@page
@copyrightstart
-Copyright (c) 1994-2008 Kungliga Tekniska Högskolan
+Copyright (c) 1994-2019 Kungliga Tekniska Högskolan
(Royal Institute of Technology, Stockholm, Sweden).
All rights reserved.
@menu
* Introduction::
-* What is X.509 ?::
+* What are X.509 and PKIX ?::
* Setting up a CA::
* CMS signing and encryption::
* Certificate matching::
@end detailmenu
@end menu
-@node Introduction, What is X.509 ?, Top, Top
+@node Introduction, What are X.509 and PKIX ?, Top, Top
@chapter Introduction
-The goals of a PKI infrastructure (as defined in
-<a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280</a>) is to meet
-@emph{the needs of deterministic, automated identification, authentication, access control, and authorization}.
+A Public Key Infrastructure (PKI) is an authentication mechanism based on
+entities having certified cryptographic public keys and corresponding private
+(secret) keys.
+
+The ITU-T PKI specifications are designated "x.509", while the IETF PKI
+specifications (PKIX) are specified by a number of Internet RFCs and are based
+on x.509.
+The goals of a PKI (as stated in
+<a href="http://www.ietf.org/rfc/rfc5280.txt">RFC 5280</a>) is to meet
+@emph{the needs of deterministic, automated identification, authentication, access control, and authorization}.
The administrator should be aware of certain terminologies as explained by the aforementioned
RFC before attemping to put in place a PKI infrastructure. Briefly, these are:
Certificate Authority
@item RA
Registration Authority, i.e., an optional system to which a CA delegates certain management functions.
+@item Certificate
+A binary document that names an entity and its public key and which is signed
+by an issuing CA.
@item CRL Issuer
An optional system to which a CA delegates the publication of certificate revocation lists.
@item Repository
and serves as a means of distributing these certificates and CRLs to end entities
@end itemize
-hx509 (Heimdal x509 support) is a near complete X.509 stack that can
+hx509 (Heimdal x509 support) is a near complete X.509/PKIX stack that can
handle CMS messages (crypto system used in S/MIME and Kerberos PK-INIT)
and basic certificate processing tasks, path construction, path
validation, OCSP and CRL validation, PKCS10 message construction, CMS
hx509 can use PKCS11 tokens, PKCS12 files, PEM files, and/or DER encoded
files.
-@node What is X.509 ?, Setting up a CA, Introduction, Top
-@chapter What is X.509, PKIX, PKCS7 and CMS ?
+hx509 consists of a library (libhx509) and a command-line utility (hxtool), as
+well as a RESTful, HTTPS-based service that implements an online CA.
+
+@node What are X.509 and PKIX ?, Setting up a CA, Introduction, Top
+@chapter What are X.509 and PKIX, PKIX, PKCS7 and CMS ?
-X.509 was created by CCITT (later ITU) for the X.500 directory
+X.509 was created by CCITT (later ITU-T) for the X.500 directory
service. Today, X.509 discussions and implementations commonly reference
the IETF's PKIX Certificate and CRL Profile of the X.509 v3 certificate
standard, as specified in RFC 3280.
Name or Key Identifier, and tries to find that certificate while at the
same time evaluting any policies in-place.
-@node Setting up a CA, Creating a CA certificate, What is X.509 ?, Top
+@node Setting up a CA, Creating a CA certificate, What are X.509 and PKIX ?, Top
@chapter Setting up a CA
Do not let information overload scare you off! If you are simply testing
@c $Id$
-@node What is Kerberos?, Building and Installing, Introduction, Top
+@node What is Kerberos?, What is PKIX?, Introduction, Top
@chapter What is Kerberos?
@quotation
These documents can be found on our web-page at
@url{http://www.pdc.kth.se/kth-krb/}.
+
+@node What is PKIX?, What is a Certification Authority (CA)?, What is Kerberos?, Top
+@chapter What is PKIX?
+
+PKIX is the set of Internet standards for Public Key Infrastructure (PKI),
+based on the ITU-T's x.509 standads. PKI is an authentication mechanism based
+on public keys (the 'PK' in 'PKI').
+
+In PKIX we have public keys "certified" by certification authorities (CAs). A
+"relying party" is software that validates an entity's certificate and, if
+valid, trusts the certified public key to "speak for" the entity identified by
+the certificate.
+
+In a PKI every entity has one (or more) certified public/private key pairs.
+
+@node What is a Certification Authority (CA)?, What is kx509?, What is PKIX?, Top
+@chapter What is a Certification Authority (CA)?
+
+A Certification Authority (CA) is an entity in a PKI that issues certificates
+to other entities -- a CA certifies that a public key speaks for a particular,
+named entity.
+
+There are two types of CAs: off-line and online. Typically PKI hierarchies are
+organized such that the most security-critical private keys are only used by
+off-line CAs to certify the less security-critical public keys of online CAs.
+
+Heimdal has support for off-line CAs using its Hx509 library and hxtool
+command.
+
+Heimdal also has an online CA with a RESTful, HTTPS-based protocol.
+
+@node What is kx509?, What is bx509?, What is a Certification Authority (CA)?, Top
+@chapter What is kx509?
+
+kx509 is a kerberized certification authority (CA). Heimdal implements this
+protocol in its KDC. The protocol is specified by <a
+href="http://www.ietf.org/rfc/rfc6717.txt">RFC 6717</a>, though Heimdal has
+implemented a number of extensions as well. A client is implemented by the
+heimtools command's kx509 sub-command.
+
+@node What is bx509?, Building and Installing, What is kx509?, Top
+@chapter What is kx509?
+
+bx509 is an online CA, like kx509, but the protocol is based on HTTPS.
+
+Heimdal's bx509d implementation of bx509 implements two authentication bridges:
+a "/bx509" end-point that allows clients to trade bearer tokens (including
+Negotiate/Kerberos) and CSRs for certificates, and a "/bnegotiate" end-point
+allowing clients to trade bearer tokens (including Negotiate/Kerberos) for
+Negotiate tokens to HTTP servers.