Digital Certificates Explained

Digital Certificates Explained

A digital certificate is a digital form of identification, like a passport. A digital certificate provides information about the identity of an entity. A digital certificate is issued by a Certification Authority (CA). Examples of trusted CA across the world are Verisign, Entrust, etc. The CA guarantees the validity of the information in the certificate.

In Understanding Digital Signatures article, it was assumed that the receiver knows the Public Key of the sender. In fact, the issue of distributing Public Key is massive, because the Public Key should be distributed in a scalable way as well as be trusted as the true Public Key of the sender. These problems are solved when a user obtains another user's Public Key from the digital certificate.

Public Key Infrastructure (PKI) consists of protocols, standards and services, that allows users to authenticate each other using digital certificates that are issued by CA. For a digital certificate to be useful, it has to be structured in a standard way so that information within the certificate can be retrieved and understood regardless of who issued the certificate. The X.509, PKI X.509 and Public Key Cryptography Standards (PKCS) are the building blocks a PKI system that defines the standard formats for certificates and their use.

A typical X.509 standard digital certificate has following format-

The Process of Obtaining a Digital Certificate

The following diagram shows the process of obtaining a Digital Certificate from a CA.

1. Generate Key-pair: User-A generates a Public and Private key-pair or is assigned a key-pair by some authority in their organization.

2. Request CA Certificate: User-A first requests the certificate of the CA Server.

3. CA Certificate Issued: The CA responds with its Certificate. This includes its Public Key and its Digital Signature signed using its Private Key.

4. Gather Information: User-A gathers all information required by the CA Server to obtain its certificate. This information could include User-A email address, fingerprints, etc. that the CA needs to be certain that User-A claims to be who she is.

5. Send Certificate Request: User-A sends a certificate request to the CA consisting of her Public Key and additional information. The certificate request is signed by CA's Public Key.

6. CA verifies User-A: The CA gets the certificate request, verifies User-A's identity and generates a certificate for User-A, binding her identity and her Public Key. The signature of CA verifies the authenticity of the Certificate.

7. CA issues the Certificate: The CA issues the certificate to User-A.