@chapter Certificate authentication
@cindex certificate authentication
-@menu
-* Introduction::
-* X.509 certificates::
-* OpenPGP certificates::
-* Digital signatures::
-@end menu
-
-@node Introduction
-@section Introduction
-
The most known authentication method of @acronym{TLS} are certificates.
The PKIX @xcite{PKIX} public key infrastructure is daily used by anyone
using a browser today. @acronym{GnuTLS} supports both
@acronym{X.509} certificates @xcite{PKIX} and @acronym{OpenPGP}
certificates using a common API.
+@menu
+* X.509 certificates::
+* OpenPGP certificates::
+* Digital signatures::
+@end menu
+
@node X.509 certificates
@section @acronym{X.509} certificates
@cindex X.509 certificates
@chapter More on certificate authentication
@cindex certificate authentication
+Certificates are not the only structures involved in a public key
+infrastructure. Several other structures that are used for certificate
+requests, encrypted private keys, revocation lists, GnuTLS abstract key
+structures, etc., are discussed in this chapter.
+
@menu
* PKCS 10 certificate requests::
* PKIX certificate revocation lists::
* Managing encrypted keys::
* The certtool application::
-* Hardware tokens::
+* Smart cards and HSMs::
* Abstract key types::
@end menu
Transferring or storing private keys in plain might not be a
good idea. Any access on the keys becomes a fatal compromise.
-Storing the keys in hardware tokens (see @ref{Hardware tokens})
+Storing the keys in hardware security modules (see @ref{Smart cards and HSMs})
could solve the storage problem but it is not always practical
or efficient enough. This section describes alternative ways
that involve encryption of the private keys to store and
@end example
-@node Hardware tokens
-@section Security modules
+@node Smart cards and HSMs
+@section Smart cards and HSMs
@cindex PKCS #11 tokens
@cindex hardware tokens
@cindex hardware security modules
@cindex smart cards
-@menu
-* Introduction on security modules::
-* PKCS11 Initialization::
-* Reading objects::
-* Writing objects::
-* Using a PKCS11 token with TLS::
-* The p11tool application::
-@end menu
-
-@node Introduction on security modules
-@subsection Introduction
-In this section we present the smart-card and hardware security module support
+In this section we present the smart-card and hardware security module (HSM) support
in @acronym{GnuTLS} using @acronym{PKCS} #11 @xcite{PKCS11}. Hardware security
modules and smart cards provide a way to store private keys and perform
operations on them without exposing them. This allows decoupling cryptographic
@caption{PKCS #11 module usage.}
@end float
+@menu
+* PKCS11 Initialization::
+* Reading objects::
+* Writing objects::
+* Using a PKCS11 token with TLS::
+* The p11tool application::
+@end menu
+
@node PKCS11 Initialization
@subsection Initialization
To allow all the @acronym{GnuTLS} applications to access @acronym{PKCS} #11 tokens
and security modules that support the PKCS #11 API. It requires
individual PKCS #11 modules to be loaded either with the
@code{--provider} option, or by setting up the GnuTLS configuration
-file for PKCS #11 as in @ref{Hardware tokens}.
+file for PKCS #11 as in @ref{Smart cards and HSMs}.
@example
p11tool help
-v, --version prints the program's version number
@end example
-@menu
-* Example client PSK connection::
-@end menu
-
-@node Example client PSK connection
-@subsection Example client PSK connection
+@subheading Example client PSK connection
@cindex PSK client
To connect to a server using PSK authentication, you need to enable
-v, --version prints the program's version number
@end example
-@menu
-* Setting up a test HTTPS server::
-@end menu
-
-@node Setting up a test HTTPS server
-@subsection Setting up a test HTTPS server
+@subheading Setting up a test HTTPS server
@cindex HTTPS server
@cindex debug server