Glossary #
- CA #
A certificate authority (CA) responsible for issuing digital certificates that authenticate the identity of individuals, organizations or servers on the Internet. It can be either a publicly trusted CA, such as Let's Encrypt, or a private CA in which case you sign the certificate yourself.
- CSR #
To have a certificate signed by a CA, you need to generate a public key and send it to the CA for signing. This process is called a certificate signing request (CSR).
- DH key exchange #
Diffie–Hellman key exchange (DH) is a mathematical method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols. It was named after cryptologists Whitfield Diffie and Martin Hellman. DH is one of the earliest practical examples of public key exchange based on a private key and a corresponding public key.
- ECDSA #
Elliptic curve digital signature algorithm (ECDSA) is a cryptographic algorithm used to generate digital signatures based on the mathematics of elliptic curves. It is widely used for digital signature generation and verification in cryptographic protocols and applications, including TLS for secure communication over the Internet.
- end-entity certificate #
TLS certificates issued to individual entities such as Web sites, servers or clients. These certificates are signed by subordinate CAs and are used to authenticate and encrypt communication between clients and servers.
- Openssl #
An open-source software library that provides cryptographic functions and utilities to secure communication. It is used in SLES for implementing secure protocols, such as TLS.
- PEM #
A privacy enhanced mail (PEM) file is a commonly used file format for storing cryptographic objects such as certificates, private keys and certificate signing requests.
- PFS #
Perfect forward secrecy (PFS) is a feature of specific key-agreement protocols assuring that session keys are not compromised even if long-term secrets—such as the private key of the server—used in the session key exchange are compromised.
- PKI #
The public key infrastructure (PKI) is a set of policies, processes, software and hardware used to create, manage, distribute, use, store and revoke digital certificates. PKI enables secure communication and authentication over insecure networks, such as the Internet.
- private key #
A counterpart to the public key in asymmetric cryptography. It is kept secret and known only to the owner of the key pair. When a client connects to a server over TLS, the server sends its digital certificate with a public key. The client uses it to encrypt data, ensuring that only the server's private key can decrypt it.
- public key #
A part of a TLS certificate which acts as a digital identity for the server. When a client connects to the server over TLS, it requests the server's certificate, which contains the public key. The public key is freely distributable and is used for data encryption.
- root CA #
A trusted entity at the top of the certificate chain. It signs subordinate CAs and end-entity CAs. Root certificates are preinstalled in SLES to establish trust.
- SSL #
Secure socket layer (SSL) was the predecessor of the TLS protocol. SSL version 3.0 was replaced by TLS 1.0 in 1999 to address existing vulnerabilities.
- subordinate CA #
CAs that live between the root and end-entity certificates and are used to sign other certificates, including end-entity certificates. Their main purpose is to define and authorize the types of certificates that can be requested from the root CA. For example, there can be different subordinate CAs for different locations, or encryption key types.
- TLS #
Transport layer security (TLS) is a protocol that provides secure communication between client-server applications. TLS uses asymmetric cryptography with a pair of private and public keys. TLS is the successor to the SSL (Secure Sockets Layer) protocol.
- TLS certificate #
A digital X.509 certificate that helps to secure communication within a client-server system. Using TLS certificate, the client can authenticate the identity of the server and encrypt their mutual communication. The certificate usually includes information about its issuer (CA), identity of its holder, the associated public key, digital signature, and its validation period.
- TLS certificate chain #
A series of certificates used to establish the authenticity and trustworthiness of a particular certificate. A certificate chain can consist of the following certificate types: root CA, subordinate CA and end-entity certificate.
- TLS handshake #
A series of messages exchanged between the client and the server to establish a secure connection. The process involves negotiating cryptographic parameters, authenticating identities, and agreeing on encryption keys before secure communication can begin.
- Trust anchor #
Trust anchor is a root certificate that is inherently trusted by a system or application. This root certificate is used to verify the signatures of other certificates in the certificate chain.
- X.509 #
A standard that defines the format of public key certificates.