What are digital certificates and where do we use them?
Today we will try to explain what digital certificates are, where, and how we can use them.
The digital certificate represents a digital document that contains the following information:
- Serial number
- Subject (common name, organization, organizational unit, locality, state, country)
- Period of validity
- Date of issue
- Public key
- Digital signature
- Signature algorithm
This list is incomplete and some versions of digital certificates may contain some additional information. The current standard for digital certificates is X.509.
There are three different types of digital certificates.
The first type of digital certificate is SSL certificate. Once an SSL certificate is installed on the server, we are able to configure HTTPS for our website. In this case, subject name is domain name. The certificate can be expanded with some information about associated subdomains. You can find more about HTTPS in some of our previous blogs.
The second type is the client certificate. For example, digital certificates can be issued to an employee of a company to verify the identity of a particular user. In this case, the subject name might be the employee’s email address.
A code signing certificate is the third type of digital certificate. They can be used to digitally sign software.
Who is the issuer?
Anyone can issue a self-signed certificate. The problem with self-signed certificates is that they are not reliable and as such cannot find global use. With that in mind, certificate authorities appear.
A digital certificate is issued by a certificate authority (CA). CA is a trusted third party that has built a reputation over the years (e.g., Symantec, Comodo, GoDaddy). They also offer the purchase of certificates through which we can sign other certificates and as such we could act as root or intermediate CA.
A couple of companies offer free SSL certificates, signed by trusted CA (e.g., LetsEncrypt).
Advantages of purchased over free certificates:
- A longer period of validity
- Customer support
Where to store digital certificates?
Certificates should never be kept as plain text. For example, we can store them in JKS (Java key store) and gain access by providing JKS password.
Man in the middle attack?
As we said before, each certificate has a unique serial number, so if someone tries to pass their certificate, the serial number we requested will be different from the provided one and that would trigger an alarm.
Each certificate change also affects the unique hash of the certificate. If someone tries to change certificates’ public key it will also change the unique hash of the certificate.
The certificate is not valid anymore?
Each certificate has an expiration date. Besides that, the certificate may be revoked if the owner of the certificate behaves inappropriately. There are 2 mechanisms for checking if the certificate is revoked:
- CRL (Certificate revocation list)
- OCSP (Online Certificate Status Protocol).
Digital certificates must always be stored in a secure manner. Once the certificate expires, it should be removed, not only logically but also physically.