What are Digital Certificates?

A digital certificate (DC) is a digital file that certifies the identity of an

individual or institution, or even a router seeking access to computer- based
information. It is issued by a Certification Authority (CA), and serves the
same purpose as a driver’s license or a passport.

What are Certification Authorities?

Certification Authorities are the digital world’s equivalent to passport

offices. They issue digital certificates and validate holders’ identity and
authority.

They embed an individual or institution’s public key along with other

identifying information into each digital certificate and then
cryptographically sign it as a tamper-proof seal verifying the integrity of the
data within it, and validating its use.

What is the Process of obtaining a certificate?

1.Subscriber (sender) generates a public\private key pair. Applies

to CA for digital certificate with the public key.

2.CA verifies subscriber's identity and issues digital certificate

containing the public key.

3.CA publishes certificate to public, on-line repository.

4.Subscriber signs message with private key and sends message to

second party.

5.Receiving party verifies digital signature with sender's public key

and requests verification of sender's digital certificate from CA's
public repository.

6.Repository reports status of subscriber's certificate.

What is the Process in obtaining a certificate?

Types of Digital Certificates :

 There are four main types of digital certificates :-

 Server Certificates

 Personal Certificates

 Organization Certificates

 Developer Certificates

What Does a Digital Certificate Contain?

It contains your name, a serial number, expiration date, a copy of the

certificate-holder's public key (used for encrypting messages and digital
signatures), and the digital signature of the certificate-issuing authority so
that a recipient can verify that the certificate is real. Some digital
certificates conform to the X.509 standard.

Why are they Used?

There are four(4) main uses:

1. Proving the Identity of the sender of a transaction

2. Non Repudiation – the owner of the certificate cannot deny partaking

in the transaction

3. Encryption and checking the integrity of data - provide the receiver

with the means to encode a reply.
 4. Single Sign-On - It can be used to validate a user and log them into
various computer systems without having to use a different password
for each system

Public & Private Keys

Public and Private Key pairs comprise of two uniquely related cryptographic
keys.

Public key is made accessible to everyone, whereas Private key remains

confidential to its respective owner. Since both keys are
mathematically related only the corresponding private key can decrypt their
corresponding public key.

How do You Obtain An Individual’s Public Key?

 When Alice wants Bob’s public key:

• Alice gets Bob’s certificate (from Bob or elsewhere).

• apply CA’s public key to Bob’s certificate, get Bob’s public

key

Where are Digital Certificates Used?

 In a number of Internet applications that include:

 1.Secure Socket Layer (SSL) developed by Netscape Communications

Corporation
  2. Secure Multipurpose Internet Mail Extensions (S/MIME) Standard for
securing email and electronic data interchange (EDI).

 3. Secure Electronic Transactions (SET) protocol for securing electronic

payments

 4. Internet Protocol Secure Standard (IPSec) for authenticating

networking devices

How Digital Certificates are Used for Message Encryption

In Conclusion

 Public Key Cryptography is used in message authentication and key

distribution.
  Key management is achieved by Digital Certificates, which are a
mechanism that enables distribution of keys to participants
exchanging information. They ensure the Confidentiality of these
messages and the Authentication of the participants.

 The strength of Digital Certificates through X.509 lies, inter alia, in the
fact that they have been standardized by the ITU-T.

 This makes for security in investment and training, as it is assured

Digital Certificates will be maintained in the future.

Certificate chains

Certificate authority (CA) hierarchies are reflected in certificate chains. A

certificate chain traces a path of certificates from a branch in the hierarchy
to the root of the hierarchy.

Figure 1 shows a certificate chain leading from a certificate that identifies

an entity through two subordinate CA certificates to the CA certificate for
the root CA. This example is based on Figure 1 shown in Hierarchies.

Figure 1. A certificate chain

In a certificate chain, the following occurs:

Each certificate is followed by the certificate of its issuer.

Each certificate contains the distinguished name (DN) of that certificate's

issuer. This is the same as the subject name of the next certificate in the
certificate chain. In this figure, CA Six contains the DN of CA Three, which
issued that certificate. The DN for CA Three is also the subject name of the
next certificate in the chain.

Each certificate is signed with the private key of its issuer. The signature
can be verified with the public key in the issuer's certificate, which is the
next certificate in the certificate chain. In this figure, the public key in the
certificate for CA Three can be used to verify the CA Three's digital
signature on the certificate for CA Six.

Certificate chain verification

Verifying a certificate chain is the process of ensuring that a specific certificate chain is
well-formed, valid, correctly signed, and trustworthy.

The following procedure forms and verifies a certificate chain, beginning with the
certificate that is presented for authentication:
The issuer's certificate is located. The source can be the verifier's local certificate
database on that client or server, or the certificate chain that is provided by the subject.

The certificate signature is verified using the public key in the issuer's certificate.

The validity period for the certificate is verified against the current time provided by the
verifier's system clock.

If the issuer's certificate is trusted by the verifier, verification is successful and stops
here. Otherwise, the issuer's certificate is checked to ensure that it contains the
appropriate subordinate certificate authority (CA) and verification of the certificate chain
begins again with step 1 with the new certificate.

Figure 1 shows what occurs when only a root CA is included in the verifier's local
database.

Figure 1. Verifying a certificate chain to the root CA

If a certificate for one of the immediate CAs shown in Figure 1, such as CA Two, is found
in the verifier's local database, verification stops with that certificate as shown in Figure
2.

Figure 2. Verifying a certificate chain to an immediate CA

If any of the following events occur at any point in the certificate chain, authentication
will fail:

The validity dates are expired.

A signature that is not valid is found.

A certificate for the issuing CA is not found.

Figure 3 shows a certificate chain that cannot be verified.

Figure 3. A certificate chain that cannot be verified