iTP Secure WebServer System Administrator's Guide (Version 7.0)

Security Concepts
iTP Secure WebServer System Administrator’s Guide 523346-012
information. Most important, certificates contain the digital signature of the certificate issuer. A CA issues the certificate and signs it with its private key.
Using Certificates
Public key certificates generate confidence in the legitimacy of the public keys to which the certificates are bound. Recipients of these certificates can use them to verify not only the signature of the certificate owner but also the certificate itself. This level of verification gives strong assurance against forgery or false representation.
Two or more certificates can be enclosed with the same message such that one
certificate testifies to the authenticity of the previous certificate. Such a hierarchy of
authentication is called the certificate chain. At the end of such a chain is a top-level
CA that is trusted without a certificate from any other CA (see Figure D-3).
The most secure form of authentication involves enclosing multiple public key
certificates with every signed message sent. However, the more familiar the sender is
(or becomes) to the receiver of a message, the less need there is to enclose multiple
certificates. For example, Juliet might send Romeo multiple certificates with her first
message to him but only a single certificate thereafter, after Romeo has had a chance
to verify all the certificates accompanying her first message.
The best practice is probably to enclose a certificate chain of sufficient length so that
the issuer of the highest-level certificate in the chain is well-known to the receiver.
Figure D-3. Certificate Chain (figure: a Top Level (Trusted) CA at the root, subordinate CAs beneath it, and Senders at the leaves)
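The chain check described above, as an added example written for this page with Go's standard crypto/x509 package (not code from the iTP Secure WebServer product): a constructed three-level chain matching Figure D-3 is built, then checked by a receiver that trusts only the top-level CA, once with the subordinate CA's certificate enclosed and once without it. The names (Top Level CA, Subordinate CA, Juliet) and the keys are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn and signs it with the issuer's private key;
// a nil issuer yields a self-signed certificate (the top-level CA of Figure D-3).
func mkCert(cn string, usage x509.KeyUsage, issuer *x509.Certificate, issuerKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: usage,
	}
	if issuer == nil {
		issuer, issuerKey = tmpl, key // no CA above us: sign with our own key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyChain is the receiver's check: trust only root, treat the certificates enclosed
// with the message as intermediates, and return nil only when every signature verifies.
func VerifyChain(leaf, root *x509.Certificate, enclosed ...*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range enclosed {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	root, rootKey := mkCert("Top Level CA", x509.KeyUsageCertSign, nil, nil)
	sub, subKey := mkCert("Subordinate CA", x509.KeyUsageCertSign, root, rootKey)
	juliet, _ := mkCert("Juliet", x509.KeyUsageDigitalSignature, sub, subKey)
	fmt.Println("chain enclosed:", VerifyChain(juliet, root, sub))
	fmt.Println("subordinate CA omitted:", VerifyChain(juliet, root))
}
```

The second call fails with an unknown-authority error: without the subordinate CA's certificate, the receiver cannot connect Juliet's certificate to the CA it trusts, which is why a sender encloses the chain until the receiver has verified it.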