
What are Certificates?

Digital certificates are electronic credentials that are used to certify the identities of individuals, computers, and other entities on a network.

Digital certificates are similar to identification cards such as passports and ID Cards. For example, passports and ID Cards are issued by recognized government authorities, whereas digital certificates are issued by recognized certification authorities (CAs).

When someone requests a passport or ID Card, the government authority verifies the identity of the requester, certifies that the requester meets all requirements to receive the card, and then issues the card. Before a certificate can be issued, a CA or CA administrator must verify the requester's identity, determine that they meet all requirements to receive the certificate, and then issue the certificate.

Like an identification card such as an ID Card or passport, a digital certificate can be used to verify the identity of its owner. When the certificate is presented to others, it allows them to identify its owner.

A certificate typically contains:

  • Personal information that helps identify the owner.
  • The signature of the issuing authority. For digital certificates, the issuing authority is the CA.
  • Information needed to identify and contact the issuing authority.

In addition, the quality of a certificate is enhanced if it:

  • Is designed to be tamper-resistant and difficult to counterfeit.
  • Is issued by an authority that can revoke the certificate at any time (for example, if the employee to whom the certificate was issued is no longer employed by the organization).
  • Can be checked for revocation by contacting the issuing authority.

Uses of Certificates

Private and public networks are being used with increasing frequency to communicate sensitive data and complete critical transactions. This has created a need for greater confidence in the identity of the person, computer, or service on the other end of the communication. In addition, these valuable communications must be protected while they are on the network. Although accounts and passwords provide a certain level of assurance in the identity of the entity on the other end of the network, they offer little or no protection while data is in transit. In comparison, digital certificates and public key encryption provide an enhanced level of authentication and privacy to digital communications.

Certificates and certificate services from several vendors are being used to strengthen the security of a variety of applications and user scenarios. CERN Certificate Services make possible strong security based on public key encryption that can enhance a variety of internal and external applications, including:

  • Authentication.
  • Encryption.
  • Data integrity.

Authentication

Authentication is crucial to secure and reliable communication. Each party to a communication must be able to prove their own identity to those with whom they communicate, and in turn must be able to verify the identity of the parties at the other end of the communication.

This process can be challenging when both parties are in the same location. Authentication of identity on a network can be even more difficult because the communicating parties do not physically meet as they communicate. This makes it potentially easier for an unethical person to intercept messages that are meant to be private or to pretend that they are another person or entity.

Digital certificates and public key encryption provide an enhanced means of verifying identity, which makes it difficult for an entity to impersonate another entity. Digital certificates help verify identity because the data in a certificate includes the public cryptographic key from the certificate subject's public and private key pair. A message signed with its sender's private key can be verified by the message's recipient as authentic by using the sender's public key, which can be found on a copy of the sender's certificate. Verifying a signature by using a public key from a certificate proves that the signature was produced using the certificate subject's private key. If the sender has been vigilant and has kept the private key secret, the receiver can be confident in the identity of the message sender.
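The check described above, as an added Go example that is not part of the original page: a constructed CA issues a certificate to a constructed subject `alice`, and `Authentic` accepts a message only when the certificate chains to the trusted CA and the signature verifies under the public key carried in the certificate. All names, keys and messages are assumptions made for the illustration, and Ed25519 is used only to keep the code short.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue binds cn to pub in a certificate signed with caKey; a nil ca yields a self-signed root.
func issue(cn string, pub ed25519.PublicKey, ca *x509.Certificate, caKey ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if ca == nil { // self-signed: the certificate is its own issuer
		t.IsCA, t.BasicConstraintsValid, ca = true, true, t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, ca, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Authentic reports whether cert chains to a trusted root and sig over msg verifies with its key.
func Authentic(roots *x509.CertPool, cert *x509.Certificate, msg, sig []byte) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots}) // chain must end at a trusted CA
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return err == nil && ok && ed25519.Verify(pub, msg, sig)
}

func Demo() (genuine, tampered, untrusted bool) { // names, keys and message are constructed
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, aliceKey, _ := ed25519.GenerateKey(rand.Reader)
	ca, roots := issue("Example CA", caPub, nil, caKey), x509.NewCertPool()
	roots.AddCert(ca)
	alice, selfSigned := issue("alice", alicePub, ca, caKey), issue("alice", alicePub, nil, aliceKey)
	msg := []byte("transfer approved")
	sig := ed25519.Sign(aliceKey, msg)
	return Authentic(roots, alice, msg, sig), Authentic(roots, alice, []byte("transfer denied"), sig),
		Authentic(roots, selfSigned, msg, sig) // only the first holds
}

func main() { fmt.Println(Demo()) }
```

The third case carries a valid signature but is rejected, because the self-signed certificate was not issued by a CA the verifier trusts.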

A few of the ways certificates are used to provide authentication are:

  • Authentication of a user to a secure Web site via the Transport Layer Security (TLS) or the Secure Sockets Layer (SSL) protocol.
  • Authentication of a server to a user via TLS.
  • Logging on to a Windows Server 2003 domain (NICE Authentication).
  • Authentication of a client on a wireless network.
  • Authentication of a client across the Internet to create a virtual private network (VPN).
  • Internet Protocol security (IPSec).

Encryption

Communications over a network, such as the Internet, are subject to possible monitoring by unknown and, perhaps, malicious users. Public networks are treacherous for unencrypted sensitive information because anyone can access the network and analyze the data being transmitted between two points. Even private local area networks (LANs) are vulnerable to determined efforts by intruders to acquire physical access to the network. Consequently, if sensitive information is transmitted between computing devices on any type of network, users will almost certainly want to use some sort of encryption to keep their data private.

Encryption is the process of disguising a message or data in such a way as to hide its substance. It can be thought of as locking something valuable into a strongbox with a key. Conversely, decryption can be compared to opening the box and retrieving the valuable item. On computers, sensitive data in the form of e-mail messages, files on a disk, and files being transmitted across the network can be encrypted by using a key. Encrypted data and the key used to encrypt data are both unintelligible.

Public key encryption is not used to encrypt large amounts of data; instead, data is typically protected with a secret key, and that secret key in turn is encrypted with the public key of the recipient of the data. The encrypted secret key is then transmitted to the recipient along with the encrypted data. The recipient uses their private key to decrypt the secret key. The secret key is then used to decrypt the message itself.
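The scheme in the paragraph above, as an added Go example that is not part of the original page: `Seal` encrypts the data with a fresh secret key and encrypts that secret key with the recipient's public key, and `Open` reverses both steps. AES-256-GCM, RSA-OAEP, the key names and the message are assumptions chosen for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

func gcm(secret []byte) cipher.AEAD { // callers pass exactly 32 bytes, so neither call can fail
	block, _ := aes.NewCipher(secret)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Seal encrypts data with a fresh secret key, then encrypts that key with the recipient's public key.
func Seal(recipient *rsa.PublicKey, data []byte) (wrappedKey, sealed []byte, err error) {
	buf := make([]byte, 32+12) // fresh AES-256 secret key followed by a GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	secret, nonce := buf[:32], buf[32:]
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, secret, nil)
	return wrappedKey, gcm(secret).Seal(nonce, nonce, data, nil), err // nonce || ciphertext
}

// Open recovers the secret key with the recipient's private key and decrypts the data with it.
func Open(priv *rsa.PrivateKey, wrappedKey, sealed []byte) ([]byte, error) {
	secret, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil || len(secret) != 32 || len(sealed) < 12 {
		return nil, errors.New("not addressed to this key, or malformed")
	}
	return gcm(secret).Open(nil, sealed[:12], sealed[12:], nil) // fails if the data was altered
}

func Demo() (recovered string, otherKeyRefused bool) { // constructed keys and message
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	key, sealed, _ := Seal(&bob.PublicKey, []byte("quarterly results"))
	plain, _ := Open(bob, key, sealed)
	_, err := Open(other, key, sealed)
	return string(plain), err != nil
}

func main() { fmt.Println(Demo()) }
```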

Certificates enable privacy for data that is transmitted using a number of different methods. Some of the commonly used privacy-enabling protocols that use certificates are:

  • Secure Multipurpose Internet Mail Extensions (S/MIME).
  • TLS.
  • Encrypting File System (EFS).

Data Integrity

An increasing number of digital documents require strong evidence that the data has not been altered since it was signed and confirmation of the identity of the person or entity who signed the data. A digital signature helps ensure the integrity and origin of data, which are essential for secure e-commerce transactions.

Digital signatures are typically used when data is distributed in plaintext, or unencrypted, form. In these cases, although the sensitivity of the message itself might not warrant encryption, there could be a compelling reason to ensure that the data is in its original form and has not been sent by an impostor. In a distributed computing environment, plaintext can conceivably be read or altered by anyone on the network who has access to it, whether authorized or not.

Created: 10/12/2015
Last reviewed: 11/2/2015