Digital certificates and certificate authorities

Trusted parties, called certificate authorities (CA), issue digital certificates to verify the identity of an entity, such as a client or a server.

The digital certificate serves the following purposes:
  • Verify the identity of the owner.
  • Make the public key of the owner available.

The certificate authority issues the certificate with an expiration date, after which the certificate is no longer guaranteed by the certificate authority.

To obtain a digital certificate, you send a request to the CA of your choice; for example, Verisign or RSA. The request includes your distinguished name, your public key, and your signature. A distinguished name (DN) is a unique identifier for each user or host for which you are applying for a certificate. The CA checks your signature using your public key and performs some level of verification of your identity. (The verification process varies between CAs). After verification, the CA sends you a signed digital certificate that contains your distinguished name, your public key, the distinguished name of the CA, and the signature of the CA. You store this signed certificate in your key database.

When you send this certificate to a receiver, the receiver does the following steps to verify your identity:
  1. Uses your public key that comes with the certificate to check your digital signature.
  2. Verifies that the CA that issued your certificate is legitimate and trustworthy. To do this, the receiver needs the public key of the CA. The receiver might already hold an assured copy of the public key of the CA in their key database, but if not, the receiver must acquire an additional digital certificate to obtain the public key of the CA. This certificate might in turn depend on the digital certificate of another CA; there might be a hierarchy of certificates issued by multiple CAs, each depending on the validity of the next. Eventually, however, the receiver needs the public key of the root CA. The root CA is the CA at the top of the hierarchy. To trust the validity of the digital certificate of the root CA, the public-key user must receive that digital certificate in a secure manner, such as through a download from an authenticated server, or with preloaded software received from a reliable source, or on a securely delivered diskette.

Many applications that send a digital certificate also send all of the CA digital certificates necessary to verify the hierarchy of certificates up to the root CA certificate. For a digital certificate to be entirely trustworthy, the owner of the digital certificate must protect the private key, for example, by encrypting it on their computer's hard drive. If their private key has been compromised, an imposter could misuse their digital certificate.

You can use self-signed digital certificates for testing purposes. A self-signed digital certificate contains your distinguished name, your public key, and your signature.