tags:

views:

709

answers:

4
Q: 

what means subject in certificate?

Hi guys,

The related link is this MSDN article.

I am always confused about the term "subject", for example, sk option "Specifies the subject's key container location", sr option "Specifies the subject's certificate store location". What exactly mean subject? The certificate owner? The certificate issuer (e.g. the root CA which issues the certificate)? Or something else?

regards, George

+2  A: 

Subject is the certificate's common name and is a critical property for the certificate in a lot of cases if it's a server certificate and clients are looking for a positive identification.

As an example on an SSL certificate for a web site the subject would be the domain name of the web site.

sipwiz  2009-03-16 11:26:39
Thanks sipwiz! Could I treat is as certificate holder's name? Or better treat it as a friendly name for a certificate?
George2  2009-03-16 11:28:46
You can really treat it however you like as it depends on the certificate's purpose. If it's for a web site it must be the domain name, if it's for email identification it must be the email address and so on.
sipwiz  2009-03-16 11:56:02
A: 

Hi

The Subject, in security, is the thing being secured. In this case it could be a persons email or a website or a machine.

If we take the example of an email, say my email, then the subject key container would be the protected location containing my private key.

The certificate store usually refers to Microsoft certificate store which contains certificates form trusted roots, machines on the network, people etc. In my case the subjects certificate store would be the place, within this store, holding my certificates.

If you are working within a microsoft domain then the subject name will invariably hold the Distinguished Name, of the subject, which is how the domain references the subject and holds it in its directory. e.g. CN=Mark Sutton, OU=Developers, O=Mycompany C=UK

To look at your certificates on a microsoft machine:-

Log in as you run>mmc Select File>add/remove snap-in and select certificates then select my user account click Finish then close then ok. Look in the personal area of the store.

In the other areas of the store you will see the other trusted certificates used to validate signatures etc.

Mark Sutton
http://www.blacktipconsulting.com
http://twitter.com/msutton

Mark Sutton  2009-03-16 14:58:06
A: 

My typical expectation is than when "subject" is used a context like this, it means the target of the certificate. If you think of a certificate as a cryptographically secured description of a thing (person, device, communication channel, etc), then the subject is the stuff related to that thing.

It's not the thing itself. For example, no one would say "the subject takes his SmartCard and authenticates his PIN". That would be the "user".

But it usually relates to the various data items related to that that thing. For example:

  • Subject DN = Subject Distinguished Name = the unique identifier for what this thing is. Includes information about the thing being certified, including common name, organization, organization unit, country codes, etc.
  • Subject Key = part (or all) of the certificate's private/public key pair. If it's coming from the certificate, it's the public key. If it's coming from a key store in a secure location, it's probably the private key. Either part of the key is the cryptographic data used by the thing that received the certificate.
  • Subject certificate - the end point for the transaction - this is the thing requesting some secure capability - like integrity checking, authentication, privacy, etc.

Usually, it's used to distinguish between the other players in the PKI world. Namely the "issuer" and the "root". The issuer is the CA that issued the cert (to the subject), and the root is the CA that is end point of all the trust in the heirarchy. The typical relationship is root--->issuer--->subject.

bethlakshmi  2009-04-03 15:28:00
A: 

Is Subject the content of certificate?

and what content of Subject is used for IKE V2?

 2010-05-17 12:17:46

related questions

Install certificates in to the Windows Local user certificate store in C#
How to automate importing certificates on a Windows CE device?
XMPP Server-to-Server for Gmail.com/Jabber.org
Signing a Windows exe file
Code Signing Certificate Options
Who sells the cheapest EV SSL certificate?
How can I deploy an iPhone Application from Xcode to real iPhone device
Where does makecert store the private key if -sv is not specified?
Tool for Viewing X.509 Certificates?
Cannot find the X.509 Certificate using the following search criteria:
How can I convert a SSL certificate from PEM to DER and keep the private key?
IE: Choose a digital certificate from a blank, empty list
Is it possible to use ServicePointManager with Webbrowser control?
How to disable "Security Alert" window in Webbrowser control
Cheapest Java Code Signing Certificate? (not self-signed)
Security implications of disabling the Common Name check for HTTPS
XPI signing linux no gui
How do you sign your Firefox extensions?
How do I sign a Java applet using a certificate in my Mac keychain?
WCF Routing Message Security
Enumerating Certificate Fields in C#
Why is this X.509 certificate considered invalid?
Custom X509SecurityTokenManager ignored
C# utility to create a CA
Java Code Signing Certificates...same as SSL Certificate?