(plural digital certificates)
- (computing) a public key certificate
An encrypted and digitally signed attachment that authenticates a user on the Internet or an intranet.A digital certificate is issued by a certificate authority (CA), and attests to the legitimacy of an online transfer of information, funds, or other sensitive materials through the use of encryption. A digital certificate includes the sender's name, a serial number, expiration dates, a copy of the certificate holder's public key, and the digital signature of the issuing CA. A digital certificate holder has both a private key and a public key. The private key is held only by the user and is for signing outgoing messages and decrypting incoming messages. The public key is available to anyone for encrypting data to send to the holder of that public key, who then uses the private key to decrypt the message. Many digital certificates conform to the X.509 standard. See also authentication, CA, encryption, Internet, intranet, PKI, private key encryption, public key encryption, and X.509.
The digital equivalent of an ID card used in conjunction with a public key encryption system. Also called a "digital ID," "digital identity certificate," "identity certificate" and "public key certificate," digital certificates are issued by a trusted third party known as a "certification authority" (CA) such as VeriSign (www.verisign.com) and Thawte (www.thawte.com). The CA verifies that a public key belongs to a specific company or individual (the "subject"), and the validation process it goes through to determine if the subject is who it claims to be depends on the level of certification and the CA itself. Creating the Certificate After the validation process is completed, the CA creates an X.509 certificate that contains CA and subject information, including the subject's public key (details below). The CA signs the certificate by creating a digest (a hash) of all the fields in the certificate and encrypting the hash value with its private key. The encrypted digest is called a "digital signature," and when placed into the X.509 certificate, the certificate is said to be "signed." The CA keeps its private key very secure, because if ever discovered, false certificates could be created. See HSM. Verifying the Certificate The process of verifying the "signed certificate" is done by the recipient's software, which is typically the Web browser. The browser maintains an internal list of popular CAs and their public keys and uses the appropriate public key to decrypt the signature back into the digest. It then recomputes its own digest from the plain text in the certificate and compares the two. If both digests match, the integrity of the certificate is verified (it was not tampered with), and the public key in the certificate is assumed to be the valid public key of the subject. Then What... At this point, the subject's identity and the certificate's integrity (no tampering) have been verified. The certificate is typically combined with a signed message or signed executable file, and the public key is used to verify the signatures (see digital signature and code signing). The subject's public key may also be used to provide a secure key exchange in order to have an encrypted two-way communications session (see SSL). See PKI. Major Data Elements in an X.509 Certificate Version number of certificate format Serial number (unique number from CA) Certificate signature algorithm Issuer (name of CA) Valid-from/valid-to dates Subject (name of company or person certified) Subject's public key and algorithm Digital signature created with CA's private key