Certificate content, certificate store and certificate file format
The exact set of fields in a certificate varies from one Certificate Authority to another. The following information is included in virtually all personal X.509 certificates (CILogon and OSG certificates are X.509 certificates):
- Subject of the certificate (the person or other entity to whom it was issued)
- Subject's public key
- Issuer (the Certificate Authority)
- Serial number (an integer that is unique among all certificates issued by the CA that signed this certificate; issuer plus serial number therefore identifies one certificate, which is how revocation lists refer to it)
- Extensions (subject's email address, subject type, policy information, etc.)
- Validity Period (start and end dates)
- Signature algorithm and the CA's signature (the algorithm names how the CA signed the certificate; verifying that signature with the CA's public key is what detects tampering)
- Netscape Cert Type (a legacy extension stating whether the certificate is for SSL client, SSL server or S/MIME use)
- Key usage (the cryptographic operations the key may be used for, e.g. digital signature, key encipherment)
When your certificate is imported into a browser, it is put in a location called a "certificate store". Depending on your operating system, your browser and your email client, the email client may read the certificate from the same store, so you import it only once. The following pairs of applications share a certificate store:
- Microsoft Internet Explorer and Outlook use the Windows system-wide certificate store
- macOS native email clients and browsers (Mail, Safari) use the Keychain
Firefox and Thunderbird do not share a store. However, they use the same code (Mozilla's NSS) to manage their separate certificate stores, so their certificate-management user interfaces are very similar. Chrome also uses the system store on Windows and the Keychain on the Mac.
Certificate file format
- .pfx PKCS#12 format binary file, the extension used on Windows; a single password-protected bundle containing the certificate and the private key (and often the CA chain)
- .p12 PKCS#12 format binary file, the same format under the extension used on Unix/Linux (Windows accepts either extension)
- .key a private key; PEM-encoded on most Unix systems, occasionally DER. It should be readable by its owner only
- .pem a Base-64 encoded (PEM format) text file, which may hold a private key, an X.509 certificate, or several such objects concatenated
- .der a binary (DER format) file holding a single object, usually a certificate, occasionally a private key
- .cer and .crt a certificate file in either DER or PEM format; the extension does not reliably tell you which, so check the content (a PEM file starts with a "-----BEGIN" line, a DER file is binary)
- .cert a certificate in binary format or, more usually, a human-readable text dump of the certificate followed by the PEM-format certificate itself
Browsers import and export a certificate together with its private key in a binary format called PKCS#12, whereas grid software, Globus in particular, uses PEM format. CILogon and OSG issue certificates in PKCS#12 format. The PKCS#12 file contains both your certificate and your private key, encrypted under the password you chose when exporting or downloading it; anyone who obtains the file and learns that password can act as you, so protect the file as you would a password. The file extension is typically .p12 if obtained through a browser on UNIX and .pfx if obtained through a browser on Windows. If you plan to use grid software, you need to convert the file to PEM format (a PEM certificate plus a separate, passphrase-protected PEM private key); instructions are specific to the CA.
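The conversion just described, followed by a check of the fields listed at the top of this page, as an added example that is not part of this page or of any CA's own instructions. It assumes openssl 1.1.1 or newer is installed, uses $HOME/.globus as the default output directory (the Globus convention, an assumption here, not something this page states), and reads the import password from the environment variable P12_PASS and the new key passphrase from KEY_PASS (variable names chosen for this example) when they are set, prompting on the terminal otherwise:

```shell
#!/bin/sh
# Added example, not from the original page: turn a browser-exported PKCS#12
# file into the PEM certificate and PEM private key that Globus-style grid
# tools read, then inspect the fields listed above. Assumes openssl 1.1.1 or
# later on PATH. Output directory defaults to $HOME/.globus (Globus convention,
# assumed here). $P12_PASS supplies the import password and $KEY_PASS the new
# key passphrase when set; otherwise openssl prompts on the terminal.
set -eu

# Report whether a file is PEM (text with a "-----BEGIN" line) or DER (binary;
# a DER certificate begins with the ASN.1 SEQUENCE tag 0x30). The extension
# (.cer, .crt, .pem, .der) is deliberately ignored because it is unreliable.
cert_encoding() {
    if grep -q -- '-----BEGIN ' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = 30 ]; then
        echo der
    else
        echo unknown
    fi
}

# Split the bundle into usercert.pem (world-readable) and userkey.pem
# (owner-only, still passphrase-protected). A plaintext key (-nodes) is
# deliberately not offered.
p12_to_pem() {
    p12=$1
    outdir=${2:-"$HOME/.globus"}
    passin=${P12_PASS:+-passin env:P12_PASS}
    passout=${KEY_PASS:+-passout env:KEY_PASS}
    # Subshell so the restrictive umask does not leak into the caller's shell.
    ( umask 077
      mkdir -p "$outdir"
      # -clcerts keeps only the end-entity certificate and drops any CA
      # certificates the browser bundled into the export.
      openssl pkcs12 -in "$p12" -clcerts -nokeys $passin -out "$outdir/usercert.pem"
      # The key is re-encrypted under the new passphrase on the way out.
      openssl pkcs12 -in "$p12" -nocerts $passin $passout -out "$outdir/userkey.pem" )
    chmod 644 "$outdir/usercert.pem"
    chmod 400 "$outdir/userkey.pem"
}

# Subject DN in the legacy slash-separated form ("/DC=org/DC=cilogon/...")
# that grid software and the Subject DN examples on this page use.
cert_subject_dn() {
    openssl x509 -in "$1" -noout -nameopt compat -subject | sed 's/^subject= *//'
}

# Print the fields listed at the top of the page: subject, issuer, serial
# number, validity period and the key-usage extensions.
cert_summary() {
    openssl x509 -in "$1" -noout -nameopt compat \
        -subject -issuer -serial -dates -ext keyUsage,extendedKeyUsage
}

# Stand-alone use: sh p12-to-pem.sh /path/to/usercred.p12 [outdir]
if [ $# -ge 1 ]; then
    p12_to_pem "$@"
    cert_summary "${2:-$HOME/.globus}/usercert.pem"
fi
```

Two caveats worth knowing: OpenSSL 3 may refuse a .p12 produced by an older OpenSSL or browser with the RC2-based algorithms ("unsupported" error); adding `-legacy` to the two `openssl pkcs12` commands makes it read such files. And the original .p12 still holds your private key after conversion, so either delete it or keep it with the same 0400 permissions as userkey.pem.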
Within your certificate, you are identified uniquely by your "distinguished name" or DN. A DN has several components which identify the issuing CA, your organization, you and possibly other entities.
The CILogon certificate format has Subject DNs of the form:
/DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Lab/OU=People/CN=<your name>/CN=UID:<your_username>
e.g. /DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Lab/OU=People/CN=Joe Blow/CN=UID:joeblow
The OSG certificate format has Subject DNs of the form:
/DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=<your name> <some number>
e.g. /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=Joe Blow 123
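Pulling individual components out of the two DN shapes above, as an added example that is not part of this page. The function names are chosen here. It handles the two things that trip up a naive `grep CN=`: the same attribute can appear more than once (CILogon DNs carry two CNs, the display name and the UID), and DNs copied from some tools or documents come with whitespace around "=", which has to be stripped before two DNs are compared:

```shell
#!/bin/sh
# Added example, not from the original page: parse slash-separated Subject
# DNs of the CILogon and OSG forms shown above. Function names are chosen
# for this example. Attribute values containing "/" are not supported, since
# the legacy slash format itself is ambiguous for them.
set -eu

# Canonical form: no whitespace before "/", none around "=", none trailing.
# "/DC = com/OU = People/ CN = Joe Blow 123" -> "/DC=com/OU=People/CN=Joe Blow 123"
dn_normalize() {
    printf '%s\n' "$1" | sed -e 's| */|/|g' \
                             -e 's|/ *\([A-Za-z]*\) *= *|/\1=|g' \
                             -e 's/ *$//'
}

# dn_attr DN ATTR [N]: print the N-th (default: first) value of ATTR, or
# exit 1 when the DN has no such component.
dn_attr() {
    dn_normalize "$1" | tr '/' '\n' | awk -F= -v want="$2" -v n="${3:-1}" '
        $1 == want { if (++seen == n) { sub(/^[^=]*=/, ""); print; found = 1; exit } }
        END { exit found ? 0 : 1 }'
}

# Two DNs are the same identity if they agree after normalisation.
dn_equal() {
    [ "$(dn_normalize "$1")" = "$(dn_normalize "$2")" ]
}

# CILogon DNs put the local username in the second CN as "UID:<username>".
# Fails for DNs (such as OSG ones) that do not carry that component.
cilogon_username() {
    uid=$(dn_attr "$1" CN 2) || return 1
    case $uid in
        UID:*) printf '%s\n' "${uid#UID:}" ;;
        *)     return 1 ;;
    esac
}

# Stand-alone use: sh dn.sh '<dn>' ATTR [N]
if [ $# -ge 2 ]; then
    dn_attr "$@"
fi
```

A grid-mapfile or access list that compares DNs as raw strings will reject a user whose DN was pasted with stray spaces or an extra space before a "/", which is why both sides are normalised in `dn_equal`; and for CILogon DNs the first CN is the human-readable name, so the username must be read from the second one.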