Digital Certificate

Digital certificates are files incorporating user identity information, certifying authority information, a public key, and a digital signature.

All of the elements needs to orchestrate the deployment of digital certificates are called public key infrastructure (PKI). The X.509 standard of the ITU-T specifies PKI requirements. Although digital certificates can be self-generated by any entity, the more typical model is for certificates to be furnished by one of several certificate authorities (CA). This creates a situation in which the identity of a certificate holder is assured by a neutral third party. Essential steps in the creation and deployment of digital certificates include:

1. An entity applies to a CA.
2. The applicant sends documents for proof of identity.
3. The applicant creates a public/private key pair.
4. The applicant sends the public key to the CA.
5. The CA assembles the applicant's identity information, other information (like certificate expiration date), and the applicant's public key. This is the certificate.
6. A digital signature of the certificate is made with the CA's private key, from a public/private key pair managed by the CA.
7. The CA's digital signature is appended to the certificate.
8. The CA's public key is widely distributed so as to be well known.

Anyone wishing to check the validity of the certificate can use the CA's public key to verify that the certificate was issued by the CA. In effect then, any question of trusting the certificate owner is been pushed back one level, making the new operative trust question, how reliable is the CA?

References:

http://support.microsoft.com/kb/195724

http://www.verisign.com.au/repository/tutorial/digital/intro1.shtml