Understanding Digital Certificates and Certificate Authorities
The ISO X.509 protocol defines a mechanism called a certificate that contains a user’s public key that is signed by a trusted entity called a certificate authority (CA).
Certificates contain information used to establish identities over a network in a process called authentication. Like a driver’s licence, a passport, or other forms of personal identification, certificates enable servers and clients to authenticate each other before establishing a secure connection.
Certificates are valid only for a specified time period; when a certificate expires, a new one must be issued. The issuing authority can also revoke certificates.
To establish an SSL/TLS connection, you require a server certificate at one end of the connection and a root certificate of the CA that issued the server certificate at the other end.
- Server certificate
- A server certificate certifies the identity of a server. The type of digital certificate that is required by the Secure Gateway is called a server certificate
- Root certificate
- A root certificate identifies the CA that signed the server certificate. The root certificate belongs to the CA. This type of digital certificate is required by a client device to verify the server certificate.
When establishing an SSL connection with a Web browser on a client device, the server sends its certificate to the client.
When receiving a server certificate, the Web browser (for example, Internet Explorer) on the client device checks to see which CA issued the certificate and if the CA is trusted by the client. If the CA is not trusted, the Web browser prompts the user to accept or decline the certificate (effectively accepting or declining the ability to access this site).
When User A receives a message from User B, the locally stored information about the CA that issued the certificate is used to verify that it did indeed issue the certificate. This information is a copy of the CA’s own certificate and is referred to as a root certificate.
Certificates generally have a common format, usually based on International Telecommunication Union (ITU) standards. The certificate contains information that includes the:
- The organization that issues the certificates.
- The party that is identified by the certificate.
- Period of validity
- The certificate’s start date and expiration date
- Public key
- The subject’s public key used to encrypt data.
- Issuer’s signature
- The CA’s digital signature on the certificate used to guarantee its authenticity.
A number of companies and organizations currently act as CAs, including VeriSign, Baltimore, Entrust, and their respective affiliates.