Security.com

digital certificate

By Mary E. Shacklett

What is a digital certificate?

A digital certificate, also known as a public key certificate, is used to cryptographically link ownership of a public key with the entity that owns it. Digital certificates are for sharing public keys to be used for encryption and authentication.

Digital certificates include the public key being certified, identifying information about the entity that owns the public key, metadata relating to the digital certificate and a digital signature of the public key the certificate issuer created.

The distribution, authentication and revocation of digital certificates are the primary functions of the public key infrastructure (PKI), the system that distributes and authenticates public keys.

Public key cryptography depends on key pairs: one private key to be held by the owner and used for signing and decrypting and one public key that can be used for encrypting data sent to the public key owner or authenticating the certificate holder's signed data. The digital certificate enables entities to share their public key so it can be authenticated.

Digital certificates are used in public key cryptography functions most commonly for initializing Secure Sockets Layer (SSL) connections between web browsers and web servers. Digital certificates are also used for sharing keys used for public key encryption and authentication of digital signatures.

All major web browsers and web servers use digital certificates to provide assurance that unauthorized actors have not modified published content and to share keys for encrypting and decrypting web content. Digital certificates are also used in other contexts, online and offline, for providing cryptographic assurance and data privacy.

Digital certificates that are supported by mobile operating environments, laptops, tablet computers, internet of things (IoT) devices, and networking and software applications help protect websites, wireless networks and virtual private networks.

How are digital certificates used?

Digital certificates are used in the following ways:

As cyberthreats increase, more companies are considering attaching digital certificates to all of the IoT devices that operate at the edge and within their enterprises. The goals are to prevent cyberthreats and protect intellectual property.

Who can issue a digital certificate?

An entity can create its own PKI and issue its own digital certificates, creating a self-signed certificate. This approach might be reasonable when an organization maintains its own PKI to issue certificates for its own internal use. But certificate authorities (CAs) -- considered trusted third parties in the context of a PKI -- issue most digital certificates. Using a trusted third party to issue digital certificates enables individuals to extend their trust in the CA to the digital certificates it issues.

Digital certificates vs. digital signatures

Public key cryptography supports several different functions, including encryption and authentication, and enables a digital signature. Digital signatures are generated using algorithms for signing data so a recipient can irrefutably confirm the data was signed by a particular public key holder.

Digital signatures are generated by hashing the data to be signed with a one-way cryptographic hash; the result is then encrypted with the signer's private key. The digital signature incorporates this encrypted hash, which can only be authenticated, or verified, by using the sender's public key to decrypt the digital signature and then running the same one-way hashing algorithm on the content that was signed. The two hashes are then compared. If they match, it proves that the data was unchanged from when it was signed and that the sender is the owner of the public key pair used to sign it.

A digital signature can depend on the distribution of a public key in the form of a digital certificate, but it is not mandatory that the public key be transmitted in that form. However, digital certificates are signed digitally, and they should not be trusted unless the signature can be verified.

What are the different types of digital certificates?

Web servers and web browsers use three types of digital certificates to authenticate over the internet. These digital certificates are used to link a web server for a domain to the individual or organization that owns the domain. They are usually referred to as SSL certificates even though the Transport Layer Security protocol has superseded SSL. The three types are the following:

  1. Domain-validated (DV) SSL certificates offer the least amount of assurance about the holder of the certificate. Applicants for DV SSL certificates need only demonstrate that they have the right to use the domain name. While these certificates can ensure the certificate holder is sending and receiving data, they provide no guarantees about who that entity is.
  2. Organization-validated (OV) SSL certificates provide additional assurances about the certificate holder. They confirm that the applicant has the right to use the domain. OV SSL certificate applicants also undergo additional confirmation of their ownership of the domain.
  3. Extended validation (EV) SSL certificates are issued only after the applicant proves their identity to the CA's satisfaction. The vetting process verifies the existence of the entity applying for the certificate, ensures that identity matches official records and is authorized to use the domain, and confirms that the domain owner has authorized issuance of the certificate.

The exact methods and criteria CAs follow to provide these types of SSL certificates for web domains is evolving as the CA industry adapts to new conditions and applications.

There are also other types of digital certificates used for different purposes:

Digital certificate benefits

Digital certificates provide the following benefits:

Digital certificate limitations

Some limitations of digital certificates include the following:

Learn how timing attacks can be used to crack encryption keys.

23 Sep 2021

All Rights Reserved, Copyright 2000 - 2024, TechTarget | Read our Privacy Statement