What is a Digital Certificate?
A digital certificate is an electronic credential that binds a public key to the identity of its holder: a server, a person, a device or an organisation. It works less like a password and more like a passport. It is issued and signed by a trusted authority and is presented to prove identity, but unlike a password it is not a secret. In a Public Key Infrastructure (PKI), a certificate lets the other party in a connection confirm that the server or user it is talking to is who it claims to be, because the holder can prove possession of the private key that matches the certified public key.
Certificates do not encrypt traffic by themselves, but the public key they carry is what lets two parties set up an authenticated, encrypted session (for example a TLS connection), so that a malicious user who intercepts the packets can neither read them nor pose as the server. A certificate's key pair also supports non-repudiation: a document signed with the holder's private key can be attributed to that holder, who cannot credibly deny having signed it, because only that private key can produce a signature that verifies under the certified public key.
How do Certificates work?
A digital signature ensures the authenticity and integrity of a document, email or other data. It relies on a key pair. The signer uses the private key, which never leaves their control, to sign a hash of the data; anyone holding the matching public key can verify the signature. (Encryption runs the other way: data encrypted to the public key can only be decrypted with the private key.)
A digital certificate links the public half of such a key pair to an identity. The key pair itself is generated by its owner; the certificate contains only the public key and the identity information, signed by the issuer. The private key is never included in the certificate and is never shared with the certificate authority.
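The sign-with-private, verify-with-public rule above, as an added example that is not part of the original article. It uses Go's standard ECDSA implementation; the sample document and the key pair are constructed for the demonstration. The point it shows is that a recipient needs only the public key, and that changing a single byte of the document, or verifying under a different key, makes the signature fail.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer holds one key pair. The private half is the only thing that can
// produce valid signatures and must never be shared; the public half is what a
// certificate later binds to an identity so that recipients can verify.
type Signer struct {
	priv *ecdsa.PrivateKey
}

// NewSigner generates a fresh P-256 key pair on the signer's own machine.
func NewSigner() (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// Public returns the half of the key pair that may be published.
func (s *Signer) Public() *ecdsa.PublicKey { return &s.priv.PublicKey }

// Sign hashes the document and signs the digest with the private key.
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// Verify is all a recipient needs: the public key, the document and the
// signature. It returns false if the document or signature was altered, or
// if the signature was made with a different private key.
func Verify(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	signer, err := NewSigner()
	if err != nil {
		panic(err)
	}
	doc := []byte("Pay 100 EUR to account 12345") // constructed sample document
	sig, err := signer.Sign(doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", Verify(signer.Public(), doc, sig))
	fmt.Println("tampered verifies:", Verify(signer.Public(), []byte("Pay 900 EUR to account 12345"), sig))
}
```

Note that the private key is never passed to Verify: a certificate is how a recipient obtains the public key and learns whose it is, which is the only missing piece in this exchange.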
The role of the Digital Certificate Authority
The Certificate Authority (CA) acts as a trusted third party. Before issuing a certificate, the CA verifies the identity of the party that generated the key pair. The applicant submits a Certificate Signing Request (CSR): a file containing the information to be included in the certificate, such as the domain name and organisation, together with the applicant's public key. The whole request is signed with the applicant's private key, so the CA can confirm that the applicant actually holds the key it is asking to have certified.
A trusted Public Key Infrastructure uses certificates in the X.509 version 3 format, which adds a general mechanism for attaching additional data, known as extensions (for example Basic Constraints, Key Usage and Subject Alternative Name). Each extension is marked critical or non-critical. A browser or other relying party may ignore a non-critical extension it does not recognise, but it must process every critical extension, and it must reject a certificate that contains a critical extension it does not understand.
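The critical/non-critical rule, as an added example that is not part of the original article. It uses Go's standard X.509 parser and verifier as the relying party. The certificate is self-signed and placed in its own trust pool so that only extension handling can make validation fail. The certificate name and the two extension OIDs (under a made-up private enterprise number) are constructed for the demonstration and stand in for any extension the relying party's code does not recognise.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical extension OIDs under a made-up private enterprise number; they
// stand in for any extension the relying party's code does not recognise.
// The value bytes are a DER NULL, which is enough for the demonstration.
var (
	ExtUnknownNonCritical = pkix.Extension{Id: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}, Critical: false, Value: []byte{0x05, 0x00}}
	ExtUnknownCritical    = pkix.Extension{Id: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 2}, Critical: true, Value: []byte{0x05, 0x00}}
)

// Outcome records how the relying party treated the certificate.
type Outcome struct {
	UnhandledCritical int  // critical extensions the parser did not understand
	PathValid         bool // whether path validation accepted the certificate
}

// Evaluate builds a self-signed X.509 v3 certificate carrying the given extra
// extensions (plus the critical BasicConstraints that Go emits for a CA), then
// validates it against a pool that trusts it, so only extension handling can
// make validation fail. Any other error is returned as unexpected.
func Evaluate(extra ...pkix.Extension) (Outcome, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(7),
		Subject:               pkix.Name{CommonName: "ext-demo.example"}, // constructed name
		DNSNames:              []string{"ext-demo.example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true, // lets the certificate anchor itself in the trust pool
		BasicConstraintsValid: true, // a critical extension the verifier does understand
		ExtraExtensions:       extra,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return Outcome{}, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Outcome{}, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: "ext-demo.example"})
	out := Outcome{UnhandledCritical: len(cert.UnhandledCriticalExtensions), PathValid: err == nil}
	if _, expected := err.(x509.UnhandledCriticalExtension); err != nil && !expected {
		return out, err
	}
	return out, nil
}

func main() {
	cases := map[string][]pkix.Extension{
		"known critical only":  nil,
		"unknown non-critical": {ExtUnknownNonCritical},
		"unknown critical":     {ExtUnknownCritical},
	}
	for name, exts := range cases {
		out, err := Evaluate(exts...)
		fmt.Printf("%-22s unhandledCritical=%d pathValid=%v err=%v\n", name, out.UnhandledCritical, out.PathValid, err)
	}
}
```

The three cases show the rule in action: the critical BasicConstraints extension is understood and processed, the unknown non-critical extension is parsed and ignored, and the unknown critical extension is recorded as unhandled and causes path validation to fail.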
Digital Certificate Validation Process
When a CA issues a certificate it signs the certificate with its own private key, so anyone holding the CA's public key can check that the certificate is genuine and has not been altered. A browser validates a certification path for X.509 certificates: starting from the server's certificate, it follows each certificate's issuer to the next certificate up the chain, verifying every signature, validity period, name and key-usage constraint, until it reaches a root certificate it already trusts from its own trust store. A chain that does not end at a trusted root, or that breaks any of these checks, is rejected.
Path validation alone does not tell the browser whether a certificate has been revoked before its expiry date, for example after a private key compromise. Two mechanisms provide that. A Certificate Revocation List (CRL) is a time-stamped list, signed by the CA, of the serial numbers of revoked certificates, published at a location named in the certificate; each entry may carry a reason code. Because CRLs can grow large and go stale between updates, they have largely been supplemented by the Online Certificate Status Protocol (OCSP), although CRLs are still issued and used.
OCSP is an online protocol for checking the status of a single certificate. An OCSP client, in most cases the browser, sends the certificate's serial number to an OCSP responder operated by or for the issuing CA. The responder returns a signed response giving the certificate's status as good, revoked or unknown, together with a revocation reason where one is recorded. The client must verify the signature on the response before acting on it. In practice many browsers soft-fail, proceeding as if the certificate were good when no response arrives, which is why servers are encouraged to attach a recent, CA-signed OCSP response to the TLS handshake (OCSP stapling).
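The whole lifecycle described in the two sections above (CSR submission and issuance by the CA, path validation by the browser, and a revocation check), as an added example that is not part of the original article. It uses Go's standard X.509 library to play all three roles in one process. The CA name "Example Root CA", the server name "www.example.com", the organisation "Example Ltd" and the serial numbers are constructed for the demonstration; a real CA would keep the root key offline and would vet the CSR contents before copying them into the certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps setup short: a failure here is a bug in the example, not a runtime condition.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildPKI plays both sides. The server generates its own key pair and a CSR; the CA
// verifies the CSR's self-signature (proof the applicant holds the private key) and issues
// an X.509 v3 certificate with extensions. Only the server's public key reaches the CA.
func BuildPKI(now time.Time) (leaf, root *x509.Certificate, rootKey *ecdsa.PrivateKey) {
	rootKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true, // emitted as a critical BasicConstraints extension
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Self-signed trust anchor: signed with rootKey, which a real CA keeps offline.
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))

	// Server side: leafKey never leaves the server; the CSR is signed with it.
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: "www.example.com", Organization: []string{"Example Ltd"}},
		DNSNames: []string{"www.example.com"},
	}, leafKey))

	// CA side: parse the CSR, check proof of possession, issue from the vetted fields only.
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		panic(fmt.Errorf("CSR not signed by the key it contains: %w", err))
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames, // becomes the SubjectAltName extension
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, csr.PublicKey, rootKey))))
	return leaf, root, rootKey
}

// ValidatePath is the relying party's job: chain the leaf to a trusted root, checking each
// signature, the validity window and the host name (path validation, not revocation).
func ValidatePath(leaf, root *x509.Certificate, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// IsRevokedByCRL has the CA sign a CRL listing the leaf's serial, then has the relying
// party verify the CRL's signature against the issuer before searching it.
func IsRevokedByCRL(leaf, root *x509.Certificate, rootKey *ecdsa.PrivateKey, now time.Time) (bool, error) {
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}},
	}, root, rootKey))))
	if err := crl.CheckSignatureFrom(root); err != nil {
		return false, err // an unsigned or forged list must not be trusted
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	now := time.Now()
	leaf, root, rootKey := BuildPKI(now)
	fmt.Println("valid host:", ValidatePath(leaf, root, "www.example.com", now))
	fmt.Println("wrong host:", ValidatePath(leaf, root, "evil.example.net", now))
	fmt.Println("expired:   ", ValidatePath(leaf, root, "www.example.com", now.Add(91*24*time.Hour)))
	fmt.Println(IsRevokedByCRL(leaf, root, rootKey, now))
}
```

Two things worth noticing: the leaf certificate's contents come from the CSR but its signature comes from the root key, which is exactly what path validation checks; and a valid path says nothing about revocation, which is why the CRL lookup is a separate step whose own signature must be verified first.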