Digital Certificate – Attachment to an electronic message used for security purposes. The most common use is to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply.
A digital certificate, also known as a public key certificate, is used to cryptographically link ownership of a public key with the entity that owns it. Digital certificates are for sharing public keys to be used for encryption and authentication. Digital certificates include the public key being certified, identifying information about the entity that owns the public key, metadata relating to the digital certificate and a digital signature of the public key created by the issuer of the certificate.
The distribution, authentication and revocation of digital certificates are the primary purposes of the public key infrastructure (PKI), the system by which public keys are distributed and authenticated.
Public key cryptography depends on key pairs: one a private key to be held by the owner and used for signing and decrypting, and one a public key that can be used for encryption of data sent to the public key owner or authentication of the certificate holder’s signed data. The digital certificate enables entities to share their public key in a way that can be authenticated.
Digital certificates are used in public key cryptography functions; they are most commonly used for initializing secure SSL connections between web browsers and web servers. Digital certificates are also used for sharing keys to be used for public key encryption and authentication of digital signatures.
Digital certificates are used by all major web browsers and web servers to provide assurance that published content has not been modified by any unauthorized actors, and to share keys for encrypting and decrypting web content. Digital certificates are also used in other contexts, both online and offline, for providing cryptographic assurance and privacy of data.
Who can issue a digital certificate
While it is possible for an entity to create its own PKI and issue its own digital certificates — and in some cases this approach might be reasonable, for example when an organization maintains its own PKI to issue certificates for its own internal use — the vast majority of digital certificates are issued by a certificate authority (CA). CAs are considered trusted third parties in the context of a PKI; using a trusted third party to issue digital certificates enables individuals to extend their trust in the CA to the trustworthiness of the digital certificates that it issues.
Difference between digital certificate and digital signature
Public key cryptography enables a number of different functions, including both encryption and authentication. A digital signature is another one of those functions enabled by public key cryptography; digital signatures are generated using algorithms for signing of data, with the result that a recipient can irrefutably confirm that the data was signed by the holder of a particular public key.
Digital signatures are generated by hashing the data to be signed with a one-way cryptographic hash; the result is then encrypted with the signer’s private key. The digital signature incorporates this encrypted hash, which can only be authenticated (verified) by using the sender’s public key to decrypt the digital signature, and then running the same one-way hashing algorithm on the content that was signed. The two hashes can then be compared, and if they match it proves that the data was unchanged from when it was signed — and that the sender is the owner of the public key pair used to sign it.
In general, a digital signature can depend on the distribution of a public key in the form of a digital certificate — but it is not mandatory that the public key be transmitted in that form. However, digital certificates themselves are signed digitally, and they should not be trusted unless the signature can be verified.
Types of digital certificates
There are three different types of digital certificates used by web servers and web browsers to authenticate over the internet. These digital certificates are used to link a web server for a domain to the individual or organization that owns the domain.
« Back to Glossary Index