For more information on digital certificate, visit Britannica.com.
Public key certificate
| Britannica Concise Encyclopedia: digital certificate |
| 5min Related Video: Public key certificate |
| Computer Desktop Encyclopedia: digital certificate |
The digital equivalent of an ID card used in conjunction with a public key encryption system. Also called a "digital ID," "digital identity certificate," "identity certificate" and "public key certificate," digital certificates are issued by a trusted third party known as a "certification authority" (CA) such as VeriSign www.verisign.com) and Thawte www.thawte.com).
The CA verifies that a public key belongs to a specific company or individual (the "subject"), and the validation process it goes through to determine if the subject is who it claims to be depends on the level of certification and the CA itself.
Creating the Certificate
After the validation process is completed, the CA creates an X.509 certificate that contains CA and subject information, including the subject's public key (details below). The CA signs the certificate by creating a digest (a hash) of all the fields in the certificate and encrypting the hash value with its private key. The encrypted digest is called a "digital signature," and when placed into the X.509 certificate, the certificate is said to be "signed."
The CA keeps its private key very secure, because if ever discovered, false certificates could be created. See HSM.
Verifying the Certificate
The process of verifying the "signed certificate" is done by the recipient's software, which is typically the Web browser. The browser maintains an internal list of popular CAs and their public keys and uses the appropriate public key to decrypt the signature back into the digest. It then recomputes its own digest from the plain text in the certificate and compares the two. If both digests match, the integrity of the certificate is verified (it was not tampered with), and the public key in the certificate is assumed to be the valid public key of the subject.
Then What...
At this point, the subject's identity and the certificate's integrity (no tampering) have been verified. The certificate is typically combined with a signed message or signed executable file, and the public key is used to verify the signatures (see digital signature and code signing). The subject's public key may also be used to provide a secure key exchange in order to have an encrypted two-way communications session (see SSL). See PKI.
Major Data Elements in an X.509 Certificate Version number of certificate format Serial number (unique number from CA) Certificate signature algorithm Issuer (name of CA) Valid-from/valid-to dates Subject (name of company or person certified) Subject's public key and algorithm Digital signature created with CA's private key
 |
Download Computer Desktop Encyclopedia to your iPhone/iTouch
| Wikipedia: Public key certificate |
 |
This article relies largely or entirely upon a single source. Please help improve this article by introducing appropriate citations of additional sources. (June 2009) |
In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronic document which uses a digital signature to bind together a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.
In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority (CA). In a web of trust scheme, the signature is of either the user (a self-signed certificate) or other users ("endorsements"). In either case, the signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together.
For provable security this reliance on something external to the system has the consequence that any public key certification scheme has to rely on some special setup assumption, such as the existence of a certificate authority.[1]
Certificates can be created for Unix-based servers with tools such as OpenSSL's ssl-ca.[2] or SuSE's gensslcert. Similarly, Microsoft Windows 2003 contains Certificate Authority for the creation of digital certificates. In Windows Server 2008 the capability is in Active Directory Certification Authority.
Contents |
Contents of a typical digital certificate
Serial Number: Used to uniquely identify the certificate.
Subject: The person, or entity identified.
Signature Algorithm: The algorithm used to create the signature.
Issuer: The entity that verified the information and issued the certificate.
Valid-From: The date the certificate is first valid from.
Valid-To: The expiration date.
Key-Usage: Purpose of the public key (encryption, verifying signatures, or both).
Public Key: The public key to encrypt a message to the named subject or to verify a signature from the named subject.
Thumbprint Algorithm: The algorithm used to hash the certificate.
Thumbprint: The hash itself to ensure that the certificate has not been tampered with.
Classes
VeriSign introduced the concept of classes of digital certificates[citation needed]:
- Class 1 for individuals, intended for email
- Class 2 for organizations, for which proof of identity is required
- Class 3 for servers and software signing, for which independent verification and checking of identity and authority is done by the issuing certificate authority
- Class 4 for online business transactions between companies
- Class 5 for private organizations or governmental security
Certificates and web site security
The most common use of certificates is for HTTPS-based web sites. A web browser validates that an SSL (Transport Layer Security) web server is authentic, so that the user can feel secure that their interaction with the web site has no eavesdroppers and that the web site is who it claims to be. This security is important for electronic commerce. In practice, a web site operator obtains a certificate by applying to a certificate provider with a certificate signing request. The certificate request is an electronic document that contains the web site name, contact email address, and company information. The certificate provider signs the request, thus producing a public certificate. This public certificate is served to any web browser that connects to the web site and proves to the web browser that the provider believes it has issued a certificate to the owner of the web site. Before issuing a certificate, the certificate provider will request the contact email address for the web site from a public domain name registrar, and check that published address against the email address supplied in the certificate request. Therefore, an https web site is only secure to the extent that the end user can be sure that the web site is operated by someone in contact with the person that registered the domain name.
As an example, when a user connects to https://www.example.com/ with their browser, if the browser gives no certificate warning message, then the user can be theoretically sure that interacting with https://www.example.com/ is equivalent to interacting with the entity in contact with the email address listed in the public registrar under "example.com", even though that email address may not be displayed anywhere on the web site. No other surety of any kind is implied. Further, the relationship between the purchaser of the certificate, the operator of the web site, and the generator of the web site content may be tenuous and is not guaranteed. At best, the certificate guarantees uniqueness of the web site, provided that the web site itself has not been compromised (hacked) or the certificate issuing process subverted.
See also
References
- ^ Ran Canetti: Universally Composable Signature, Certification, and Authentication. CSFW 2004, http://eprint.iacr.org/2003/239
- ^ OpenSSL: Contribution, Misc
External links
- RFC 2459 Internet X.509 Public Key Infrastructure Certificate and CRL Profile
This entry is from Wikipedia, the leading user-contributed encyclopedia. It may not have been reviewed by professional editors (see full disclaimer)
Learn More
 | digital certificate (technology) |
| code signing (technology) |
| Self-certifying key |
Help us answer these
Post a question - any question - to the WikiAnswers community:
Copyrights:
 |
 | Britannica Concise Encyclopedia. Britannica Concise Encyclopedia. © 2006 Encyclopædia Britannica, Inc. All rights reserved. Read more |
 |
| Computer Desktop Encyclopedia. THIS COPYRIGHTED DEFINITION IS FOR PERSONAL USE ONLY. All other reproduction is strictly prohibited without permission from the publisher. © 1981-2009 Computer Language Company Inc. All rights reserved. Read more |
 |
| Wikipedia. This article is licensed under the Creative Commons Attribution/Share-Alike License. It uses material from the Wikipedia article "Public key certificate". Read more |
Related answers
- What will the certificate of public enemies be?
- What is a Certificate of public convenience and necessity?
- What a public key cryptography?
ADVERTISEMENT
Answer these
- The certificates are used for preventing of spurious fake public key?
- Where can you find Paypal's public certificate?
Mentioned in
- digital certificate (technology)
- code signing (technology)
- Self-certifying key
- SSL (technology)
