What Is a Digital Certificate? Definition and Examples
Digital certificates, also known as identity certificates or public key certificates, are a form of electronic password using the public key infrastructure (PKI) that allows individuals and organizations to exchange data over the internet in a secure manner.
A digital certificate uses cryptography and a public key to prove the authenticity of a server, device, or user, ensuring that only trusted devices can connect to an organization’s network. They can also be used to confirm the authenticity of a website to a web browser.
A website, organization, or individual can request a digital certificate that will then need to be validated by a publicly trusted certificate authority (CA).
Digital certificates can help to keep communications, data, and websites secure on the internet. There are some potential weaknesses for exploitation with digital certificates, but websites secured by these public key certificates are considered more secure than those that are not.
What is a digital certificate?
A digital certificate is a form of electronic credential that can prove the authenticity of a user, device, server, or website. It uses PKI to help exchange communications and data securely over the internet.
This form of authentication is a type of cryptography that requires the use of public and private keys to validate users.
Public key certificates are issued by trusted third parties, a CA, who signs the certificate, thus verifying the identity of the device or user that is requesting access. To ensure validity, the public key will be matched with a corresponding private key that only the recipient has knowledge of. Digital certificates have a specific key pair that they are associated with: one public and one private.
A digital certificate contains the following identifiable information:
- User’s name
- Company or department of user
- IP (internet protocol) address or serial number of device
- Copy of the public key from a certificate holder
- Duration of time the certificate is valid for
- Domain certificate is authorized to represent
Benefits of digital certification
Digital certification can offer a level of security that is increasingly important in this digital age. In fact, cybersecurity has been named one of the top priorities of the U.S. Government by the Department of Homeland Security (DHS). Cybercrime is a major threat to businesses and individuals.
Digital certificates can provide the following benefits:
- Security: Digital certificates can keep internal and external communications confidential and protect the integrity of the data. It can also provide access control, ensuring only the intended recipient receives and can access the data.
- Authentication: With a digital certificate, users can be sure that the entity or person they are communicating with is who they say they are and makes sure that communications reach only the intended recipient.
- Scalability: Digital certificates can be used across a variety of platforms for individuals and large and small businesses alike. They can be issued, renewed, and revoked in a matter of seconds. They can be used to secure a range of user devices and be managed through one centralized system.
- Reliability: A digital certificate can only be issued by a publicly trusted and rigorously vetted CA, meaning that they cannot be easily tricked or faked.
- Public trust: The use of a digital certificate proves authenticity of a website, documents, or emails. It can assure users and clients that the company or individual is genuine and respects privacy and values security.
Different types of digital certification
There are three main types of public key certificates: TLS/SSL (Transport Layer Security/Secure Sockets Layer) certificates, client certificates, and code signing certificates. There are also variations within each type of certificate.
- TLS/SSL certificates: The TLS/SSL certificate is used to secure communications between a computer and the server, and it is hosted by the server. When a client computer seeks to access the server, the server will present the digital certificate to prove that it is authentic and the desired destination.
The HTTPS (Hypertext Transfer Protocol Secure) designation at the beginning of a web address or URL (Uniform Resource Locator) indicates the presence of a digital certificate.
When a client computer is presented with the digital certificate from the server, it will then run a certification path validation to ensure that the subject of the certificate matches the host name. Within the subject field of the certificate, a primary host name, or Common Name, must be identified. There can be multiple host names in the case of Subject Alternative Name (SAN) certificates and Unified Communications Certificates (UCCs).
Public web servers, or internet-facing servers, are required to have a digital certificate signed by a trusted CA. The TLS/SSL certificates can be domain validated, which is used for websites, or organization validated, which is used for light business authentication.
The extended validation provides full business authentication. It can offer the highest amount of security, trust, and authentication.
- Client certificates: This is a form of a digital ID that can identify one machine to another — a specific user to another user. This can be used to allow a user to access a protected and secure database and also for email.
With email, often the S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol is used, which works for communications within an organization. Both parties will need to have copies of the digital certificate before communicating.
Email messages can be both encrypted and message integrity validated through use of a client certificate. Each user will need to send a digitally signed message and import the sender’s certificate ahead of time.
- Code signing certificates: This type of digital certificate involves software or files. The publisher or developer of software will sign it to validate its authenticity to users downloading it.
This can be highly beneficial when software is downloaded through a third-party, ensuring that it is what it should be and has not been tampered with by malicious actors. This can confirm that files or software downloaded from the internet are valid and authentic.
Where digital certificates are used
Public certificate authorities are required to adhere to a set of baseline requirements. Most web browsers are set up to trust a pre-selected list of CAs, which are set by the browser itself or the operating system of the device. The verification of a digital certificate often happens behind the scenes and quickly, without a user even being aware of the process.
Websites use digital certificates to create the HTTPS connection, authenticating their validity by being signed by a trusted CA. This can help a browser to know it is visiting the real website it is seeking and not a fake or fraudulent one.
Digital certificates are also used in e-commerce to protect sensitive, identification, and financial information. Online shopping, stock trading, banking, and gaming all use digital certificates. Digital certificates can be used for electronic credit card holders and merchants to protect the financial transaction.
Another common use for digital certificates is for email communication. Email can also frequently contain a digital signature, which sends encrypted messages using a hashing approach.
Criticisms of digital certificates
While digital certificates are designed to invoke public trust and prove security and validity, they are not infallible. Digital certificates do have potential weaknesses that bad actors have exploited.
Organizations can be breached, for example, and cybercriminals can steal certifications and private key information, allowing them to then distribute malware. An illegitimate certificate can configure an infected system to trust it, opening the door to attack.
The MITM (man-in-the-middle) attack has also been known to intercept SSL/TLS traffic to gain access to sensitive information by either creating a fake root CA certificate or installing a rogue certificate that can then bypass security protocols. Overall, however, the use of digital certificates to secure websites is considered to be more secure than not using them.
Key takeaways
Digital certificates work like passwords to protect data and communications, often between websites and browsers. They can serve to authenticate a website, telling the browser that it is safe to connect and distribute information.
Digital certification uses the PKI to move data between users, devices, and servers. A digital certificate uses a key pair, which includes both the public key and the private key to help encrypt and decrypt information as it is passed between a sender and recipient.
A digital certificate can be trusted since they can only be signed by a public certificate authority that must pass rigorous vetting. Most operating systems and browsers have built-in lists of trusted digital certificates, so the certification process is often seamless and quick.
Digital certificates are also highly scalable and a vital aspect of cybersecurity.
References
What Is Federated Identity? (2013). Federated Identity Primer.
Cybersecurity. (October 2021). Department of Homeland Security (DHS).
S/MIME for Message Signing and Encryption in Exchange Online. (December 2021). Microsoft.
Baseline Requirement Documents (SSL/TLS Server Certificates). CA/Browser Forum.
Certificates. CIO.gov.
On the Security of SSL/TLS-Enabled Applications. (January 2014). Applied Computing and Informatics.