Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What does "subject" mean in certificate? [closed]

Tags:

certificate

x509

pki

The related link is this MSDN article.

I am always confused about the term "subject", for example, sk option "Specifies the subject's key container location", sr option "Specifies the subject's certificate store location". What exactly does subject mean here? The certificate owner? The certificate issuer (e.g. the root CA which issues the certificate)? Or something else?

like image 495
George2 Avatar asked Mar 16 '09 11:03

George2

People also ask

What is subject alternative name in certificate?

The Subject Alternative Name (SAN) is an extension to the X. 509 specification that allows users to specify additional host names for a single SSL certificate. The use of the SAN extension is standard practice for SSL certificates, and it's on its way to replacing the use of the common name.

How do I add a Subject Alternative Name to a certificate?

To add a Subject Alternative NameSelect SSL Certificates and then select Manage for the certificate you want to change. Select Change Subject Alternative Names. For Add a domain, enter the SAN you want to add and then select Add.

How do I know if my certificate is intermediate?

We can differentiate a root certificate from an intermediate one by looking at the certificate itself. If the Issued to and Issued by fields are same then it is a root certificate, otherwise it is an intermediate. Another identification would be to look at the Certification Path.

2 Answers

The Subject, in security, is the thing being secured. In this case it could be a person's email or a website or a machine.

If we take the example of an email, say my email, then the subject key container would be the protected location containing my private key.

The certificate store usually refers to the Microsoft certificate store which contains certificates form trusted roots, machines on the network, people etc. In my case the subjects certificate store would be the place, within this store, holding my certificates.

If you are working within a Microsoft domain then the subject name will invariably hold the Distinguished Name, of the subject, which is how the domain references the subject and holds it in its directory. e.g. CN=Mark Sutton, OU=Developers, O=Mycompany C=UK

To look at your certificates on a Microsoft machine:-

Log in as you
run>mmc
Select File>add/remove snap-in and select certificates then select my user account
click Finish then close then ok.
Look in the personal area of the store.

In the other areas of the store you will see the other trusted certificates used to validate signatures etc.

like image 158
J Hunt Avatar answered Sep 30 '22 21:09

J Hunt

My typical expectation is than when "subject" is used a context like this, it means the target of the certificate. If you think of a certificate as a cryptographically secured description of a thing (person, device, communication channel, etc), then the subject is the stuff related to that thing.

It's not the thing itself. For example, no one would say "the subject takes his SmartCard and authenticates his PIN". That would be the "user".

But it usually relates to the various data items related to that that thing. For example:

  • Subject DN = Subject Distinguished Name = the unique identifier for what this thing is. Includes information about the thing being certified, including common name, organization, organization unit, country codes, etc.
  • Subject Key = part (or all) of the certificate's private/public key pair. If it's coming from the certificate, it's the public key. If it's coming from a key store in a secure location, it's probably the private key. Either part of the key is the cryptographic data used by the thing that received the certificate.
  • Subject certificate - the end point for the transaction - this is the thing requesting some secure capability - like integrity checking, authentication, privacy, etc.

Usually, it's used to distinguish between the other players in the PKI world. Namely the "issuer" and the "root". The issuer is the CA that issued the cert (to the subject), and the root is the CA that is end point of all the trust in the heirarchy. The typical relationship is root--->issuer--->subject.

like image 26
bethlakshmi Avatar answered Sep 30 '22 23:09

bethlakshmi
Sign in to Comment

Related questions

What certificates are trusted in truststore?
NodeJS & SSL - "bad password read"
Get certificate fingerprint of HTTPS server from command line?
HTTP error 403.16 - client certificate trust issue
PKIX path building failed: unable to find valid certification path to requested target
"Warning: unable to build chain to self-signed root for signer" warning in Xcode 9.2
"The credentials supplied to the package were not recognized" error when authenticating as server with certificate generated using BouncyCastle
Developing for iOS on multiple computers, testing on a single device, advice?
An error has occurred. Unable to import an item. The contents of this item cannot be retrieved. Missing .pem file
Android Studio: Server's certificate is not trusted
Get list of certificates from the certificate store in C#
key chain warning The “System Roots” keychain cannot be modified [closed]
Bouncycastle: X509CertificateHolder to X509Certificate?
heroku: set SSL certificates on Free Plan?
Signing a certificate with my CA
How to retrieve/compute an X509 certificate's thumbprint in Java?
How to renew an iPhone development certificate?
iphone app: how to renew an expired distribution certificate through the iOS provisioning portal
Sign certificate without prompt in shell-script
Xcode - iPhone - profile doesn't match any valid certificate-/private-key pair in the default keychain

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!