Digital certificates rely upon public key cryptography to operate. Public key cryptography uses two mathematically related keys to secure data. The first key is the private key of the message recipient and the second is a public key known to everyone. For example, if you wanted to send a secure communication to your bank, you would use the bank’s public key to encrypt the message, and your bank would use its private key to decrypt the message you sent.
Since public keys are distributed openly, anyone with the knowledge and malicious intent could publish a key of their own and claim it belongs to someone else. That is where digital certificates come in. Digital certificates are used to verify that the freely available public keys belong to their legitimate owners. A digital certificate is a public key that has been confirmed as valid by an independent third party called a certificate authority (CA).
Usually digital certificates contain:
- The owner’s name
- The owner’s public key
- The issuer (distributor) of the certificate
- The public key’s expiration date
- Digital signature of the CA
Digital certificates can also contain addresses, serial numbers, hashes and a variety of other information. The most widely used format for digital certificates is X.509.
Certificate authorities handle the administrative functions of issuing and managing certificates. The largest certificate authorities include:
One of the most critical tasks of a CA involves publishing lists of certificates that have expired or have been revoked to a central database called a certificate revocation list (CRL). This must happen quickly and continuously so that users will immediately know if a certificate is invalid.
There are many types of digital certificates including those intended for applications, servers, and personal users. However, they all have the primary purpose of associating a public key to an owner.