Digital Certificate FAQ

Download as doc, pdf, or txt
Download as doc, pdf, or txt
You are on page 1of 10

Certifying Authority a)What is the role of Certifying Authority?

A Certifying Authority is a body entrusted to issue, revoke, renew and provide directories of Digital Certificates. A user's certificate is issued and signed by a Certifying Authority and acts as a proof . Anyone trusting the Certifying Authority can also trust the user's certificate. According to section 24 under Information Technology Act 2000 "Certifying Authority" means a person who has been granted a licence to issue Digital Signature Certificates. b) Who can be entitled to be a Certifying Authority (CA)? A prospective CA should possess required resources and infrastructure as specified by IT Act 2000 , get it audited by the auditor appointed by the office of Controller of Certifying Authorities(CCA), and based on complete compliance of the requirements, a license to operate as a Certifying Authority can be obtained. The license is issued by the Controller of Certifying Authority, Ministry of Information Technology, Government of India. c)What is the role of Registration Authority (RA)? A Registration Authority (RA) is responsible for initiating the certificate issuance process after receiving approved application request from the Local Registration Authority. Revocation requests for Digital Certificates from subscribers/ authorized representative of the subscriber are also handled by the RA. d) What is the role of Local Registration Authority (LRA)? An LRA (Local Registration Authority) is an agent of the Certifying Authority who collects the application forms for Digital Signature Certificates and related documents, for verification and approval/rejection of application based on verification. e) What are Certificate Policies (CP)? Certificate Policies define the different classes of certificates issued by the CA, the procedures to issue and revoke, term of usage of such certificates and among other things the rules governing the different uses of these certificates. Top Digital Signature Certificate a) What is a Digital Signature Certificate? Digital signature certificates (DSC) are the digital equivalent (that is electronic format) of physical or paper certificates. Examples of physical certificates are drivers' licenses, passports or membership cards. Certificates serve as proof of identity of an individual for a certain purpose; for example, a driver's license identifies someone who can legally drive in a particular country. Likewise, a digital certificate can be presented electronically to prove your identity, to access information or services on the Internet or to sign certain documents digitally. b) Are Public Keys and Digital Certificates related? A certificate is an electronic document that binds a public key to a particular individual or organization. A trusted third party, called a Certifying Authority (CA), issues certificates. Before issuing a certificate, a CA will go through a series of authentication procedures to make sure that you are what you claim to be, and that the public key in the certificate really belongs to you. The certificate is then encrypted (signed) with the CA's private key. Thus, if the end users trust the CA, and have the CAs public key, he can be sure of the certificate's legitimacy. c) What is the use of Digital Signature Certificate? Like physical documents are signed manually, electronic documents, for example e-forms are required to be signed digitally using a Digital Signature Certificate.

d) Where can Digital Certificates be used? You can use Digital Certificate for secure email and web-based transactions, or to identify other participants of webbased transactions. You can use Digital Certificate to prove ownership of a domain name and establish SSL / TLS encrypted secured sessions between your website and the user for web based transaction. As a developer you can use Digital Certificate for proving authorship of a code and retain integrity of the distributed software programs. You can use Digital Certificates for signing web forms, e-tendering documents, filing income tax returns etc. e) How does a Digital Certificate function ? Certificates use the Public Key Infrastructure (PKI technology, which is a sophisticated, mathematically proven method of encrypting and decrypting information). Information can be decrypted only when both a private key and a public key match each other. The certificate contains information about a user's identity (for example, their name, email address, the date the certificate was issued and the name of the Certifying Authority that issued it.) The certificate also contains the public key. The private key is stored on the user's computer hard disk or on an external device such as a smart card. The user retains control of the private key; it can only be used with the issued password. Applying / Registering for a Digital Certificate: a) What are the different types/ classes of Digital Signature Certificates and where each is applicable?
Seven different classes of Digital Certificate for different applications and types of users. Class Category I IIa Individual Individual Supported Applications Secure E-mail Web form signing Client Authentication Secure E-Mail Other low Risk Transactions Web form signing Client Authentication Secure E-Mail Other low Risk Transactions VPN User Code Signing Web Form Signing Client Authentication Secure E-Mail VPN User Code Signing Web Form Signing Client Authentication Secured E- mail SSL Server Authentication VPN Device Authentication

IIb

Enterprises / Government Organizations or Agencies

IIIa

Individual

IIIb

Enterprises / Government Organizations or Agencies

IIIc IIId

Individual / Enterprises / Government Organizations or Agencies Individual / Enterprises / Government Organizations or Agencies

b) What is the validity period of Digital Signature Certificates? Digital Certificates are valid for one year or two years from the date of issuance. c) Can some one else apply for and use a Digital Signature Certificate for me or on my behalf?

An organization can purchase Digital Certificates for its employees with the objective of secure and authenticated web communication. But no one can utilize your Digital Certificate because (only one) your email address is attached to the Digital Certificate purchased for you and your Digital Certificate with private key is stored under your control. Please take care and avoid giving direct physical access to your important private key. d) What is the reason for rejection of my application for a Digital Signature Certificate? Refusal to issue a Digital Certificate is a result of stringent verification procedure. Incomplete application, information or wrong information are the common causes for such refusal. e) What does "Relying Party" mean? Relying party is an entity that relies on the information provided in a valid digital signature certificate.

Precautionary measures for safekeeping of Digital Certificates:


a) Is it required to keep a backup copy of my my Digital Signature Certificate? In case yours hard drive crashes or your Digital Certificate gets accidentally deleted. If you store a backup copy of your Digital Certificate on a floppy disk in a secure place, then you will always be able to re-install your Digital Certificate. If you lose your Digital Certificate and it is not backed-up, then you will lose any messages that have been encrypted for you. b) How can I protect my Digital Signature Certificate/Private Key? Protect your computer from unauthorized access by keeping it physically secure. Use access control products or operating system protection features (such as a system password). Take measures to protect your computer from viruses, because a virus may be able to attack a private key. Always chose to protect your private key with a good password. c) What is the format of Private Key? Private Keys are not easily viewed simply because they need to remain secure. They exist for the most part in an encrypted state within the registry of the Operating System. However, if specified at the time of key pair generation, it is possible to export a Private Key as a data file for backup purposes. Like any cryptographic key, Private Keys are simply long, random numbers. d) How can private key be protected? Your private key is protected in two ways: 1. It is stored on your computer's hard drive so you can control access to it. 2. When you generate your Digital Certificate's private key at collection time, the software you use (such as your browser) will probably ask you for a password. This password protects access to your private key. For Internet Explorer users, your private key is normally protected by your Windows password. A third party can access your private key only by: i. having access to the file your key is stored in (which is usually part of your system's configuration information) and ii. Knowing your private password. Some software permits you to choose to not have a password protect your private key. If you use this option, then you are trusting that no one, presently or in the future, will have unauthorized access to your computer. In general, it is far easier to use a password than to completely safeguard your computer physically. Not using a password is a bit like pre-signing all of the cheques in your chequebook and then leaving it open on your desk. e) Can Digital Certificate be recovered after being accidentally deleted from PC's hard disk drive? Once your Digital Certificate and key files have been deleted, damaged or overwritten, there is no way to reactivate your Digital Certificate. You will first need to revoke your Digital Certificate, and then enroll for a new one.

f) Can more than one person store their Digital Certificate on a computer? Yes. Netscape Communicator is set up to allow multiple people to use Netscape on the same computer using profiles. Each person uses their profile to keep their settings, preferences, bookmarks, mail messages and certificates separate from other users of Netscape on the same computer. g) How do I transfer my Digital Certificate to a new computer? (Microsoft Internet Explorer) The first step for transporting your Digital Certificate is to save ("export") it from the hard drive of the computer where it is currently held onto a floppy disk or other transport medium. When your Digital certificate has been successfully exported, you can then import it into the new location. To import your Digital Certificate into Internet Explorer: 1. From the View menu of Explorer, choose "Internet Options..." 2. Select the Content tab. 3. Select Personal from the Certificates list. 4. Click the Import button. 5. Locate your Digital Certificate from the disk and folder in which it is saved (it should have a .pfx or .p12 extension). Once you have found it, highlight it and click Open. 6. If prompted, enter the security password used to protect your Digital Certificate (this is NOT the transport password, but the security password you use each time you present your Digital Certificate). You may be prompted to enter this password multiple times (possibly as many as 20) before it takes. 7. Enter your transport password and click OK.

Web Browser Queries:


a) I deleted Microsoft Internet Explorer and installed the latest version. How do I reinstall my Digital Certificate? If you removed your old copy of Internet Explorer by deleting the application and its directory, you also deleted your Digital Certificate. You need to request for a new Digital Certificate b) I deleted Netscape Navigator and installed the latest version. How do I reinstall my Digital Certificate? If you removed your old copy of Netscape Navigator by deleting your Netscape directory, you also deleted the file that contained the private key associated with your Digital Certificate. Without that private key, you cannot reinstall your Digital Certificate. You need to request a new Digital Certificate. Upgrading Navigator with the Netscape installer preserves your personal information, including your Digital Certificate and private key. In the future, you should use this installer when upgrading Navigator. You can request a Digital Certificate when you register your copy of Navigator, or you can go directly to the Digital Certificate Center. c) Can I use my Digital Certificate with more than one browser or e-mail application (for example, with Netscape Navigator and Microsoft Internet Explorer)? Exporting From Netscape Navigator: 1. Click on the Security icon (the one that looks like a padlock) from the main toolbar. 2. Select "Certificates: Personal" from the menu on the left. 3. Select the Digital Certificate you want to move and click the Export button. 4. Choose a transport password, which you will be required to present when importing, and then click OK. 5. Select a disk drive and file name in which to save your Digital Certificate, then click Save. Importing Into Microsoft Internet Explorer:

1. From the View menu of Explorer, choose "Internet Options..." 2. Select the Content tab. 3. Select Personal from the Certificates list. 4. Click the Import button. 5. Insert the disk with your Digital Certificate into your floppy drive and choose the file name in which your Digital Certificate is stored (it should end with .pfx), then click Save. 6. Enter your transport password and click OK. Exporting Into Microsoft Internet Explorer: 1. From the View menu of Explorer, choose "Internet Options..." 2. Select the Content tab. 3. Select Personal from the Certificates list. 4. Highlight the Digital Certificate you wish to save, and then click the Export button. 5. Choose a password and a file name for your Digital Certificate. This new password protects this specific copy of your Digital Certificate--you will be required to present it when you want to import or open this copy of your Digital Certificate. Be sure to include a disk and folder location in the file name, such as a: if you want to save to a floppy disk. Click OK. 6. If prompted, enter the security password you have always used to protect your Digital Certificate. There is a bug in some versions of Internet Explorer 4.0 you may be prompted to enter this password multiple times (possibly as many as 20) before it takes. Microsoft is aware of this and is working towards a solution Import Into Netscape Navigator: NOTE: Only the later versions of Navigator 4.0 and up support importing Digital Certificates 1. Click on the Security icon (the one that looks like a padlock) from the main toolbar. 2. Click on "Yours" under "Certificates" from the menu on the left. 3. Click the Import Certificate button located near the bottom of the page. 4. If prompted, enter the password used to protect your Digital Certificate (this is NOT the transport password, but the security password you use each time you present your Digital Certificate). You may be prompted to enter this password multiple times before it takes. 5. Locate your Digital Certificate from the disk and folder in which it is saved (it should have a .pfx or .p12 extension). Once you have found it, highlight it and click Open. 6. Enter your transport password and click OK. (If your Digital Certificate shows up as a long series or numbers or letters, it should still work correctly.). d) I deleted my old Microsoft Internet Explorer or Netscape Navigator and installed the latest version. How do I reinstall my Digital Certificate? If you removed your copy of Microsoft Internet Explorer or Netscape Navigator by deleting the application and its directory, you also deleted the file that contained the private key associated with your Digital Certificate. Without that private key, you cannot reinstall your Digital Certificate. e) [Master Password] is asked when I am proceeding in the certificate acquisition for Netscape. Is Challenge Code and Master Password the same? No, it is not the same. In Netscape, there is an independent database for administering the certificates. Master Password is a password for accessing its database. Please DO NOT forget the password. Otherwise, you won't be able to backup the certificates in the database. In Internet Explorer, OS administer the certificate database, and the password is the same as your login password. f) I checked my Digital Certificate, and the following message appeared :" This certificate is not trusted.". What does this mean?

Most of the time, the root certificate which is installed improperly, causes this to happen. Please follow the instruction below for the resolution. If you are using Netscape: 1. Open up your browser, and on the [Security] menu, click [Signers]. 2. Select CA from [Certificate Signers Certificates], and then click [Edit]. 3. Check both [Accept this Certificate Authority for Certifying network sites] and [Accept this Certificate Authority for Certifying e-mail users], then click [OK]. If you are using Internet Explorer: 1. Open up your browser, and on the [Tools] menu, click [Internet Options]. 2. Select [Content] tab, press [Certificates] button, and click [Trusted Root Certification Authorities] tab. 3. Select CA in the list of root certificate, and click [Advanced...] button. 4. Make sure [Server Authentication] and [Client Authentication] is checked. (It is recommended that other option boxes are also checked.)

SSL Certificate Queries:


a) What is SSL (secure socket layer) and how does it work? Secure Socket Layer (SSL) is a technology developed by Netscape and adopted by all vendors producing related Web software. It negotiates and employs the essential functions of mutual authentication, data encryption, and data integrity for secure transactions. This exchange between the client and server is performed using the Secure Sockets Layer (SSL). SSL 2.0 supports server authentication only; SSL 3.0 supports both client and server authentication. b) I want to utilize one web server (SSL) certificate for more than one website, can I? You will not be able to use one certificate on different websites as the certificate is tied to the exact host and domain name. c) What should users verify before trusting an SSL certified website? Before trusting any SSL certificate provided website, visitors should verify given below points: The SSL certificate must have a chain of trust back to a root CA the client trusts. The server certificate, and all the CA certificates in the certificate chain of trust, must have valid signatures. Every certificate is signed by the next-higher CA, except for a root CA, which signs its own certificate. The current date and time must be within the validity period of the server certificate, and of all the CA certificates in the certificate chain of trust. Every certificate has a validity period (a starting date and time and an ending date and time when the certificate is valid for use). The client must retrieve the CRLs from every CA in the certificate chain of trust and check to see if the server certificate or one of the subordinate CAs has been revoked by its next-higher CA.

Technology:
a) What is PKI? The PKI is a framework of policies, services, and encryption software that provides the assurances, users need before they can confidently transmit sensitive information over the Internet and other networks. At the heart of a PKI is a "Certifying Authority" which issues to each individual a Digital Certificate linking that particular person to a known public key. b) What is cryptography? Cryptography is the science of using mathematics to encrypt and decrypt data. Cryptography enables you to store

sensitive information or transmit it across insecure networks (like the Internet) so that it cannot be read by anyone except the intended recipient. In short, cryptography is science of securing data c) What is secret key cryptography? Secret-key cryptography is sometimes referred to as symmetric cryptography. It is the more traditional form of cryptography, in which a single key can be used to encrypt and decrypt a message. Secret-key cryptography not only deals with encryption, but it also deals with authentication. d) What is Public Key Cryptography? Public Key Cryptography is a method for securely exchanging messages, based on assigning two complimentary keys (one public, one private) to the individuals involved in a transaction. Public Key Cryptography is based on the science of encryption, the mathematical scrambling and unscrambling of messages. e) What is authentication? Authentication is the process of verifying a claimed identity. This includes: Establishing that a given identity actually exists; Establishing that a person or organization is the true holder of that identity; Enabling identity holders to identify themselves for the purposes of carrying out a transaction via an electronic medium. f) What is encryption? Encryption is the process of using a mathematical formula and an encryption key to scramble information so that is unintelligible to unauthorized persons. Since electronic information is in the form of a series of ones and zeroes, an encryption process can transform a particular electronic message into another sequence of ones and zeros that is uniquely related to the original message. g) What is decryption? Decryption is the process of converting the scrambled information back to its original, plain text form using the same mathematical formula and a decryption key related to the encryption key so an authorized person can understand it. h) What is non-repudiation? Non-repudiation provides proof of the origin or delivery of data in order to protect the sender against a false denial by the recipient that the data has been received or to protect the recipient against false denial by the sender that the data has been sent. i) What is Private Key? "Private Key" means one of the key of a key pair used to create a Digital Signature. j) What is Smart Card? A plastic card like credit card with a built-in microprocessor and memory used for identification or financial transactions. When inserted into a reader, it transfers data to and from a central computer. It is more secure than a magnetic stripe card and can be programmed to self-destruct if the wrong password is entered too many times. k) What is an e-token? An e-token is a powerful and secure hardware device that enhances he security of data on public and private networks. The size of a normal house key, e-token can be used to generate and provide secure storage for passwords and Digital certificates, for secure authentication, digital signing and encryption. E-tokens are based on smart card technology but require no special readers.

l) What is key agreement protocol? A key agreement protocol, also called a key exchange protocol, is a series of steps used when two or more parties need

to agree upon a key to use for a secret-key crypto system. These protocols allow people to share keys freely and securely over any insecure medium, without the need for a previously established shared secret. m) What is a digital envelope? The digital envelope consists of a message encrypted using secret-key cryptography and an encrypted secret key. n) What is a hash algorithm? An algorithm that transforms a string of characters into a usually shorter value of a fixed length or a key that represents the original value. This is called the hash value. Hash functions are employed in symmetric and asymmetric encryption systems and are used to calculate a fingerprint/imprint of a message or document. When hashing a message, the message is converted into a short bit string - a hash value - and it impossible to re-establish the original message from the hash value. A hash value is unique in the sense that two messages cannot result in the same bit string, and any attempt to make changes to the message will negate the value and thus the signature. o) What is digital time stamping? A digital time-stamping service issues time-stamps, which associate a date and time with a digital document in a cryptographically strong way. The digital time-stamp can be used at a later date to prove that an electronic document existed at the time stated on its time-stamp. For example, a physicist who has a brilliant idea can write about it with a word processor and have the document time-stamped. The time-stamp and document together can later prove that the scientist deserves the Nobel Prize, even though an archrival may have been the first to publish. p) What are Public Key Cryptography Standards? Public Key Cryptography Standards are a set of standard protocols for the development of a public key infrastructure (PKI). These standards include RSA encryption, password-based encryption, extended certificate syntax, and cryptographic message syntax for the S/MIME secure e-mail standard. Developed in 1991 by RSA Laboratories with representatives from various computer vendors, PKCS is today widely deployed in public key cryptography systems. PKCS #1: RSA Cryptography Standard describes a method for encrypting data by using the RSA public key crypto system. Used in the construction of digital signatures and digital envelopes. PKCS #2: Has been incorporated into PKCS #1. PKCS #3: Diffie-Hellman Key Agreement Standard describes a method for implementing the Diffie-Hellman key agreement. PKCS#3 is used in protocols for establishing secure communications. PKCS #4: Has been incorporated into PKCS #1. PKCS #5: Password-based Cryptography Standard Password-based security standard. PKCS #6: Extended Certificate Syntax Standard describes a syntax for extended certificates, consisting of a certificate and a set of attributes, collectively signed by the issuer of the certificate. This extends the certification to allow for verification of other information concerning the entity. PKCS #7: Cryptographic Message Syntax Standard specifies a general format for cryptographic messages. PKCS #8: Private Key Information Syntax Standard describes syntax for private key information. Private Key information includes a private key for a public key algorithm and a set of attributes. The standard also describes syntax for encrypted private keys. PKCS #9: Selected Attribute Types defines selected attribute types for use in some of the PKCS standards. PKCS #10: Certification Request Syntax Standard specifies a standard syntax for certificate requests. PKCS #11: Cryptographic Token Interface Standard defines a technology-independent programming interface for cryptographic devices such as smart cards.

PKCS #12: Personal Information Exchange Syntax Standard specifies a portable format for storing or transporting a user's private keys, certificates, miscellaneous secrets etc. PKCS #13: Elliptic Curve Cryptography Standard under development. The standard will include many aspects of elliptic key cryptography, including parameter and key generation/validation, digital signatures, public key encryption, key agreement, and ASN.1 syntax. PKCS #14: Pseudorandom Number Generation Standard under development. The standard will address many aspects of pseudorandom number generation. PKCS #15: Cryptographic Token Information Format Standard for cryptographic tokens used for identification purposes. q) What is Cryptographic Service Provider? A Cryptographic service provider is responsible for creating keys, destroying them, and using them to perform a variety of cryptographic operations. Each cryptographic service provider provide a different implementation of the crypto API, some provide stronger cryptographic algorithms, while others contain hardware components, such as smart cards. r) What is a Distinguished Name (DNs)? A unique identifier of a person or thing having the structure required by the relevant certificate profile. A distinguished name is assigned to each key holder, organization or other entity. s) What is SSL (secure socket layer)? Secured Sockets Layer is a protocol that transmits your communications over the Internet in an encrypted form. It is designed by Netscape Communications to enable encrypted, authenticated communications across the Internet. SSL ensures that the information is sent, unchanged, only to the server you intended to send it to. Online shopping sites frequently use SSL technology to safeguard your credit card information. When SSL is employed to secure your transaction, the information contained in your transaction is secretly encoded as it is sent between your computer and the computer (web server) you have linked to. Note, for an SSL transaction to work, your browser must be SSL compatible, and the web server you have linked to must be able to perform the necessary "key exchange" with your SSL compatible browser. t) What is MIME? MIME (Multipurpose Internet Mail Extensions) is a set of specifications for the interchange of text in languages with different character sets. MIME is also used to attach multimedia and rich text elements to e-mail that may be transmitted among different computer systems using Internet mail standards. The specifications define Content-Types and other conventions for the formatting of e-mail messages. S/MIME is a later standard that adds security to e-mail communication by allowing signing and encryption of messages. u) What is S/MIME? A standard that extends the MIME (Multipurpose Internet Mail Extensions) specifications to support the signing and encryption of e-mail transmitted across the Internet.

v) What do X.509 and X.500 mean? X.509: - A widely used standard for defining Digital Certificates. X.509 is actually an ITU Recommendation, which means that it has not yet been officially defined or approved for standardized usage. As a result, companies have

implemented the standard in different ways. For example, both Netscape and Microsoft use X.509 certificates to implement SSL in their Web servers and browsers. But an X.509 Certificate generated by Netscape may not be readable by Microsoft products, and vice versa. X.500: - An ISO and ITU standard that define how global directories should be structured. X.500 directories are hierarchical with different levels for each category of information, such as country, state, and city. X.500 supports X.400 systems. w) What is Certificate Validation Mechanism? A certificate validation mechanism is a mechanism, which is used when a document or transaction is signed using a Digital Certificate, and which serves as a means of identifying the person who signed since a certificate vouches for the owner's identity or association with a particular organization. Hence a certificate validation mechanism is important to implement to ensure that it has not been revoked or has not expired. x) What is Certificate Validation? Validation refers to determining the status of a certificate - whether valid, expired or revoked. All Certificates have a fixed life (say one year), but there are various reasons for which a certificate may be invalidated before its due expiry. y) What is OCSP Validation? OCSP refers to certificate validation that occurs through the Online Certificate Status Protocol mechanism, this type of validation occurs only when the signer certificate is stamped with an AIA (Authority Information Access) extension. OCSP can be either a replacement or a supplement to checking the validity of a certificate against a Certificate Revocation List (CRL). Using OCSP, when a user attempts to access a server, OCSP sends a request for certificate status information. The server sends back a response of "current", "expired," or "unknown." z) What is CAM? The Certificate Arbitrator Module (CAM) was created to provide validation services across different vendors of the ACES program. It is an application level router that efficiently and consistently routes certificates from relying party programs to the issuing certificate authorities for validation. By interfacing directly with the CAM, a relying party application can interact seamlessly with multiple CAs.

You might also like