A certificate is a statement signed by one entity that
associates another entity with a public key. Let’s say, for
example, that Robin Hood wants to find out Will Scarlet’s
public key so that he can accept messages signed by Will. Marian has
obtained Will’s key securely; it now resides in her
javakey database. She can’t just export the
key and send a file to Robin Hood, though; the Sheriff might
intervene and give Robin Hood a bogus key. So Marian creates a
certificate, using information about herself, information about Will,
and his public key. Marian is the issuer of this
certificate, and Will is the subject.
Because the information that goes into a certificate can be lengthy,
javakey uses a directive
in addition to command-line options for
generating certificates. The directive file contains information
about Marian, who is issuing the certificate, and Will, who is the
subject of the certificate.
Certificates come in chains. Let’s consider the certificate we just talked about. It certifies that Will Scarlet’s public key has a certain value, and it is signed by Marian’s private key. To verify the certificate, we need to know Marian’s public key. How do we verify Marian’s public key? We’d have a certificate stating the value of Marian’s public key, signed by someone else. We verify that certificate using another certificate, and so on. How does this end? Eventually, we come to a self-signed certificate, issued by a Certificate Authority (CA). This is a special ...