public key certificate

What is a public key certificate?

A public key certificate is a digitally signed document that serves to validate the sender's authorization and name. It uses a cryptographic structure that binds a public key to an entity, such as a user or organization. The digital document is generated and issued by a trusted third party called a certification authority.

Public key certificates, which are also known as digital certificates, include the public key, identity information about the owner and the name of the issuing certificate authority (CA). The CA, a trusted third party, issues digital certificates that verify the identity of parties in an exchange of information over the internet. A digital certificate provides assurance of a person's identity, and the CA establishes that assurance by validating the identity of the person who requests the certificate.

How does a public key certificate work?

Public key certificates form a part of a public key infrastructure (PKI) system that uses encryption technology to secure messages and data. A public key certificate uses a pair of encryption keys, one public and one private. The public key is made available to anyone who wants to verify the identity of the certificate holder, while the private key is a unique key that is kept secret. This enables the certificate holder to digitally sign documents, emails and other information without a third party being able to impersonate them. The four main components of PKI are public key encryption, trusted third parties such as the CA, the registration authority and the certificate database or store.

four components of a public key infrastructure
The fundamental elements of a public key infrastructure.

There are different types of public key certificates for different functions, such as authorization for a specific type of action. The following are common fields found in digital certificates:

  • Serial number. This number distinguishes the certificate from other certificates.
  • Algorithm information. The issuer uses this algorithm to sign the certificate.
  • Issuer. This is the name of the CA that issued the certificate.
  • Validity period of the certificate. These are the start and end dates that define when the certificate is valid.
  • Subject distinguished name. This is the name of the identity to which the certificate is issued.
  • Subject public key information. This is the public key that is associated with the identity.

What are the different types of certificates?

Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates. These certificates are the core of transport layer security (TLS) protocol, which is an updated version of SSL. These digital files contain a public encryption key that is used to validate server identity and a digital signature to ensure the integrity and the source of data and other information transmitted online. These certificates facilitate the exchange of encryption keys between web servers and browsers, which enable a secured connection.

The chain of trust, trust path or trust chain is a sequence of certificates that a web browser must traverse to verify that a particular website is authentic and, therefore, secure. A chain of trust typically includes a root certificate, an intermediate certificate and a leaf certificate.

There are multiple types of TLS/SSL certificates:

  • Domain validation (DV) certificates. These certificates are typically the most basic and most affordable type of certificate web browsers trust. DV certificates require that the domain name of an organization is verified by the issuing CA before they are issued. These certificates can be issued within minutes and do not require the website owner to prove their identity. When a browser sees a DV certificate, it trusts that the owner of the domain is indeed the owner of the certificate and that the certificate is only meant for that specific domain.
  • Organization validation (OV) certificates. An OV certificate is one of the ways that organizations can be validated for quality assurance through a formal and accredited process. Organization validation is a process of validating the identity of the root certificate authority, followed by a validation of the business or organization requesting the certificate.
  • Individual validation (IV) certificates. These are certificates that are issued to individuals -- not organizations -- making them popular choices among consumers, particularly for securing email.
  • Extended validation (EV) certificates. These certificates are issued after an extensive vetting process by both a CA and the CA's reputation partners. Under the EV guidelines established by the CA/Browser Forum, in addition to meeting the validity requirements, the applicant must submit proof of their identity, and the organization must pass an independent audit. The combination of these factors helps to provide an extra layer of trust in the identity of the site owner. Companies issuing EV certificates are also required to pass an independent audit.

While less common than server certificates, client certificates authenticate the identity of the user who wants to connect to a TLS service, rather than a device seeking a connection.

Email certificate. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for sending encrypted email. RSA security created it to resolve the problem of sending encrypted email without the need to exchange a public key. It is commonly used within an organization that has its own CA.

EMV certificate. EMV payment cards have an embedded microchip containing a card issuer certificate. The embedded microchip enables the EMV payment card to generate a unique code for each transaction. EMV stands for Europay, MasterCard and Visa, the organizations that constitute the certificate authority.

Code-signing certificate. Code-signing certificates are used in software development and IT operations to digitally sign the software or firmware of an application or device. This provides recipients with assurance about who created the code and the integrity of the code.

Root certificate. A root certificate is a digital certificate that is used to sign other digital certificates. It is sometimes referred to as a trust anchor because it is at the top of a hierarchy of digital certificates that are used to verify other digital certificates. The hierarchy starts with a root certificate, which is the highest level of certificate. The root certificate is verified by a second-level certificate, which is verified by a third-level certificate, and so on.

Intermediate certificate. The intermediate certificate is used to sign other certificates and is best used as a bridge between a root CA and a subordinate CA. An intermediate certificate is used to sign end-user certificates that a website or a local server uses. The root certificates verify the identity of the intermediate certificate, which in turn verifies the end-user certificates.

Leaf certificate. A leaf certificate, or an end entity, is the endpoint for the signing and encrypting of data and cannot be used to sign other certificates. These include TLS/SSL, email and code-signing certificates.

Self-signed certificate. A self-signed certificate is a certificate that is signed by the same entity to whom it is assigned. Most certificates can be self-signed and are verified by their own public key. They are not signed by a CA, which means they might be perceived as less trustworthy.

Advantages and disadvantages of public key certificates

The main advantage of using public key certificates is that they enable secure authentication. The integrity of the public key certificate is guaranteed by the CA. Further, this type of certificate prevents man-in-the-middle attacks, which occur when a malicious third party intercepts the communication between two entities and relays the message between them. Lastly, public key certificates are supported by many enterprise networks and applications, and the process is transparent and efficient.

The biggest disadvantage of public key certificates is a lack of control over the encryption key. This means that if the certificate is compromised, it cannot be revoked. Someone could hack into the server to steal the certificate and use the public key in the certificate to decrypt any information that was encrypted with the public key. A fraudulent root certificate can be installed, and a browser does not provide warning when a web certificate is changed.

Before buying a digital certificate, review this buyer's handbook to learn how they work, which features are a must and how to evaluate the available options.

This was last updated in June 2021

Continue Reading About public key certificate

Dig Deeper on Identity and access management

Enterprise Desktop
Cloud Computing