A digital certificate, also referred to as a public key certificate or identity certificate, is an electronic document that uses a digital signature to bind together a public key with an identity. Identity information includes the name of a person, computer, or organization. The certificate is the best way to provide non-repudiation and can be used to verify that a public key belongs to an individual.
A public key infrastructure (PKI) is a hierarchy of computers that issue and manage certificates. A Certificate Authority (CA) is the entity that issues certificates. The following process is used to request, issue, and manage certificates:
- To request a certificate, a client must first generate a public and private key pair. The key pair is generated by an application called a Cryptographic Service Provider (CSP). The CSP uses a specific algorithm for generating the key pair.
- The client requests a certificate from a CA by sending identifying information along with a copy of the public key. The certificate request is digitally signed using the private key.
- The CA uses information in the certificate request to approve or deny the certificate. How the certificate is approved is dictated by the approval policy on the CA.
  - A manual policy requires an administrator to manually approve or deny all incoming requests.
  - An automatic policy allows the CA to review the information within the request to determine whether it is valid, and to approve or deny the request automatically based on that information.
- If the certificate request is approved, the certificate is issued to the client. Issuance policies on the CA identify the certificates that the CA is allowed to issue. For example, issuance policies can restrict a CA to:
  - Only be able to issue certain types of certificates.
  - Only be able to issue certificates for a particular use.
  - Only issue certificates that are valid for a specific amount of time.
- Certificates are issued with a validity period. As the expiration date approaches, certificates can be renewed by submitting a renewal request. Instead of requesting a new certificate, clients should renew existing certificates.
- If a certificate becomes compromised, such as the private key being lost or stolen, it can be revoked. This can be accomplished by going to the CA and revoking the certificate. Before accepting a certificate, a client validates that the certificate has not been revoked. Two methods exist for checking for revoked certificates:
  - The Certificate Revocation List (CRL) is a list of certificates revoked by the CA. Clients download the entire CRL and check the CRL for a certificate.
  - With the Online Certificate Status Protocol (OCSP), clients can submit a verification request for a specific certificate to a special server called an online responder. The online responder maintains a list of revoked certificates, and responds to certificate status requests on a certificate-by-certificate basis.
Certificates are used for proof of identity and for secure communications. The following process is an example of using SSL and certificates to secure Web transactions:
- A client with a Web browser accesses a Web server that is using HTTPS (SSL).
- The server sends the client a copy of the SSL certificate that it obtained from a CA.
- The client verifies information in the SSL certificate to decide if it trusts the certificate. The client checks:
  - Does the subject name in the certificate match the URL that was typed in the Web browser?
  - Has the certificate expired?
  - Does the client trust the issuing CA? Every browser has a Trusted Root CA list that identifies trusted CAs on the Internet. The browser compares the signature of the issuing CA on the certificate to the list of trusted root CAs. If the issuing CA is not in the list, the browser will not trust the certificate.
- If the certificate passes all three checks, the client trusts the issuing CA and trusts any certificates that the CA issues; therefore the client trusts the Web server.
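The request, issuance, revocation and client checks described above can be traced end to end in a small model. This is an added example, not code from the original page: it uses toy textbook RSA built from small Mersenne primes (illustration only, not secure), an exact-match name check, and constructed names such as `Demo Root CA` and `www.example.test`.

```python
import hashlib, json
from datetime import datetime, timezone

E = 65537  # public exponent shared by every toy key below

def keygen(p, q):
    """Toy textbook RSA (no padding, tiny primes): illustration only."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus, private exponent)

def digest(fields, n):
    data = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(fields, n, d):
    return pow(digest(fields, n), d, n)

def verify(fields, sig, n):
    return pow(sig, E, n) == digest(fields, n)

def issue(csr, csr_sig, ca_name, ca_n, ca_d, serial, not_after):
    # CA side: the request must verify under the public key it carries,
    # which proves the requester holds the matching private key.
    if not verify(csr, csr_sig, csr["pubkey"]):
        raise ValueError("CSR signature invalid")
    tbs = dict(csr, issuer=ca_name, serial=serial, not_after=not_after)
    return {"tbs": tbs, "sig": sign(tbs, ca_n, ca_d)}

def client_trusts(cert, host, now, trusted_roots, crl):
    tbs = cert["tbs"]
    if tbs["subject"] != host:                          # check 1: name
        return "name mismatch"
    if now > datetime.fromisoformat(tbs["not_after"]):  # check 2: expiry
        return "expired"
    ca_n = trusted_roots.get(tbs["issuer"])             # check 3: trusted CA
    if ca_n is None or not verify(tbs, cert["sig"], ca_n):
        return "untrusted issuer"
    if tbs["serial"] in crl:                            # revocation (CRL lookup)
        return "revoked"
    return "trusted"

# Constructed sample data: Mersenne primes as key material, made-up names.
CA_N, CA_D = keygen(2**61 - 1, 2**89 - 1)
SRV_N, SRV_D = keygen(2**107 - 1, 2**127 - 1)
CSR = {"subject": "www.example.test", "pubkey": SRV_N}
CERT = issue(CSR, sign(CSR, SRV_N, SRV_D), "Demo Root CA", CA_N, CA_D,
             1001, "2030-01-01T00:00:00+00:00")
ROOTS = {"Demo Root CA": CA_N}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
```

Changing any signed field after issuance, such as the subject, makes the CA signature fail to verify, which is what binds the public key to the identity.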
The following table reviews terms you should be familiar with.
|Term|Definition|
|---|---|
|Certificate Authority (CA)|The Certificate Authority (CA) is an entity trusted to issue, store, and revoke digital certificates.|
|Certificate Practice Statement (CPS)|The Certificate Practice Statement (CPS) is a declaration of the security that the organization is implementing for all certificates issued by the CA holding the CPS. This statement tells potential partners or others relying on the security of the PKI system how well the security of the PKI system is being managed.|
|Cryptographic Service Provider (CSP)|A Cryptographic Service Provider (CSP) resides on the client and generates the key pair.|
|Online Certificate Status Protocol (OCSP)|The Online Certificate Status Protocol (OCSP) is a protocol used for checking the status of an individual digital certificate to verify if it is good or has been revoked.|
|Certificate Revocation List (CRL)|The Certificate Revocation List (CRL) resides at the CA and consists of a list of certificates that have been previously revoked. This list can be accessed by the client to verify the validity of a digital certificate.|
|Registration Authority (RA)|A Registration Authority (RA) can be used in large, enterprise environments to offload client enrollment request processing by handling verification of clients prior to certificates being issued. The RA:|
|X.509|X.509 is the official standard that identifies the format for public key certificates and certification path validation.|
|Enrollment agent|An enrollment agent is a user who is authorized to request certificates for other users. Enrollment agents are typically authorized to request certificates that are used on smart cards. These agents can request the certificate and create the smart card that the authorized user can then use.|