Since the last time, I’ve added information about OIDs, OCSP Must-Staple, CP and CPS.
I think the PR is ready to be merged, except if anybody has a last-minute correction?
Here is a preview:
Last updated: December 30, 2018
Authority Information Access (AIA): A certificate property used to indicate to web clients how to obtain information about the issuer of the certificate. It may specify the OCSP URI (OID 1.3.6.1.5.5.7.48.1) or the Certificate Authority Issuer (OID 1.3.6.1.5.5.7.48.2). Let’s Encrypt certificates provide this information. OID 1.3.6.1.5.5.7.1.1
Automatic Certificate Management Environment (ACME): The protocol implemented by Let’s Encrypt. Software compatible with that protocol can use it to communicate with Let’s Encrypt to ask for a certificate. ACME draft 16 - Wikipedia
ACME Client: Software capable of communicating with an ACME server to ask for a certificate.
ACME Server: An ACME-compatible server capable of generating certificates. Let’s Encrypt’s software, Boulder, is ACME-compatible. Boulder divergences from ACME
Boulder: The software implementing ACME, developed and used by Let’s Encrypt. GitHub
Canonical Name record (CNAME): A DNS entry which maps one domain name to another, referred to as the Canonical Name. Wikipedia
Certificate Authority (CA): An organization that issues certificates. Let’s Encrypt and IdenTrust are Certificate Authorities. Wikipedia
Certificate Authority Authorization (CAA): A DNS record that allows specifying which CAs are allowed to issue certificates for the corresponding domain. Let’s Encrypt checks and respects CAA records. https://letsencrypt.org/docs/caa/ - Wikipedia
Certification Authority Browser Forum: Also known as the CA/Browser Forum, a voluntary consortium of certification authorities, vendors of Internet browser software, operating systems, and other PKI-enabled applications. Let’s Encrypt is a member of the CA/Browser Forum. Wikipedia
Certificate Authority Issuer (CAI): Information about the issuer of the certificate. It may be useful when the web server didn’t provide a trusted certificate chain. OID 1.3.6.1.5.5.7.48.2
Certificate chain: To determine if a system trusts a certificate, it must have a chain of trust ending at a root present in its certificate store. The chain is the list of intermediates leading to that root: the leaf certificate is always signed by an intermediate (which can be signed by another intermediate and so on) which is signed by a root. Note: the path is not always unique, and when a website presents a certificate chain leading to one root, the web client may decide to use another chain, ending in another root, to validate the certificate (this is especially important for Public Key Pinning). Wikipedia
Certificate Policy (CP): A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. ISRG Certificate Policy - RFC 3647 - Wikipedia
Certification Practice Statement (CPS): A statement of the practices that a certification authority employs in issuing, managing, revoking, and renewing or re-keying certificates. ISRG Certification Practice Statement - RFC 3647 section 3.4 - Wikipedia
Certificate Revocation List (CRL): A method to inform about the revocation status of a certificate. Wikipedia
Certificate Signing Request (CSR): A signed file containing the information required by the CA to generate a certificate. The relevant information for Let’s Encrypt is the Common Name and Subject Alternative Names. Wikipedia
Certificate Store: A certificate store contains the list of trusted roots. Operating systems (such as Windows, Android or Debian) and web browsers (such as Firefox) maintain a certificate store. Browsers without one rely on the one of the operating system. Certificates provided by Let’s Encrypt are trusted by those certificate stores: https://letsencrypt.org/certificates/.
Certificate Transparency (CT): To improve security, certificates (or precertificates) must be published in Certificate Transparency Logs to be valid: https://www.certificate-transparency.org/. Let’s Encrypt generates and publishes precertificates and includes in the definitive certificates the proof of publication. Wikipedia
Common name (CN): An attribute of a certificate. For roots and intermediates it’s the name of the certificate. For leaf certificates it’s one of the Subject Alternative Names of the certificate. Note: The common name is limited to 63 characters. OID 2.5.4.3
Cross Signing: An intermediate certificate may be signed by more than one root. For example, Let’s Encrypt intermediates are cross-signed by IdenTrust, initially because the Let’s Encrypt root was not yet trusted by certificate stores. Technically, it’s two intermediates, using the same Common Name and the same Key-pair, one signed by the private key of a Let’s Encrypt root and the other signed by the private key of the IdenTrust root: https://letsencrypt.org/certificates/. Wikipedia
Delegation Name record (DNAME): A DNS record that creates an alias for an entire subtree of the domain name tree. In contrast, the CNAME record creates an alias for a single name and not its subdomains. Wikipedia
Digital Signature Algorithm (DSA): The algorithm used to sign certificates. Wikipedia
DNS-based Authentication of Named Entities (DANE): A mechanism using DNS to indicate how to verify the authenticity of the certificate presented. Wikipedia
Domain Name System Security Extensions (DANE): A mechanism to authenticate DNS responses. Wikipedia
Domain-validated certificate: Certificates where the applicant has only proven control over the domain (and not its identity, unlike OV and EV certificates). Let’s Encrypt offers only DV certificates (not OV nor EV): FAQ. OID 2.23.140.1.2.1 and 1.3.6.1.4.1.44947.1.1.1 - Wikipedia
ECC certificates: Certificates using an Elliptic Curve Key-pair.
Edwards-curve Digital Signature Algorithm (EdDSA): A digital signature scheme using a variant of Schnorr signature based on Twisted Edwards curves. It is designed to be faster than existing digital signature schemes without sacrificing security. Let’s Encrypt doesn’t provide EdDSA certificates. Wikipedia
Elliptic Curve Cryptography (ECC): An approach to public-key cryptography based on elliptic curves. ECC requires smaller keys compared to non-EC cryptography to provide equivalent security. Wikipedia
Elliptic Curve Digital Signature Algorithm (ECDSA): A variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography. Wikipedia. Let’s Encrypt supports ECDSA for end-user certificates but not yet for the chain: https://letsencrypt.org/upcoming-features/
Extended Validation (EV): Certificates for which the CA has verified the legal entity controlling the website. They contain information about that entity. Controls from the CA are stricter than for OV certificates. Let’s Encrypt doesn’t offer EV certificates. Wikipedia
Fully qualified domain name (FQDN): The complete domain name of a website. For example, www.example.org is a FQDN, .org is its TLD and example.com the public suffix. Wikipedia
IdenTrust: A Certificate Authority. IdenTrust has cross-signed Let’s Encrypt intermediates: https://letsencrypt.org/certificates/. Wikipedia
Intermediate certificate: A certificate signed by the private key of a root or another intermediate. Its private key is used to sign intermediates or leaf certificates. They are used to allow the signature of leaf certificates while allowing the private key of the root certificate to be kept offline. They allow cross signing too. Wikipedia
Internationalized Domain Names for Applications (IDNA): See internationalized domain name. RFC 5890 - RFC 5891
Internationalized Domain Name (IDN): Domains with characters other than a to z, 0 to 9 and -. They can for example contain Arabic, Chinese, Cyrillic, Tamil, Hebrew or the Latin alphabet-based characters with diacritics or ligatures. The encoded representation of an IDN domain starts with xn--. IDN is supported by Let’s Encrypt: https://letsencrypt.org/2016/10/21/introducing-idn-support.html. Wikipedia
Internet Security Research Group (ISRG): The organization behind Let’s Encrypt: https://www.abetterinternet.org/about/. Wikipedia
Key-pair: The couple private-key / public-key used to sign or encrypt. The public key is used to encrypt or verify the signature. The private key is used to decrypt data (encrypted by the public key) or sign data. Wikipedia
Leaf certificate (end-user certificate): A certificate signed by a trusted intermediate, valid for a set of domains. Wikipedia
Let’s Encrypt (LE): The Certificate Authority controlled by ISRG. Wikipedia
Mixed content: When a webpage using https loads sub-resources (such as JavaScript, CSS or images) using http, browsers may remove the secure indication, or display an insecure logo: https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content
OCSP Must-Staple: The certificate property OID 1.3.6.1.5.5.7.1.24, informing the web client that the web server must use OCSP stapling. It’s used to ensure that the revocation status of the certificate is checked. Let’s Encrypt can provide certificates with the OCSP Must-Staple property. Mozilla Security Blog
OCSP stapling: Also known as the TLS Certificate Status Request extension, a way for a Web server to send to the Web client an OCSP response signed by the Certificate Authority, so the Web client doesn’t need to contact the CA to check the validity of the certificate, improving speed and privacy. Wikipedia
Object identifiers (OID): Hierarchical identifiers standardized by the International Telecommunications Union (ITU) and ISO/IEC. Certificate policy and Certification Practice Statement define OIDs usage by Certificate Authorities. Wikipedia
Online Certificate Status Protocol (OCSP): A method to check the Revocation of a certificate. Wikipedia
Organization Validation (OV): Certificates for which the CA has verified the legal entity controlling the website. They contain information about that entity. Let’s Encrypt doesn’t offer OV certificates. OID 2.23.140.1.2.2 - Wikipedia
Personal Information Exchange Files (.pfx): A file that may contain a leaf certificate, its chain up to the root and the private key of the leaf. See also https://en.wikipedia.org/wiki/PKCS_12. Microsoft Hardware Dev Center
Precertificate: Precertificates are certificates identical to the final certificate with an additional critical poison extension. They are used for certificate transparency. RFC 6962 Section 3.1
Public Key Cryptographic Standards (PKCS): A group of public-key cryptography standards devised and published by RSA Security. Wikipedia
Public Key Infrastructure (PKI): A set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption. Wikipedia
Public Key Pinning (PKP): A security mechanism consisting of pinning the private key (or certificate). The pinned one can be the leaf, an intermediate of the chain or the root. That mechanism must be handled very carefully because it may prevent even the owner of the website from using a valid certificate. Wikipedia
Public Suffix List (PSL): A list of Public Suffixes maintained by Mozilla. Let’s Encrypt uses that list for rate limits: https://letsencrypt.org/docs/rate-limits/. https://publicsuffix.org/
Revocation: A certificate is valid until its expiration date, except if the CA says it’s been revoked. The certificate may be revoked for various reasons such as the compromise of the private key. Browsers can check if a certificate is revoked using CRL or OCSP but Let’s Encrypt only supports the OCSP method. https://letsencrypt.org/docs/revoking/
Root certificate: A self-signed certificate, controlled by a certificate authority, used to sign its intermediate certificates and included in certificate stores. Wikipedia
RSA: A public-key algorithm used to sign certificates. Wikipedia
Self-signed certificate: A certificate signed by its own private key. Root certificates are self-signed. Wikipedia
Server Name Indication (SNI): When connecting to a web server, a client may specify during the TLS handshake which domain it wants to connect to, in order for the server to answer with the appropriate certificate when multiple domains are hosted behind the same IP. SNI is not encrypted, but its successor, ESNI, is. Wikipedia
Signed Certificate Timestamp (SCT): A proof of publication of a certificate, signed by a Certificate Transparency log. The proof of the publication of a precertificate may be included in the corresponding final certificate. Let’s Encrypt certificates do include the required SCTs. https://www.certificate-transparency.org/how-ct-works
Staging: Let’s Encrypt provides a staging API to test certificate requests without impacting rate limits. Certificates generated by the staging environment are not publicly trusted. https://letsencrypt.org/docs/staging-environment/
Subject Alternative Name (SAN): That field of a certificate is used to indicate for which domain(s) that certificate is valid. It replaces the usage of the Common Name, which is now provided only for compatibility reasons. SAN 2.5.29.17 (RFC 5280) - Wikipedia
Top-Level Domain (TLD): Highest level in the hierarchical Domain Name System, such as country-code top-level domains (ccTLD), for example .de (Germany), .cn (China), and generic top-level domains (gTLD), for example .com, .org. Wikipedia
Unified Communications Certificate (UCC): See Subject Alternative Name (SAN)
Web browser: A web client used to display web pages. Example: Mozilla Firefox, Google Chrome or Internet Explorer. Wikipedia
Web client: Software capable of communicating with a Web server. Example: a web browser or cURL.
Web server: Software serving web pages (or by extension, the hardware server hosting it). Wikipedia
Wildcard Certificates: Certificates valid for any subdomains (but for only one level): a certificate containing a SAN for *.example.com is valid for anything.example.com (but not for something.anything.example.com nor example.com). Let’s Encrypt does provide wildcard certificates. Wikipedia
X.509: The standard defining the format of public key certificates. Wikipedia