Digital Certificates: A Beginner’s Guide
Digital certificates, also known as public key certificates, are electronic documents that help establish trust online by verifying the identity of individuals, computers, and organizations. They enable secure electronic transfer of information and provide proof of identity in electronic transactions.
Key Takeaways
- Digital certificates are used for online identification and authentication. They help establish trust between two parties.
- Certificates contain identity details like name, email, organization, location, etc., along with a public key.
- The certificate is digitally signed by a Certificate Authority (CA) like Sectigo, DigiCert, GlobalSign, etc. This verifies the identity of the certificate holder.
- Certificates secure communications and transactions through SSL/TLS protocols. The public key encrypts data that can only be decrypted by the private key holder.
- Certificates are used to establish secure connections to websites (HTTPS), sign emails, secure documents, verify software and more.
- Different types of certificates serve different purposes, such as domain validation, organization validation, extended validation, and code signing.
- The validity period of certificates ranges from a few months to multiple years. Certificates need to be renewed before expiry to maintain trust.
How Do Digital Certificates Work?
Digital certificates establish trust through a framework called Public Key Infrastructure (PKI). This involves generating a public/private cryptographic key pair and issuing a certificate that binds the public key to the holder’s identity. Here are the steps:
- The certificate applicant generates a key pair consisting of a public and private key through software like OpenSSL.
- The applicant provides identity details to the Certificate Authority (CA) along with the public key.
- The CA verifies the identity of the applicant through appropriate checks.
- The CA issues a digital certificate containing the applicant’s identity details and their public key.
- The certificate is digitally signed with the CA’s private key to prove they verified the applicant’s identity.
- The applicant can now share their certificate containing the public key freely.
- The applicant keeps the private key secure. It is used to decrypt data encrypted with the public key.
- Relying parties can verify the certificate signature with the CA’s public key to authenticate the certificate holder’s identity.
- The public key in the certificate can then be used to exchange information with the certificate holder securely.
What Information Does a Digital Certificate Contain?
A digital certificate is an electronic document that contains identity details about an entity along with its public key. The standard fields in a digital certificate include:
- Subject: This contains identity information like the common name (domain name, organization name, or individual’s name), organization unit, organization name, locality, state, country, etc.
- Issuer: The name of the Certificate Authority that issued the certificate.
- Serial number: A unique serial number assigned to the certificate by the CA.
- Validity: Certificates are valid only for a specific period mentioned by start and end dates.
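- Public key: The entity’s public key, which others can use to encrypt data for that entity.
- Signature algorithm: The algorithm the CA used to sign the certificate, identified by its hash function, such as SHA-1 or SHA-256. SHA-1 signatures are no longer accepted by modern browsers, so current certificates use SHA-256 or stronger.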
- Signature: The digital signature added by the CA to verify the authenticity of the certificate.
Some additional fields may include:
- Subject Alternative Name: Other identities like DNS names, IP addresses, email, etc.
- Key Usage: Permitted uses for the public key, such as web server authentication, email signing, etc.
- Extended Key Usage: Additional key usage scenarios like client authentication, code signing, etc.
- Certificate Policies: Policies under which the certificate was issued.
- Authority Information Access: Details on how to access information on the issuing CA.
What are the Different Types of Digital Certificates?
There are different types of digital certificates suited for various purposes:
Domain Validation Certificates
DV SSL certificates validate the certificate applicant’s ownership of a domain name. The validation process is quick and simple, requiring the applicant to demonstrate control over the domain.
Common uses include encrypting websites and securing basic online transactions. Examples include basic SSL certificates from CAs.
Organization Validation Certificates
OV SSL certificates provide a baseline validation of the organization identity claimed by the applicant.
The CA verifies details such as the legal entity’s name, address, status, etc., through official business documents and trusted databases.
They are used for encrypting sites, S/MIME email security, document signing, etc. Example: Symantec Organization Validation (OV) certificate.
Extended Validation Certificates
EV SSL certificates involve a thorough verification process to confirm the legal, operational, and physical existence of the requesting organization. EV SSL certificates are mostly used for e-commerce and high-assurance sites transmitting sensitive data. They are more costly than OV and DV certificates.
Code Signing Certificates
A code signing certificate is used to sign software such as apps, drivers, plugins, and executables to prove who authored the software and to guarantee the code has not been tampered with after release. This is useful for countering malware.
Client Certificates
These certificates are installed on client devices/browsers to authenticate users to a server, i.e., client authentication. They may be used alongside server certificates for mutual authentication.
S/MIME Certificates
S/MIME certificates are used for encrypting, decrypting, and digitally signing emails to ensure confidentiality, integrity, and sender authenticity. They can be individual or organizational certificates.
Device Certificates
Specialized certificates are installed on IoT devices to identify device attributes and enable secure machine-to-machine communication. They make it possible to authenticate devices on the Internet of Things.
What is a Self-Signed Certificate?
A self-signed certificate is signed by its creator rather than a trusted CA. It does not provide reliable identity assurance since the entity that issued the certificate is also its subject.
Self-signed certificates are mostly suitable for internal or testing environments. They are prone to man-in-the-middle attacks in production environments.
Some uses include:
- Testing certificate functionality in development environments
- Securing internal communications and preserving privacy
- Temporary certificates until official CA-signed ones are issued
- Certain devices and platforms that only support self-signed certificates
What is a Root Certificate?
A root certificate is a self-signed certificate representing the top-most level of trust in a CA hierarchy. All certificates issued by the CA will chain up to the root certificate.
Root certificates belong to root certificate authorities like Verisign, DigiCert, GoDaddy, and GlobalSign, which are trusted by browsers and operating systems.
By installing root certificates of trusted CAs in software, users can automatically verify certificates issued by those CAs. Root certificates require highly secure storage, and their private keys are not usually used for direct signing.
What is a Certificate Chain of Trust?
A certificate chain establishes a chain of trust from a peer certificate to the root CA certificate. It allows relying parties to verify the validity of a certificate even if they don’t know the issuing CA directly.
It works as follows:
- A CA issues a certificate binding a public key to the subscriber’s identity
- The certificate is signed with the issuing CA’s private key
- The issuing CA itself has a certificate issued and signed by a higher-level CA
- This creates a certificate chain, where each certificate is signed by the certificate above it
- At the top is the root CA certificate, which is self-signed
- Browsers and apps contain root CA certificates from trusted providers
- They can traverse this chain of certificates to the root and verify the connection
If any signature validation fails, the chain of trust breaks, and the certificate cannot be trusted.
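The issuance steps under “How Do Digital Certificates Work?” and the chain traversal described above, run end to end with OpenSSL. This is an added example, not part of the original article; the names (Demo Root CA, Demo Issuing CA, www.example.test), file names and the 90-day lifetime are constructed for illustration.

```shell
#!/bin/sh
# Added example. All names (Demo Root CA, www.example.test) are constructed.

# issue NAME SUBJECT EXT_SECTION [ISSUER]: create a key pair and CSR for NAME,
# then a certificate signed by ISSUER, or self-signed when ISSUER is omitted.
issue() {
    name=$1 subj=$2 ext=$3 issuer=$4
    openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
        -out "$name.csr" -subj "$subj" 2>/dev/null || return 1
    if [ -n "$issuer" ]; then
        signer="-CA $issuer.crt -CAkey $issuer.key -CAcreateserial"
    else
        signer="-signkey $name.key"
    fi
    # $signer is left unquoted on purpose so it splits into separate options.
    openssl x509 -req -in "$name.csr" $signer -days 90 -sha256 \
        -extfile ext.cnf -extensions "$ext" -out "$name.crt" 2>/dev/null
}

# build_chain DIR: root CA -> issuing (intermediate) CA -> server certificate,
# plus an impostor CA that reuses the issuing CA's name with a different key.
build_chain() (
    cd "$1" || exit 1
    printf '%s\n' '[ca]' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' '[leaf]' \
        'basicConstraints=CA:FALSE' \
        'subjectAltName=DNS:www.example.test' > ext.cnf
    issue root '/CN=Demo Root CA' ca &&
    issue inter '/CN=Demo Issuing CA' ca root &&
    issue leaf '/CN=www.example.test' leaf inter &&
    issue fake '/CN=Demo Issuing CA' ca &&
    issue forged '/CN=www.example.test' leaf fake
)

# check DIR LEAF [INTERMEDIATE]: relying-party check. Only root.crt is trusted;
# the intermediate is untrusted input that must itself chain to the root.
check() (
    cd "$1" || exit 1
    openssl verify -CAfile root.crt ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
)

DEMO_DIR=$(mktemp -d) && build_chain "$DEMO_DIR"
check "$DEMO_DIR" leaf.crt inter.crt   && echo "leaf + intermediate: trusted"
check "$DEMO_DIR" leaf.crt             || echo "leaf alone: rejected"
check "$DEMO_DIR" forged.crt inter.crt || echo "forged leaf: rejected"
```

The second check fails because the relying party cannot build a path to the root without the intermediate; the third fails because a matching issuer name is not enough when the signature was made with a different key.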
What is an Intermediate Certificate?
Intermediate certificates are certificates issued and signed by a trusted root CA to subordinate CAs beneath them.
The subordinate CAs can then issue certificates to entities and end-users that chain up to the intermediate certificates.
Using intermediate certificates reduces the workload for the root CAs and limits the exposure of root CA keys by shifting the actual certificate issuance process to the intermediates.
Some common reasons for using intermediate certificates:
- Compartmentalize Sub-CAs: Intermediates allow certificate issuance to be divided across subsidiaries, partners, geographies, etc.
- Revoke Intermediates: Intermediates can be revoked without affecting the root CA or other intermediates.
- Limit Root Exposure: The root CA keys can be kept offline and never used for direct signing.
- Cross-sign Subsidiary CAs: Intermediates allow different root CAs to cross-sign each other’s sub-CAs for wider trust.
How are Digital Certificates Issued?
The certificate issuance process involves the following primary steps:
Application Submission
The applicant generates their public/private key pair and creates a Certificate Signing Request (CSR) containing their identity details and the public key. This CSR is submitted to the CA through their certificate issuance process.
Some ways CSRs are generated and submitted include:
- Using the key generation tools on the CA website and pasting the CSR into the certificate request form
- Downloading and using the CA’s CSR creation software to generate and submit the CSR
- Using open source tools like OpenSSL to generate the CSR locally and submitting it via the CA’s API or upload form
- Having the CSR generated on a hardware security module (HSM) if the private key needs higher security
- Using installation agents provided by the CA that can generate and submit the CSR automatically, for certificates on web servers
The CSR contains the applicant’s details like Common Name, Organization, Country, etc. The CA will verify whether these details match the authenticated identity of the applicant.
Identity Verification
The Certificate Authority will undertake identity verification steps to validate that the entity requesting the certificate is who it claims to be. The extent of vetting depends on the certificate type.
For Extended Validation certificates, thorough offline and online checks verify the legal, operational, and physical existence of the applicant organization.
For Domain Validated certificates, automated checks like validating domain ownership records, email addresses, and WHOIS records suffice.
For personal certificates, checks like government IDs, address proof, email verification, telephone verification, etc., are done. CAs have differing verification requirements depending on the product.
Certificate Issuance
After the applicant’s identity is verified, the CA issues the certificate containing the details submitted in the CSR along with standard certificate fields like validity period, issuer details, serial number, etc.
The certificate is digitally signed using the CA’s private key to attest the binding between the subject’s identity and their public key.
The applicant can download the issued certificate and have technical staff install it on their servers, devices, or systems. This enables relying parties to authenticate and communicate securely with the certificate owner.
Installation
The certificate holder installs the digital certificate and corresponding private key on their infrastructure, such as web servers, client devices, firewalls, VPNs, code signing platforms, etc.
This enables relying parties to authenticate and securely communicate with the certificate holder using the installed certificate.
Renewal
Digital certificates have a validity period ranging from a few months to multiple years. Once a certificate is nearing expiration, it must be renewed to maintain trust and ensure there is no disruption to secure services.
The SSL renewal process often involves reusing the existing verified identity details and generating a new key pair and certificate. CAs may revalidate credentials periodically for Extended Validation certificates.
Automated certificate lifecycle management can ease renewal before certificates expire. Letting a certificate expire disrupts the services that rely on it until an updated certificate is installed.
How is a Digital Certificate Revoked?
Certificate revocation is the process of prematurely terminating a certificate’s operational period before it expires. It is done when the certificate is deemed invalid prior to expiry.
Common revocation scenarios include:
- The certificate holder’s private key is compromised or suspected to be compromised
- The device containing the certificate is lost or stolen
- Details in the certificate, like identity or domain name, are changed
- The system administrator detects misuse of the certificate
- The certificate holder forgets to renew the certificate, disrupting the expiry
- The certificate holder violates the terms and conditions of certificate usage
- The Certificate Authority determines the certificate was erroneously issued
The certificate holder or issuing CA publishes the revoked certificate’s serial number in a Certificate Revocation List (CRL). Relying parties can check the CRL to verify that certificates have not been revoked.
The Online Certificate Status Protocol (OCSP) also allows real-time verification of certificate validity. Browsers and apps check OCSP responders to identify revoked certificates and prevent their usage.
How Do Digital Certificates Expire?
Every digital certificate has a validity period ranging from a few months to a few years, as determined by the issuing Certificate Authority (CA). This validity period is specified in the certificate using “Not Before” and “Not After” dates.
When a certificate’s “Not After” date passes, the certificate expires automatically. An expired certificate should not be trusted or used to establish secure sessions.
On expiration, the binding between the subject’s identity and the public key provided by the certificate is no longer considered valid. Secure communications relying on the certificate for security will fail.
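One way to watch the “Not After” date so that renewal happens before expiry, using OpenSSL’s `-checkend` option. This is an added example, not part of the original article; the inventory directory, the certificate names and the 30-day warning threshold are constructed assumptions.

```shell
#!/bin/sh
# Added example; certificate names and lifetimes are constructed.

# cert_status CERT WARN_DAYS: print unreadable, expired, renew or ok.
# "openssl x509 -checkend N" exits non-zero when Not After is within N seconds.
cert_status() {
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo unreadable              # not a parseable certificate
    elif ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$1" -noout \
            -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo renew
    else
        echo ok
    fi
}

# report DIR WARN_DAYS: one line per *.crt file; exit status 1 if any is not ok.
report() {
    rc=0
    for c in "$1"/*.crt; do
        s=$(cert_status "$c" "$2")
        end=$(openssl x509 -in "$c" -noout -enddate 2>/dev/null)
        printf '%-10s %-28s %s\n' "$s" "${end#notAfter=}" "${c##*/}"
        [ "$s" = ok ] || rc=1
    done
    return $rc
}

# Constructed inventory: a 365-day certificate, a 10-day one and a corrupt file.
mkcert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
        -subj "/CN=${1##*/}.example.test" -days "$2" 2>/dev/null
}
INV_DIR=$(mktemp -d)
mkcert "$INV_DIR/web" 365
mkcert "$INV_DIR/vpn" 10
echo 'not a certificate' > "$INV_DIR/junk.crt"
report "$INV_DIR" 30 || echo "action needed before expiry"
```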
The reasons behind limited validity periods for certificates include:
- Limit the window for identity compromise in case private keys are stolen
- Force periodic revalidation and identity checks for extended validation certificates
- Ensure certificates adopt new cryptography standards over time
- Provide ongoing revenue for CAs through renewal fees
- Reduce the impact of certificates obtained fraudulently or erroneously
- Mitigate the consequences of broken cryptography, like factoring improvements
Why are Digital Certificates Important?
Digital certificates are a crucial element enabling trust and security on the internet. Here are some reasons why certificates are important:
- Secure Websites: Certificates enable HTTPS and SSL/TLS to authenticate websites and encrypt connections, preventing eavesdropping and tampering. This protects sensitive user data.
- Email Security: S/MIME encryption uses certificates to secure emails. Signing certificates also validate the email sender’s authenticity.
- Document Security: Signing documents like contracts electronically with certificates enables tamper-detection and non-repudiation.
- Software Verification: Code signing certificates verify software integrity and authenticate developers, protecting users from malware.
- User Authentication: Client certificates enable strong multi-factor authentication for user login and access control.
- IoT Security: Device identity certificates help mitigate IoT cybersecurity risks through authentication and authorization.
- Securing VPN: Certificates secure VPN tunnels, allowing remote users to access organizational resources securely.
- Financial Transactions: PKI helps enable secure online banking, trading, and financial transactions, preventing fraud.
Final Thoughts
Digital certificates play a crucial role in enabling trust in online identity and securing information. Understanding PKI and the different types of certificates can help individuals and organizations deploy certificates effectively for website security, email encryption, document signing, client authentication, and more.
With prevalent cyber threats and surveillance, properly managing certificates provides indispensable cryptographic assurances vital for any organization.
Priya Mervana
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.