Security certificates

A brief introduction to Security Certificates.

Digital Certificate

Digital certificates are digital documents that form an unforgeable cryptographic binding between a security principal's identity (the X.509v3 'subject', that is, who the certificate is issued to) and the public key of a public/private asymmetric key pair. Digital certificates used within an IBM Cloud Object Storage System comply with the ITU-T X.509v3 specification, which defines a standard for managing public keys through a Public Key Infrastructure (PKI). In an IBM Dispersed Storage System® deployment, the certificate 'subjects' are the Slicestor® devices, Accesser® devices, and manager hosts that make up the Cloud Object Storage System. These X.509 certificates are endorsed and signed by a certificate authority (CA) that is deployed on the Cloud Object Storage manager host. A Cloud Object Storage system administrator or host can use the corresponding digital signature to verify that a certificate is authentic. Identity claims are usually human-readable and use the Cloud Object Storage System host machine's Fully Qualified Domain Name (FQDN) or distinguished name (DN). A certificate has a limited valid lifetime, which is recorded in its signed contents.

Key Fingerprints

Fingerprinting algorithms map a large data item to a short, unique string, referred to as a fingerprint, that identifies the original data. Cryptographic hash functions, for example, are commonly used as fingerprint functions. An important objective is to minimize the likelihood of a collision, that is, two different data items that map to the same fingerprint. In addition, when fingerprints are used to check file integrity, the fingerprinting algorithm must be cryptographically secure so that a modified file cannot be made to produce the same fingerprint as the original file.

Signed Cloud Object Storage System Certificate

The security certificate for a specific device. This information was used to initially configure the device at installation and cannot be changed through the manager. Any change made on the device via the setup utility causes the manager to reissue this certificate and update these fields.

Subject
Identifies the entity that is associated with the public key. For Cloud Object Storage System hosts, the Subject field is populated with each host's DN (distinguished name).
Key Fingerprint
A public key fingerprint (or thumbprint) is a short sequence of bytes used to authenticate or look up a longer public key. Fingerprints are created by applying a cryptographic hash function to a digital certificate. Since fingerprints are shorter than the keys they refer to, they can be used to simplify certain key management tasks.
Validity Dates
Specifies the beginning and ending validity dates for each certificate. For Cloud Object Storage System hosts, it represents the date on which the key pair was signed and the date by which the key pair must be renewed. The validity period for signed Cloud Object Storage System host certificates is one year.
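The following is an added example, not code from IBM or the Cloud Object Storage product, illustrating the two certificate fields described above and the Key Fingerprints section: a fingerprint is a hash over the certificate's DER encoding (so the PEM and DER forms of the same certificate yield the same fingerprint, and any modification changes it), and the validity window is a simple date comparison against the signed Not Before / Not After values. The certificate bytes and dates are constructed placeholders, not a real X.509 certificate.

```python
import base64
import hashlib
from datetime import datetime, timedelta

# Constructed sample: placeholder bytes standing in for a DER-encoded
# certificate (NOT a real X.509 structure). Fingerprinting only hashes the
# encoded bytes, so the demonstration does not depend on parsing ASN.1.
SAMPLE_DER = b"constructed-placeholder-certificate-bytes-not-a-real-x509-der"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body to recover the DER bytes."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("not a PEM-encoded certificate")
    return base64.b64decode("".join(lines[1:-1]))


def fingerprint(cert, algorithm="sha256"):
    """Certificate fingerprint: hash of the DER encoding as colon-separated hex.

    Accepts either DER bytes or a PEM string; both are normalised to DER first
    so the same certificate always produces the same fingerprint.
    """
    der = pem_to_der(cert) if isinstance(cert, str) else cert
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_validity(not_before, not_after, now, renew_within_days=30):
    """Classify a certificate's validity window at time `now`.

    All three arguments are ISO 8601 timestamps (the form shown in the manager
    UI is assumed). Returns 'not-yet-valid', 'expired', 'renew-soon' or 'valid';
    'renew-soon' flags certificates approaching the end of their one-year term.
    """
    nb, na, at = (datetime.fromisoformat(t) for t in (not_before, not_after, now))
    if at < nb:
        return "not-yet-valid"
    if at > na:
        return "expired"
    if na - at <= timedelta(days=renew_within_days):
        return "renew-soon"
    return "valid"
```

Comparing the fingerprint shown in the manager against one computed from the certificate presented by a device is how an administrator confirms the two refer to the same key; a mismatch after a setup-utility change is expected, since the manager reissues the certificate.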