Digital signatures, certificates and key rings
SSL uses digital signatures and digital certificates for establishing a trusted relationship between a sender and a receiver of information sent over a network connection.
A digital signature is a unique, mathematically computed, signature that demonstrates the authenticity of a transmission.
A digital certificate allows unique identification. It is essentially an electronic ID card, issued by a trusted third party known as a certificate authority. Digital certificates form part of the ISO authentication framework, also known as the X.509 protocol. This framework provides for authentication across networks. A digital certificate serves two purposes: it establishes the owner's identity and it makes the owner's public key available.
A digital certificate contains the following information:
- public key of the person being certified
- name and address of the person being certified, also known as the Distinguished Name (DN)
- digital signature of the certificate authority
- issue date
- expiry date
If you send your digital certificate, containing your public key, to someone else, your private key prevents that person from misusing your digital certificate and posing as you.
A digital certificate alone is not proof of an identity; it allows verification of the owner's identity, by providing the public key needed to check the owner's digital signature. Therefore, the digital certificate owner must protect the private key that belongs with the public key in the digital certificate. If the private key is stolen, anyone could pose as the legitimate owner of the digital certificate.
Certificate authority (CA)
A digital certificate is issued by a CA and has an expiry date. When requesting a digital certificate, you supply your distinguished name. The digitally signed certificate includes your distinguished name and the distinguished name of the CA. This allows verification of the CA.
To communicate securely, the receiver must trust the CA that issued the certificate that the sender is using. Therefore, when a sender signs a message, the receiver must have the corresponding CA's signer certificate and public key designated as a trusted root key. Your Web browser has a default list of signer certificates for trusted CAs. If you want to trust certificates from another CA, you must receive a certificate from that CA and designate it as a trusted root key.
A key ring is a file that contains the digital certificates, public keys, private keys, and trusted root keys used by a network communications security protocol such as SSL. Each certificate consists of a public key and a private key. A root certificate contains a trusted root key.
SSL requires access to key rings for the establishment of secure connections. The key rings used by the Java™ Secure Socket Extension (JSSE) implementation of SSL are known as KeyStores.
For information on how to create key rings, see Configuring SSL.