Java Cryptography by Jonathan Knudsen

A certificate is a statement signed by one entity that associates another entity with a public key. Let’s say, for example, that Robin Hood wants to find out Will Scarlet’s public key so that he can accept messages signed by Will. Marian has obtained Will’s key securely; it now resides in her javakey database. She can’t just export the key and send a file to Robin Hood, though; the Sheriff might intervene and give Robin Hood a bogus key. So Marian creates a certificate, using information about herself, information about Will, and his public key. Marian is the issuer of this certificate, and Will is the subject.

Because the information that goes into a certificate can be lengthy, javakey uses a directive file in addition to command-line options for generating certificates. The directive file contains information about Marian, who is issuing the certificate, and Will, who is the subject of the certificate.

Certificates come in chains. Let’s consider the certificate we just talked about. It certifies that Will Scarlet’s public key has a certain value, and it is signed by Marian’s private key. To verify the certificate, we need to know Marian’s public key. How do we verify Marian’s public key? We’d have a certificate stating the value of Marian’s public key, signed by someone else. We verify that certificate using another certificate, and so on. How does this end? Eventually, we come to a self-signed certificate, issued by a Certificate Authority (CA). This is a special ...