BSI TR-02103 X.509 certificates and certification path validation

X.509 certificates are an important pillar of IT security as they enable the realisation of public key infrastructures. The technical guideline TR-02103 contains the most important points that must be observed when using X.509 certificates.

Background

In digital communication, certificates are used to authenticate entities and to verify public keys. Within a public key infrastructure, a certificate binds a public key to the identity of its owner. The most widely used standard for digital certificates is X.509v3. An X.509 certificate serves to establish that a holder's public key is authentic and that it actually belongs to that holder. This is achieved via the so-called certification path, which links the certificate to a trust anchor: each certificate in the path is verified by checking its cryptographic signature with the public key of the preceding certificate. Furthermore, each certificate carries important additional information.

This can be, for example, references to the owner, or information that restricts the intended use or the validity of the certificate. Because these fields are included in the data over which the issuer computes the certificate's cryptographic signature, they are protected against modification and can therefore be relied upon as part of certificate verification.
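The path walk described above, as an added illustration that is not part of the BSI page or of TR-02103: it uses Go's standard crypto/x509 package to build a constructed three-step chain (a self-signed trust anchor, a subordinate CA and an end-entity certificate; all names are made up) and then validates it certificate by certificate. Each signature is checked with the public key of the preceding certificate, the issuer name must chain to the previous subject, and the validity period must contain the verification time; the revocation, name-constraint and policy checks that RFC 5280 also requires are left out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a minimal v3 certificate for cn signed with parentKey; with parent == nil it is
// self-signed and acts as the trust anchor. ca sets the BasicConstraints cA flag. Constructed fixture.
func issue(cn string, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: ca}
	if parent == nil {
		parent, parentKey = t, key // self-signed: the template is its own parent
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER was just produced by the library, so it parses
	return cert, key
}

// validatePath walks the path from the trust anchor (issuer) towards the end entity. For each
// certificate it checks that the issuer name equals the previous subject, that now lies inside the
// validity period, and that the signature verifies under the previous public key; CheckSignatureFrom
// additionally refuses an issuer without the cA flag. Revocation and name constraints are out of scope.
func validatePath(issuer *x509.Certificate, path []*x509.Certificate, now time.Time) error {
	for i, c := range path {
		if !bytes.Equal(c.RawIssuer, issuer.RawSubject) {
			return fmt.Errorf("cert %d (%s): issuer does not match previous subject %s", i, c.Subject, issuer.Subject)
		}
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return fmt.Errorf("cert %d (%s): outside validity period", i, c.Subject)
		}
		if err := c.CheckSignatureFrom(issuer); err != nil {
			return fmt.Errorf("cert %d (%s): %w", i, c.Subject, err)
		}
		issuer = c // the public key certified here verifies the next certificate
	}
	return nil
}
```

A chain built with issue("Root CA", true, nil, nil), a subordinate CA issued by that root and an end-entity certificate issued by the subordinate validates only against the matching root, only within its validity window, and only if every intermediate carries the cA flag.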

TR-02103

Contents and download of TR-02103

The technical guideline covers the choice of certificate contents when certificates are created, and the correct and secure verification of the validity of a certificate or a certification path in particular application contexts. These requirements are based on RFC 5280 and other application-specific specifications, but go beyond them.

BSI Technische Richtlinie TR-02103: X.509-Zertifikate und Zertifizierungspfadvalidierung

Scope

In connection with the generation and use of certificates, there is a whole range of further security-relevant aspects that TR-02103 does not cover. These include, for example:

  • reliable identification of entities as a prerequisite for issuing certificates
  • secure generation and storage of the associated private keys
  • appropriate user action to enable the signing function (e.g. PIN or password entry)
  • compliance with recommendations on the use of cryptographic algorithms

Further information on the last point can be found in the following technical guidelines:

BSI TR-02102-1 "Kryptographische Verfahren: Empfehlungen und Schlüssellängen" Version: 2024-01

BSI TR-02102-2 "Kryptographische Verfahren: Verwendung von Transport Layer Security (TLS)" Version: 2024-1

BSI TR-02102-3 "Kryptographische Verfahren: Verwendung von Internet Protocol Security (IPsec) und Internet Key Exchange (IKEv2)" Version: 2024-01