What is a digital certificate?

A digital certificate, also known as a public key certificate, is used to cryptographically associate ownership of a public key with the owning entity. Digital certificates are used to share public keys used for encryption and authentication.

Digital certificates include the public key to be certified, identifying information about the entity holding the public key, metadata related to the digital certificate, and a digital signature over those contents created by the issuer of the certificate.

The distribution, authentication and revocation of digital certificates are the main functions of the public key infrastructure (PKI), the system that distributes and authenticates the public keys.

Public key cryptography is based on key pairs: one private key, to be retained by the owner and used for signing and decrypting, and a public key that can be used to encrypt data sent to the public key owner or to authenticate data signed by the certificate holder. The digital certificate allows entities to share their public key so that it can be authenticated.

Digital certificates are most commonly used in public-key cryptographic functions to initialize Secure Sockets Layer (SSL) connections between web browsers and web servers. Digital certificates are also used to share keys used for public key encryption and authentication with digital signatures.

Digital certificates are used by all major web browsers and web servers to ensure that unauthorized persons have not modified any published content and to share keys to encrypt and decrypt web content. Digital certificates are also used in other contexts, online and offline, to provide cryptographic security and privacy.

Digital certificates compatible with mobile operating environments, laptops, tablets, Internet of Things (IoT) devices and networking applications and software help protect websites, wireless networks, and virtual private networks.

How are digital certificates used?

Digital certificates are used in the following ways:

  • Credit and debit cards use digital certificates embedded in chips that connect to merchants and banks to ensure transactions are secure and authentic.
  • Digital payment companies use digital certificates to authenticate their ATMs, kiosks, and point-of-sale devices on-premises with a centralized server in their data center.
  • Websites use digital certificates for domain validation to prove they are trustworthy and authentic.
  • Digital certificates are used in secure email to identify one user to another and can also be used to sign electronic documents. The sender digitally signs the email and the recipient verifies the signature.
  • Computer hardware manufacturers build digital certificates into cable modems to prevent theft of broadband services through device cloning.

As cyber threats increase, more organizations are considering attaching digital certificates to all IoT devices operating at the perimeter and within their organizations. The goals are to defend against cyber threats and protect intellectual property.

Who can issue a digital certificate?

An entity can create its own PKI and issue its own digital certificates, starting from a self-signed certificate. This approach can be useful when an organization manages its own PKI to issue certificates for its own internal use. But certificate authorities (CAs), which are considered trusted third parties in the context of a PKI, issue most digital certificates. By using a trusted third party to issue digital certificates, users can extend their trust in the CA to the digital certificates it issues.

Digital Certificates vs. Digital Signatures

Public key cryptography supports several different functions, including encryption and authentication, and allows for a digital signature. Digital signatures are generated using data-signing algorithms so that a recipient can irrefutably confirm that the data was signed by a specific public key holder.

Digital signatures are generated by hashing the data to be signed with a one-way cryptographic hash; the result is then encrypted with the signer's private key. The digital signature contains this encrypted hash, which can only be authenticated or verified by using the sender's public key to decrypt the digital signature and then running the same one-way hash algorithm on the signed content. The two hashes are then compared. If they match, it proves that the data has not changed since it was signed and that the signer holds the private key belonging to the public key used to verify it.

A digital signature may depend on the distribution of a public key in the form of a digital certificate, but the public key need not be transmitted in this form. However, digital certificates are digitally signed and should not be trusted unless the signature can be verified.
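The hash-then-sign exchange described above, as an added example that is not part of the original article: the sender signs a SHA-256 digest of a constructed email body with an RSA private key, and the recipient verifies it with the public key alone. It also shows the two failure cases the text implies: altered content, and a signature checked against someone else's public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Sign hashes msg with SHA-256 and signs the digest with the sender's private
// key (RSA PKCS#1 v1.5), producing the "encrypted hash" described above.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest over the received content and checks it
// against the signature using only the signer's public key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Exchange walks through a signed-email exchange with constructed data and
// returns three verification outcomes: the genuine message, the same
// signature over tampered content, and the genuine message checked against
// another party's public key.
func Exchange() (genuine, tampered, wrongSender bool, err error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	content := []byte("Please wire the invoice amount to account 12345.") // constructed sample
	sig, err := Sign(sender, content)
	if err != nil {
		return
	}
	genuine = Verify(&sender.PublicKey, content, sig)
	// Content altered in transit no longer hashes to the signed digest.
	altered := []byte("Please wire the invoice amount to account 99999.")
	tampered = Verify(&sender.PublicKey, altered, sig)
	// The signature binds to the sender's key pair; another public key rejects it.
	wrongSender = Verify(&other.PublicKey, content, sig)
	return
}
```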

What types of digital certificates are there?

Web servers and web browsers use three types of digital certificates to authenticate themselves on the Internet. These digital certificates are used to link a domain's web server to the person or organization that owns the domain. They are often referred to as SSL certificates, although the Transport Layer Security (TLS) protocol has replaced SSL. The three types are as follows:

  1. Domain Validated (DV) SSL certificates offer the least assurance about the certificate holder. Applicants for DV SSL certificates need only prove that they are authorized to use the domain name. While these certificates can assure that the certificate holder is the party sending and receiving data, they offer no guarantee as to who that entity is.
  2. Organization Validated (OV) SSL certificates offer additional assurance about the certificate holder. They confirm that the applicant has the right to use the domain, and applicants for OV SSL certificates are also subject to additional confirmation of their ownership of the domain.
  3. Extended Validation (EV) SSL certificates are issued only after the applicant has proven their identity to the satisfaction of the certificate authority. The verification process confirms that the entity requesting the certificate exists, that its identity matches official records and is authorized to use the domain, and that the domain owner authorized the certificate to be issued.

The exact methods and criteria that CAs follow to deploy these types of SSL Certificates to web domains are evolving as the CA industry adapts to new conditions and applications.

There are also other types of digital certificates that are used for different purposes:

  • Code signing certificates may be issued to organizations or individuals that publish software. These certificates are used to share public keys that sign software code, including software patches and updates. Code signing certificates certify the authenticity of the signed code.
  • Client certificates, also called digital IDs, are issued to individuals to bind their identity to the public key in the certificate. Users can use these certificates to digitally sign messages or other data. They can also use their private keys to encrypt data that recipients can decrypt using the public key in the client's certificate.

Advantages of digital certificates

Digital certificates offer the following advantages:

  • Privacy. When communications are encrypted, digital certificates protect sensitive information and prevent it from being viewed by persons who are not authorized to view it. This technology protects companies and individuals with large amounts of sensitive data.
  • Ease of use. The digital certification process is largely automated.
  • Cost effectiveness. Compared to other forms of encryption and certification, digital certificates are cheaper. Most digital certificates cost less than $100 per year.
  • Flexibility. Digital certificates do not have to be purchased from a CA. For organizations interested in creating and managing their own internal set of digital certificates, a do-it-yourself approach to creating digital certificates is feasible.

Limitations of Digital Certificates

Digital certificate limitations include:

  • Security. Like any other security control, digital certificates can be compromised. The most likely route for a large-scale attack is a compromise of the issuing certificate authority, which gives attackers an entry point into the repository of digital certificates that the authority hosts.
  • Slow performance. Authenticating certificates and encrypting and decrypting with their keys take time. The wait can be frustrating.
  • Integration. Digital certificates are not a standalone technology. To be effective, they must be properly integrated into systems, data, applications, networks, and hardware. This is not an easy task.
  • Management. The more digital certificates a company uses, the greater the need to manage and track those that expire and need to be renewed. Third parties can provide these services, or companies can choose to do the work themselves. But it can get expensive.


