Definitions:

A digital document issued and digitally signed by the private key of a

certification authority that binds an identifier to a cardholder through a public
key. The certificate indicates that the cardholder identified in the certificate
has sole control and access to the private key.
Sources:
FIPS 201-3 under Public Key Certificate from RFC 5280 - adapted

A set of data that uniquely identifies a public key (which has a corresponding
private key) and an owner that is authorized to use the key pair. The certificate
contains the owner’s public key and possibly other information and is digitally
signed by a Certification Authority (i.e., a trusted party), thereby binding the
public key to the owner.
Sources:
FIPS 186-5 under Cer
tificate
What is a public key certificate?
A public key certificate is a digitally signed document that serves to validate the
sender's authorization and name. It uses a cryptographic structure that binds a
public key to an entity, such as a user or organization. The digital document is
generated and issued by a trusted third party called a certification authority.

Public key certificates, which are also known as digital certificates, include the
public key, identity information about the owner and the name of the issuing
certificate authority (CA). The CA, a trusted third party, issues digital
certificates that verify the identity of parties in an exchange of information over
the internet. A digital certificate provides assurance of a person's identity, and
the CA establishes that assurance by validating the identity of the person who
requests the certificate.

How does a public key certificate work?

Public key certificates form a part of a public key infrastructure (PKI) system
that uses encryption technology to secure messages and data. A public key
certificate uses a pair of encryption keys, one public and one private. The public
key is made available to anyone who wants to verify the identity of the certificate
holder, while the private key is a unique key that is kept secret. This enables the
certificate holder to digitally sign documents, emails and other information
without a third party being able to impersonate them. The four main components of
PKI are public key encryption, trusted third parties such as the CA, the
registration authority and the certificate database or store.

four components of a public key infrastructure

The fundamental elements of a public key infrastructure.
There are different types of public key certificates for different functions, such
as authorization for a specific type of action. The following are common fields
found in digital certificates:

Serial number. This number distinguishes the certificate from other certificates.
Algorithm information. The issuer uses this algorithm to sign the certificate.
Issuer. This is the name of the CA that issued the certificate.
Validity period of the certificate. These are the start and end dates that define
when the certificate is valid.
Subject distinguished name. This is the name of the identity to which the
certificate is issued.
Subject public key information. This is the public key that is associated with the
identity.
What are the different types of certificates?
Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates. These
certificates are the core of transport layer security (TLS) protocol, which is an
updated version of SSL. These digital files contain a public encryption key that is
used to validate server identity and a digital signature to ensure the integrity
and the source of data and other information transmitted online. These certificates
facilitate the exchange of encryption keys between web servers and browsers, which
enable a secured connection.

The chain of trust, trust path or trust chain is a sequence of certificates that a
web browser must traverse to verify that a particular website is authentic and,
therefore, secure. A chain of trust typically includes a root certificate, an
intermediate certificate and a leaf certificate.

There are multiple types of TLS/SSL certificates:

Domain validation (DV) certificates. These certificates are typically the most
basic and most affordable type of certificate web browsers trust. DV certificates
require that the domain name of an organization is verified by the issuing CA
before they are issued. These certificates can be issued within minutes and do not
require the website owner to prove their identity. When a browser sees a DV
certificate, it trusts that the owner of the domain is indeed the owner of the
certificate and that the certificate is only meant for that specific domain.
Organization validation (OV) certificates. An OV certificate is one of the ways
that organizations can be validated for quality assurance through a formal and
accredited process. Organization validation is a process of validating the identity
of the root certificate authority, followed by a validation of the business or
organization requesting the certificate.
Individual validation (IV) certificates. These are certificates that are issued to
individuals -- not organizations -- making them popular choices among consumers,
particularly for securing email.
Extended validation (EV) certificates. These certificates are issued after an
extensive vetting process by both a CA and the CA's reputation partners. Under the
EV guidelines established by the CA/Browser Forum, in addition to meeting the
validity requirements, the applicant must submit proof of their identity, and the
organization must pass an independent audit. The combination of these factors helps
to provide an extra layer of trust in the identity of the site owner. Companies
issuing EV certificates are also required to pass an independent audit.
While less common than server certificates, client certificates authenticate the
identity of the user who wants to connect to a TLS service, rather than a device
seeking a connection.

Email certificate. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a

standard for sending encrypted email. RSA security created it to resolve the
problem of sending encrypted email without the need to exchange a public key. It is
commonly used within an organization that has its own CA.

EMV certificate. EMV payment cards have an embedded microchip containing a card
issuer certificate. The embedded microchip enables the EMV payment card to generate
a unique code for each transaction. EMV stands for Europay, MasterCard and Visa,
the organizations that constitute the certificate authority.

Code-signing certificate. Code-signing certificates are used in software

development and IT operations to digitally sign the software or firmware of an
application or device. This provides recipients with assurance about who created
the code and the integrity of the code.

Root certificate. A root certificate is a digital certificate that is used to sign

other digital certificates. It is sometimes referred to as a trust anchor because
it is at the top of a hierarchy of digital certificates that are used to verify
other digital certificates. The hierarchy starts with a root certificate, which is
the highest level of certificate. The root certificate is verified by a second-
level certificate, which is verified by a third-level certificate, and so on.

Intermediate certificate. The intermediate certificate is used to sign other

certificates and is best used as a bridge between a root CA and a subordinate CA.
An intermediate certificate is used to sign end-user certificates that a website or
a local server uses. The root certificates verify the identity of the intermediate
certificate, which in turn verifies the end-user certificates.

Leaf certificate. A leaf certificate, or an end entity, is the endpoint for the
signing and encrypting of data and cannot be used to sign other certificates. These
include TLS/SSL, email and code-signing certificates.

Self-signed certificate. A self-signed certificate is a certificate that is signed

by the same entity to whom it is assigned. Most certificates can be self-signed and
are verified by their own public key. They are not signed by a CA, which means they
might be perceived as less trustworthy.

Advantages and disadvantages of public key certificates

The main advantage of using public key certificates is that they enable secure
authentication. The integrity of the public key certificate is guaranteed by the
CA. Further, this type of certificate prevents man-in-the-middle attacks, which
occur when a malicious third party intercepts the communication between two
entities and relays the message between them. Lastly, public key certificates are
supported by many enterprise networks and applications, and the process is
transparent and efficient.

The biggest disadvantage of public key certificates is a lack of control over the
encryption key. This means that if the certificate is compromised, it cannot be
revoked. Someone could hack into the server to steal the certificate and use the
public key in the certificate to decrypt any information that was encrypted with
the public key. A fraudulent root certificate can be installed, and a browser does
not provide warning when a web certificate is changed.

Before buying a digital certificate, review this buyer's handbook to learn how they
work, which features are a must and how to evaluate the available options