Terminology for TLS Certificates

The following defines the security terms associated with TLS certificates and communication sessions. The terms are listed in alphabetical order.

CA-signed certificate

Digital document issued by a certificate authority that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. An identity certificate issued by a CA is digitally signed with the private key of the certificate authority.

Certificate (also known as digital certificate, public key certificate, digital ID, or identity certificate)

Signed certificate that is obtained from a certificate authority by generating a certificate signing request (CSR). It typically contains: (1) distinguished name and public key of the server or client; (2) common name and digital signature of the certificate authority; (3) period of validity (certificates expire and must be renewed); and (4) administrative and extended information. The certificate authority analyzes the CSR fields, validates the accuracy of the fields, generates a certificate, and sends it to the requester.

A certificate can also be self-signed and generated by any one of many tools available, such as OpenSSL. These tools can generate a digital certificate file and a private key file in PEM format, which you can combine using any ASCII text editor to create a key certificate file.

Certificate authority (CA)

An organization that issues digitally-signed certificates. The certificate authority authenticates the certificate owner's identity and the services that the owner is authorized to use, issues new certificates, renews existing certificates, and revokes certificates belonging to users who are no longer authorized to use them. The CA digital signature is assurance that anybody who trusts the CA can also trust that the certificate it signs is an accurate representation of the certificate owner.

Certificate signing request (CSR)

Message sent from an applicant to a CA in order to apply for a digital identity certificate. Before creating a CSR, the applicant first generates a key pair, keeping the private key secret. The CSR contains information identifying the applicant (such as a directory name in the case of an X.509 certificate), and the public key chosen by the applicant. The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority, and the certificate authority may contact the applicant for further information.

Cipher suite

A cryptographic key exchange algorithm that enables you to encrypt and decrypt files and messages with the TLS protocol.

Client authentication

A level of authentication that requires the client to authenticate its identity to the server by sending its certificate.

Key certificate file

File that contains the encrypted private key and the ID (public key) certificate. This file also contains the certificate common name that can be used to provide additional client authentication.


Passphrase used to access the private key.

Private key

String of characters used as the private, “secret” part of a complementary public-private key pair. The symmetric cipher of the private key is used to sign outgoing messages and decrypt data that is encrypted with its complementary public key. Data that is encrypted with a public key can only be decrypted using its complementary private key.

The private key is never transmitted and should never be shared with a trading partner.

Public key

String of characters used as the publicly distributed part of a complementary public-private key pair. The asymmetric cipher of the public key is used to confirm signatures on incoming messages and encrypt data for the session key that is exchanged between server and client during negotiation for a TLS session. The public key is part of the ID (public key) certificate. This information is stored in the key certificate file and read when authentication is performed.

Self-signed certificate

Digital document that is self-issued, that is, it is generated, digitally signed, and authenticated by its owner. Its authenticity is not validated by the digital signature and trusted key of a third-party certificate authority. To use self-signed certificates, you must exchange certificates with all your trading partners.

Session key

Asymmetric cipher used by the client and server to encrypt data. It is generated by the SSL software.

Trusted root certificate file (also known as root certificate file

File that contains one or more trusted root certificates used to authenticate ID (public) certificates sent by trading partners during the IBM Connect:Direct® protocol handshake.