the public key, and the private key is available separately for use by the owner.

As an alternative to acquiring a signed certificate from a CA, you can act as your own CA and create self-signed certificates. This is often done for testing scenarios, and sometimes for closed environments where the expense of a CA-signed root certificate is not necessary.

Certificate Format

Certificates and private keys can be stored in several file formats, including PKCS12, DER and PEM. The certificate and key can be in the same file or in separate files. Additionally, the key can either be encrypted with a password or left in the clear. The xPico 600 only accepts separate PEM files, with the key unencrypted. Several utilities exist to convert between the formats. Keys in other formats will need to be converted before being used with the xPico 600 device.

For information on how to configure a TLS credential, see Creating a TLS Credential.