Professional Documents
Culture Documents
Definitions
Definitions
A set of data that uniquely identifies a public key (which has a corresponding
private key) and an owner that is authorized to use the key pair. The certificate
contains the owner’s public key and possibly other information and is digitally
signed by a Certification Authority (i.e., a trusted party), thereby binding the
public key to the owner.
Sources:
FIPS 186-5 under Cer
tificate
What is a public key certificate?
A public key certificate is a digitally signed document that serves to validate the
sender's authorization and name. It uses a cryptographic structure that binds a
public key to an entity, such as a user or organization. The digital document is
generated and issued by a trusted third party called a certification authority.
Public key certificates, which are also known as digital certificates, include the
public key, identity information about the owner and the name of the issuing
certificate authority (CA). The CA, a trusted third party, issues digital
certificates that verify the identity of parties in an exchange of information over
the internet. A digital certificate provides assurance of a person's identity, and
the CA establishes that assurance by validating the identity of the person who
requests the certificate.
Serial number. This number distinguishes the certificate from other certificates.
Algorithm information. The issuer uses this algorithm to sign the certificate.
Issuer. This is the name of the CA that issued the certificate.
Validity period of the certificate. These are the start and end dates that define
when the certificate is valid.
Subject distinguished name. This is the name of the identity to which the
certificate is issued.
Subject public key information. This is the public key that is associated with the
identity.
What are the different types of certificates?
Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates. These
certificates are the core of transport layer security (TLS) protocol, which is an
updated version of SSL. These digital files contain a public encryption key that is
used to validate server identity and a digital signature to ensure the integrity
and the source of data and other information transmitted online. These certificates
facilitate the exchange of encryption keys between web servers and browsers, which
enable a secured connection.
The chain of trust, trust path or trust chain is a sequence of certificates that a
web browser must traverse to verify that a particular website is authentic and,
therefore, secure. A chain of trust typically includes a root certificate, an
intermediate certificate and a leaf certificate.
Domain validation (DV) certificates. These certificates are typically the most
basic and most affordable type of certificate web browsers trust. DV certificates
require that the domain name of an organization is verified by the issuing CA
before they are issued. These certificates can be issued within minutes and do not
require the website owner to prove their identity. When a browser sees a DV
certificate, it trusts that the owner of the domain is indeed the owner of the
certificate and that the certificate is only meant for that specific domain.
Organization validation (OV) certificates. An OV certificate is one of the ways
that organizations can be validated for quality assurance through a formal and
accredited process. Organization validation is a process of validating the identity
of the root certificate authority, followed by a validation of the business or
organization requesting the certificate.
Individual validation (IV) certificates. These are certificates that are issued to
individuals -- not organizations -- making them popular choices among consumers,
particularly for securing email.
Extended validation (EV) certificates. These certificates are issued after an
extensive vetting process by both a CA and the CA's reputation partners. Under the
EV guidelines established by the CA/Browser Forum, in addition to meeting the
validity requirements, the applicant must submit proof of their identity, and the
organization must pass an independent audit. The combination of these factors helps
to provide an extra layer of trust in the identity of the site owner. Companies
issuing EV certificates are also required to pass an independent audit.
While less common than server certificates, client certificates authenticate the
identity of the user who wants to connect to a TLS service, rather than a device
seeking a connection.
EMV certificate. EMV payment cards have an embedded microchip containing a card
issuer certificate. The embedded microchip enables the EMV payment card to generate
a unique code for each transaction. EMV stands for Europay, MasterCard and Visa,
the organizations that constitute the certificate authority.
Leaf certificate. A leaf certificate, or an end entity, is the endpoint for the
signing and encrypting of data and cannot be used to sign other certificates. These
include TLS/SSL, email and code-signing certificates.
The biggest disadvantage of public key certificates is a lack of control over the
encryption key. This means that if the certificate is compromised, it cannot be
revoked. Someone could hack into the server to steal the certificate and use the
public key in the certificate to decrypt any information that was encrypted with
the public key. A fraudulent root certificate can be installed, and a browser does
not provide warning when a web certificate is changed.
Before buying a digital certificate, review this buyer's handbook to learn how they
work, which features are a must and how to evaluate the available options