Reputation: 2733
In x509, what is the difference between the key-pair and the certificate?
I've generated a key-pair using keytool -genkeypair command. I presume this create a pair of private key and public key.
I've also generated a CSR out of this key-pair using the keytool -certreg command. I got it signed by our CA (or whatever they call it) and I got another certificate in return along with it is its thumbprint.
My question is, what am I going to use that certificate for or what is its purpose? I'm still able to generate a JWT just using the private key.
Upvotes: 2
Views: 2204
Answers (1)
Reputation: 95888
A key is a set of mathematical parameters describing how to initialize certain algorithms for cryptographic operations, e.g. for signing/verification or for encryption/decryption.
A key pair merely is a pair of such keys where each key can verify what the other one has signed or where each key can decrypt what the other one has encrypted.
One key in such a pair is declared the public key and the other one the private key. (This choice is not completely arbitrary, there can be different extra requirements to a private key than to a public one.)
There is nothing in these keys declaring that they are bound to a specific person, to a specific issuer, to a specific purpose, to a specific accountability, etc.
This is where X.509 certificates come into the picture: A X.509 certificate is a structure that bundles the public key of a key pair with extra information like the name of the holder of the key pair, the name of an issuer of the certificate, validity time spans, and much more.
This structure furthermore contains a signature of all those other data in the structure. This signature is generated using the private key of the issuer of the certificate.
The information in the certificate in particular allows you to determine the issuer of it. If you trust organization of the issuer to only issue certificates to persons whose identity they checked, and if you successfully validated that the certificate signature is valid and created by the issuer, you can trust the identity of the holder of the key pair of a given certificate.
Thus,
My question is, what am I going to use that certificate for or what is its purpose? I'm still able to generate a JWT just using the private key.
you provide your certificate publicly to allow people to be sure of your identity when they use the contained public key to validate your signatures or encrypt information they send to you. Without a mechanism like the certificates you'd have to give people your public key in person for them to be sure of that.
Upvotes: 3
Related Questions
- X.509: Private / Public Key
- What is an X509 certificate profile?
- Difference between Entry Type "keyEntry" and "trustedCertEntry" in a keystore
- Difference between key pair and self signed certificate using keytool?
- What is the difference between X509Certificate2 and X509Certificate in .NET?
- Where Key pair is generated (At Registration Authority Side or Certificate Authority Side )if i want Certificate with PKCS 12 certificate format
- What does "paired" Certificate & Key look like in a keystore?
- X.509 Self Signed Certificates
- Why certificate is needed for signing instead of just private/public key pair?
- What is the difference between the x.509 V3 extensions Basic Constraints and Key Usage to create a CA certificate?