Digital Certificates Explained
A digital certificate is a digital form of identification, like a passport. A digital certificate provides information about the identity of an entity. A digital certificate is issued by a Certification Authority (CA). Examples of trusted CA across the world are Verisign, Entrust, etc. The CA guarantees the validity of the information in the certificate.
In¬†Understanding Digital Signatures¬†article, it was assumed that the receiver knows the Public Key of the sender. In fact, the issue of distributing Public Key is massive, because the Public Key should be distributed in a scalable way as well as be trusted as the true Public Key of the sender. These problems are solved when a user obtains another user’s Public Key from the digital certificate.
Public Key Infrastructure (PKI)¬†consists of protocols, standards and services, that allows users to authenticate each other using digital certificates that are issued by CA. For a digital certificate to be useful, it has to be structured in a standard way so that information within the certificate can be retrieved and understood regardless of who issued the certificate. The¬†X.509, PKI X.509¬†and¬†Public Key Cryptography Standards (PKCS)¬†are the building blocks a PKI system that defines the standard formats for certificates and their use.
A typical X.509 standard digital certificate has following format-
The Process of Obtaining a Digital Certificate
The following diagram shows the process of obtaining a Digital Certificate from a CA.
1. Generate Key-pair:¬†User-A generates a Public and Private key-pair or is assigned a key-pair by some authority in their organization.
2. Request CA Certificate:¬†User-A first requests the certificate of the CA Server.
3. CA Certificate Issued:¬†The CA responds with its Certificate. This includes its Public Key and its Digital Signature signed using its Private Key.
4. Gather Information:¬†User-A gathers all information required by the CA Server to obtain its certificate. This information could include User-A email address, fingerprints, etc. that the CA needs to be certain that User-A claims to be who she is.
5. Send Certificate Request:¬†User-A sends a certificate request to the CA consisting of her Public Key and additional information. The certificate request is signed by CA’s Public Key.
6. CA verifies User-A:¬†The CA gets the certificate request, verifies User-A’s identity and generates a certificate for User-A, binding her identity and her Public Key. The signature of CA verifies the authenticity of the Certificate.
7. CA issues the Certificate:¬†The CA issues the certificate to User-A.