Certificates provide the foundation of a public key infrastructure (PKI). These are electronic credentials, issued by a certification authority (CA), that are associated with a public and private key pair.
A certificate is a digitally signed collection of information roughly 2 to 4 KB in size. A certificate typically includes the following:
■ Information about the user, computer, or network device that holds the private key corresponding to the issued certificate. The user, computer, or network device is referred to as the subject of the certificate.
■ Information about the issuing CA.
■ The public key of the certificate's associated public and private key pair.
■ The names of the encryption and/or digital signing algorithms supported by the certificate.
■ A list of X.509 version 3 extensions included in the issued certificate.
■ Information for determining the revocation status and validity of the certificate.
The CA must verify the identity of the requestor before issuing a certificate. Depending on the policy, identity validation can be based on the user's existing security credentials or require an in-person interview. Once identity is confirmed, the CA issues the certificate and digitally signs it with its own private key, so that any later modification of the certificate's contents can be detected.
Note: It is nearly impossible for another user, computer, network device, or service to impersonate the subject of a certificate, because impersonation requires access to the certificate holder's private key. The certificate itself is public information; an attacker who obtains only the certificate cannot impersonate its subject.
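The points above, as an added example in Go using only the standard library (this code is not from the original text): a constructed self-signed CA issues a certificate carrying the subject, the issuer, the subject's public key, the algorithm names, version 3 extensions and a CRL distribution point; the CA's signature over it verifies, and flipping a single byte of the subject name makes verification fail. Names, URLs and serial numbers are invented test data.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Summary collects the certificate fields the text enumerates, plus whether the CA's signature verifies.
type Summary struct {
	Version, Extensions                int
	Subject, Issuer, PubKeyAlg, SigAlg string
	CRLs                               []string
	SignedByCA                         bool
}
// BuildChain mints a self-signed CA and one end-entity certificate it issues (constructed test data, not a real CA).
func BuildChain() (ca *x509.Certificate, leafDER []byte, err error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // the CA's key pair
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)   // the subject keeps its private key; only the public key is embedded
	now := time.Now()
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now, NotAfter: now.Add(24 * time.Hour)}
	caDER, err := x509.CreateCertificate(rand.Reader, root, root, caPub, caKey) // self-signed root
	if err != nil {
		return
	}
	ca, _ = x509.ParseCertificate(caDER) // cannot fail: the DER was just produced by CreateCertificate
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "host.example.test"},
		NotBefore: now, NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		CRLDistributionPoints: []string{"http://crl.example.test/root.crl"}} // where relying parties fetch revocation status
	leafDER, err = x509.CreateCertificate(rand.Reader, leaf, ca, leafPub, caKey) // the CA's private key signs the leaf
	return
}
// Inspect parses the leaf and verifies the CA's signature over it; any change to the signed content fails that check.
func Inspect(leafDER []byte, ca *x509.Certificate) (Summary, error) {
	c, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return Summary{}, err
	}
	return Summary{c.Version, len(c.Extensions), c.Subject.CommonName, c.Issuer.CommonName, c.PublicKeyAlgorithm.String(),
		c.SignatureAlgorithm.String(), c.CRLDistributionPoints, c.CheckSignatureFrom(ca) == nil}, nil
}
// Tamper flips one byte of the subject name in a copy; the DER stays well formed but no longer matches the signature.
func Tamper(der []byte) []byte {
	out := append([]byte(nil), der...)
	out[bytes.Index(out, []byte("host.example.test"))] = 'x' // the name is known to be present in the constructed leaf
	return out
}
```

Run `Inspect(leafDER, ca)` on the output of `BuildChain()` to see the fields and `SignedByCA: true`; the same call on `Tamper(leafDER)` still parses but reports `SignedByCA: false`.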
Three versions of digital certificates can be used in a PKI:
■ X.509 version 1 certificates
■ X.509 version 2 certificates
■ X.509 version 3 certificates