X.509 Self Signed Certificates

Question

I'm trying to understand more about X.509 Digital Certificates. There seems to be lots of contradiction around. I am using Bouncy Castle to generate a key pair, using

public static void SaveToFile(X509Certificate newCert, AsymmetricCipherKeyPair kp, string filePath, string certAlias, string password)
{
    var newStore = new Pkcs12Store();
    var certEntry = new X509CertificateEntry(newCert);
    newStore.SetCertificateEntry(certAlias, certEntry);
    newStore.SetKeyEntry(certAlias, 
          new AsymmetricKeyEntry(kp.Private), new[] { certEntry });

    using (var certFile = File.Create(filePath))
        newStore.Save(certFile, password.ToCharArray(), new SecureRandom(new CryptoApiRandomGenerator()));
}

This saves the generated certificate to disk. Some articles tell us there is no need to password protect the certificate as there is no PRIVATE KEY stored in there. Then this article says the certificate does indeed contain the PRIVATE KEY.

I guess I have two questions that will hopefully help me understand this:

1. If I generate my keys in this way, should the password be the SAME as the passphrase for the PRIVATE KEY?
2. Do I distribute the X.509 certificate to prove the PUBLIC KEY is mine (being paired to my name in the certificate) or should the certificate be kept as safe and secret as the PRIVATE KEY and what use is a self-signed certificate?

Answer 1

A PKCS#12 file can contain both the certificate and the private key. They are, however, stored as separate, distinct objects. The certificate itself has the public key embedded within it. Since the certificate only contains the public key, it is considered "public" as well. You can feel free to distribute the certificate, as it does not contain the private key, which should be kept confidential. This is the basis of the security in asymmetric cryptography.

Because a PKCS#12 file contains both items, it is encrypted with a password to protect the private key within it. That said, you would use the private key to prove that the certificate you distribute belongs to you. For example, through the use of a digital signature on a document.

Hope that helps!

Answer 2

Certificate is actually the block of information which binds your identity (i.e. your name, email, whatever else) to some public key. It is public so everyone can know that this key belongs to you. So when you will sign something they will know that actually you signed this. The other thing is validating certificate - that's for what trusted root certificates are used.

Private key is your own secret information, and MUST be kept secret.