Digital certificates
A digital certificate consists of the public portion of a private/public key pair and metadata values that identify the holder of the certificate (name, company name, certificate expiry date, etc.). A certificate is said to be ‘signed’ when a CA or individual uses a private key to encrypt a hash of a message.
Signing of digital certificates
The hash can be decrypted only by someone who has the public portion of the private/public key pair. Decrypting the hash proves that the sender (or holder of the certificate) is trusted by the signer and that secure communication can begin.
In the following diagram, the receiver of a signed message is verifying the identity of the signer. Authentication is done by comparing a hash of the certificate that the receiver creates with a similar hash that the signer created and then encrypted using their private key. The receiver uses the signer's public key to decrypt the signer's signature to expose the original hash of the certificate.
The certificate chain
Your certificate might in turn depend on the digital certificate of another CA; there might be a hierarchy of certificates that are issued by multiple CAs, each depending on the validity of the next. Eventually, however, the receiver needs the public key of the root CA. The root CA is the CA at the top of the hierarchy, and this hierarchy, or dependency, is known as a certificate chain.
To trust the validity of the digital certificate of the root CA, the user must receive that digital certificate in a secure manner. Examples of secure transfer include downloading from an authenticated server, or with preinstalled software received from a reliable source. Applications that send a digital certificate to a receiver send not just their own certificate: they also send all the CA digital certificates necessary to verify the hierarchy of certificates up to the root CA certificate.
For a digital certificate to be entirely trustworthy, the owner of the digital certificate must be careful to protect their private key in their keystore. If their private key has been compromised, an imposter could misuse their digital certificate.
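The signing and chain checks described above, as an added example that is not part of the original page or of any IBM code. It uses textbook RSA built from small known primes with no padding, purely to show the hash comparison and the walk up to a locally held root key; the function names, certificate fields and sample hierarchy are hypothetical and constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def make_key(p, q):
    """Toy RSA key pair from two known primes: returns (public n, private d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(cert, n):
    """Hash the certificate's identifying fields, reduced to fit the signer's modulus."""
    body = f"{cert['subject']}|{cert['issuer']}|{cert['n']}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue(subject, subject_n, issuer, issuer_n, issuer_d):
    """Signer side: hash the certificate, then encrypt the hash with the private key."""
    cert = {"subject": subject, "issuer": issuer, "n": subject_n}
    cert["sig"] = pow(digest(cert, issuer_n), issuer_d, issuer_n)
    return cert

def verify_chain(chain, trusted_roots):
    """Receiver side: chain is ordered leaf first; trusted_roots maps CA name -> public n."""
    for i, cert in enumerate(chain):
        if cert["issuer"] in trusted_roots:
            # Root key comes from the local store, never from the sender
            issuer_n, anchored = trusted_roots[cert["issuer"]], True
        elif i + 1 < len(chain) and chain[i + 1]["subject"] == cert["issuer"]:
            issuer_n, anchored = chain[i + 1]["n"], False
        else:
            return False  # chain never reaches a root the receiver holds
        # Decrypt the signature with the issuer's public key and compare with our own hash
        if pow(cert["sig"], E, issuer_n) != digest(cert, issuer_n):
            return False
        if anchored:
            return True
    return False

# Constructed sample hierarchy: root CA -> intermediate CA -> server
ROOT_N, ROOT_D = make_key(2**107 - 1, 2**127 - 1)
INT_N, INT_D = make_key(2**61 - 1, 2**89 - 1)
SRV_N, _ = make_key(2**521 - 1, 2**607 - 1)
CHAIN = [issue("db2server.example", SRV_N, "Intermediate CA", INT_N, INT_D),
         issue("Intermediate CA", INT_N, "Root CA", ROOT_N, ROOT_D)]
TRUSTED = {"Root CA": ROOT_N}  # assumed to have been received in a secure manner

if __name__ == "__main__":
    print("valid chain:", verify_chain(CHAIN, TRUSTED))
    forged = [dict(CHAIN[0], subject="other.example"), CHAIN[1]]
    print("altered leaf:", verify_chain(forged, TRUSTED))
    print("no root in store:", verify_chain(CHAIN, {}))
```

The check fails closed: a chain that does not end at a root key already in the receiver's store is rejected even when every signature inside it is internally consistent.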
Distributing a signed certificate
When you receive your signed certificates from a CA, you can use IBM Global Security Kit (GSKit) to add (receive) them to a keystore and to import them to a certificate file. You can then distribute the certificate file to the Db2® servers and clients within your network. This process allows receiving clients and servers to validate a sending server's certificate against the one that they added to their local keystore. Once the certificate is validated, the client and server can establish encrypted communication.