15 Certificate details

Contents

15 Certificate details

In Chapter 7.3, you have already seen the detailed dialog for the certificate you generated. It contains a lot of information about your certificate. The following section provides a more detailed overview of the most important points, with brief information on the differences between OpenPGP and X.509 certificates, including:

• user ID
• fingerprints
• key ID
• validity
• trust in certificate holders (OpenPGP only)
• authentications (OpenPGP only)

The user ID

consists of the name and e-mail address which you entered during the certificate creation process, e.g.
Heinrich Heine <heinrich@gpg4win.de>

For OpenPGP certificates, you can use Kleopatra to add additional user IDs to your certificate using the menu Certificates -> Add user ID... menu item. This makes sense if, for example, you wish to use the same certificate for another e-mail address.

Please note: Kleopatra only allows you to add user IDs for OpenPGP certificates, but not X.509.

Fingerprints

are used to differentiate multiple certificates from each other. You can use fingerprints to look for (public) certificates, which are stored on a globally available OpenPGP certificate server (key server) or an X.509 certificate server. You can read more about certificate servers in the next chapter.

The key ID

consists of the last eight characters of the fingerprint and fulfils the same function. While less characters make it easier to handle key IDs, they also increase the risk of multiple hits (different certificates with the same ID).

The validity

of certificates describes the duration of their validity and their expiry date, if applicable.

In the case of OpenPGP certificates, the validity is usually set to Indefinite . You can change this in Kleopatra by clicking on [Change expiry date] in the certificate details - or select the Certificates -> Change expiry date and enter a new date. This means that you can declare the certificate valid for a limited time period, e.g. in order to issue it to outside employees.

The validity of X.509 certificates is defined by the certificate authority when the certificate is issued, and cannot be changed by the user.

Trust in the certificate holder

your own subjective confidence that the owner of the OpenPGP certificate is real (authentic) and that he will also correctly authenticate other OpenPGP certifictes. You set the trust with [Change trust in certificate holder] in the certificate details, or via the menuCertificates -> Change trust status menu item.

The trust status is only relevant for OpenPGP certificates. No such method exists for X.509 certificates.

Authentications

include the user IDs of those certificate holders who are convinced of the authenticity of your certificate and have thus authenticated it. Trust in the authenticity of your certificate increases with the number of authentications you receive from other users.

Authentications are only relevant to OpenPGP certificates. This type of trust mechanism does not exist for X.509 certificates.

You do not necessarily have to know the certificate details to use Gpg4win on a daily basis, but they do become relevant when you want to receive or change new certificates.

You already learnt how to inspect and authenticate someone else's certificate and about the "Web of Trust" in Chapter 11.

15 Certificate details

Contents