A certificate, or a digital certificate, is a tamperproof set of data that can be used to verify a person's identity, a web site's identity, or any other entityís identity. Certificates are based on public key cryptography as they also provide of method of transporting public keys. A digital certificate is a document with a specific format (currently the X.509v3 structure, an Internet standard). The information contained in the certificate allows the recipient to validate the certificate and therefore the identity of the owner of the certificate. The information contained in a certificate is: the subject's name and identifying information, the subjects public key, the issuer's name (a CA), the issuerís digital signature, expiration date, and a unique serial number. The issuer of a digital certificate is called a CA, or Certification Authority. The most important parts of the certificate are the digital signature of the CA and the CA's name because these are used to verify the authenticity of the individual and the authenticity of the certificate.
Please read about CA's now as CA's are integral to understanding certificates and the certificate authentication process.
Verifying certificates is the process which an entityís identity is validated. When you read about SSL you understand how certificates get sent and why certificates must be validated. However, the validation process is a way to be sure that the person presenting you with the certificate is actually that person. For now, just assume you sent your certificate to someone else and they need to verify your identity.
As I said before a certificate will holds some information about the CA such as the CA name and a digital signature. These are the two fields that will be used to authenticate the certificate. The CA name on the certificate will have to be a trusted CA and the digital signature must be valid. The first step is finding out if the CA is a trusted CA. The CA name is taken from the certificate and compared to a list of trusted CAís. This list of trusted CAís is a list that the individual trying to validate you trusts. If the CA name is found to be a trusted CA, half of the authentication process is complete. If the CA is not a trusted CA then the person authenticating you will have to try to find a trusted CA. The trusted CA is found by looking at the CA's certificate and seeing if this certificate was issued by a trusted CA. This step only takes place if the CA that issued your certificate is part of a CA hierarchy as described in the CA section. The person will continue trying to get the next level CA's certificate until he finds a CA that he trusts, finishing that half of the authentication process, or he finds the end of the chain without a finding a trusted CA. If no trusted CA is found you will not be authenticated and the process ends here. A message will then be sent back to you saying that your identity could not be validated.
The next step in the process is to validate the digital signature on your certificate. The digital signature is a probabilistically unique, shortened version of the certificate itself. The digital signature has nothing to do with digital signatures created with public key cryptography, but rather a hash function. A hash function is a one way function that takes a message and reduces it to a unique string. To validate the digital signature person authenticating the certificate will take the message of the certificate and then uses the same hash algorithm. If the two hashes match then the digital signature is valid and the certificate is authenticated. If the two hashes do not match then the certificate has been changed since it was issued and the certificate cannot be authenticated. To prove that the certificate has not changed or been tampered with the digital signature on certificate will match the one created when the certificate is being authenticated.
The final steps to validating the certificate are looking at the expiration date and seeing that the certificate is valid. The final step is to request some information from the CA which would make sure that the CA has not revoked the certificate. These last two step are optional and may not always be used in the validation process.
Once a certificate is authenticated the identity of the owner of the certificate has been authenticated.
To go back to main page click here or to proceed to the page describing SSL, click here
Send your comments and sugestions to