Digital Certificates

Digital certificates, also known as public key certificates or identity certificate.

When I explain what a digital certificate to someone without a strong IT background I like to compare it with a seal ring, like the ones used in medieval times of Western countries. These seal rings had two functions:

  1. Identify the holder. Because of its unique pattern of the of the seal ring and its socially-agreed pattern recognition, it could be use to authenticate the holder or the institution behind him/her. Usually they represented an institution (like a kingdom) or the person itself (the King or the Pope).
  2. Sign a document. The seal ring could be used to sign any document by melting hot wax on the paper and pressing the pattern on it, printing the relief design on the document.
Seal ring

Digital certificates would be a much more advanced, complete, complex, safer and modern version of these seal rings, but this paradigm can help us to get an idea of its purpose.

FAQ

What is a digital certificate?

To fully understand what a digital certificate is, you need to have a previous knowledge of public-key cryptography and PKI (public key infrastructures), otherwise it will be quite difficult to explain. Please have a look at the linked articles before continue reading, in case you are unfamiliar with these concepts.

A digital certificate is a container that holds the public key, and in some cases also the private key, of a subject plus other information related to it, like the issuer, owner or issuance and expiration date. All this data is digitally signed by an entity that is trusted by all parties, that is the certification authority (CA).

Digital certificates are stored as files, and are usually protected with a password that will be send by the issuer along with the file.

Digital certificates can installed from the files on repositories that can store multiple certificates. These repositories can be hardware-based or software based. Among the software-based, you can let the operating system or a framework (like the Java Certificate Store) to store it.

How is the content of a digital certificate standardized?

Digital certificates are defined through the International Telecommunications Union (ITU-T) standard X.509.

The standard has been adopted for the internet through RFC 3280, that was superseded by RFC 5280.

This standard governs the creation and endorsement of digital certificates for secure electronic communications.

What is the info contained in a digital certificate?

Certificates conforming to X.509 contains this data:

  1. Version of X.509.
  2. Serial number
  3. Signature algorithm identifier
  4. Issuer name
  5. Validity period
  6. Subject’s name
  7. Subject’s public key

What are the most popular digital certificates formats?

There are different standards for digital certificates formats.

The same digital certificate format can be available on different format files.

Popular digital certificate formats:

StandardFormatFile Extension(s)
1Distinguised Encoding Rules (DER)Binary.der,.crt,.cer
2Privacy Enhanced Mail (PEM)Text.pem, .crt
3Personal Information Exchange (PFX)Binary.pfx, .p12
4PCKS#7 / CMSText.p7b, .p7c

PEM inspired PCKS#7, that inspired CMS.

What are the most popular digital certificates format files?

Within the same file firmat, there may be different encoding.

Popular digital certificate file formats:

  • Public digital certificate (only public key)
    • X.509 certificate (file extension .cer)
      • DER encoded
      • Base-64 encoded
  • Certificate bundles (include multiple public keys):
    • PKCS #7 / CMS Certificates (file extension .p7b or .p7c)
    • Microsoft Serialized Certificate Store (file extension .sst)
  • PKCS #12 (include private keys)
    • Personal Information Exchange-PKCS #12 (file extensions .p12 or .pfx)

Public digital certificates like X.509 defines the digital signature that is used by other technologies like PKCS #7 or Cryptographic Message Syntax (CMS).

CMS is a IETF standard defined by RFC 5652.

What is the validity of a digital certificate?

Certificates expire, as measure of security. It ensure that in case a certificate is compromised, it cannot be exploited forever.

Maximum validity time depends on the type of certificate. The sooner it expires, the less secure is the certificate.

What is the difference between qualified and non-qualified digital certificates?

According to European Union laws, there can be two types of digital certificates:

  • Qualified
  • Non-qualified

Qualified certificates are backed by a EU nation, and thus the issuer and RA need to be audited periodically. Maximum validity of qualified certificate is shorter than non-qualified.

In practice, qualified certificates offer more security than a non-qualified. They are also more expensive and require more maintenance.

Some acronyms as the Spanish DCCF (Dispositivo Cualificado de Creación de Firma) contain a reference to the qualified attribute of the certificate.

Which types of certificates are there?

Types of digital certificates:

  • Device Certificate
  • Company Seal Certificate
  • Entity Representative Certificate

Device certificates, as the name implies, identifies a device. It is usually installed without a PIN. It lasts maximum 10 years.

Company Seal Certificates represents legal entities like companies.

Entity representative certificate identifies a person that is authorised to act as the representative on an entity towards any other institution. It is a qualified certificate. It is usually installed with a PIN, and an installation without a PIN is disregarded. It lasts maximum 4 years.

What is a self-certificate?

You can read more about self-certificates on this post.

How can I browse the content of a digital certificate?

You need to know the password of the digital certificate in order to browse it, otherwise it will not be possible to check it.

One way is to browse the content of a digital certificate is installing it and then checking its content in the certificate repository.

How to browse the content of a digital certificate without installing it?

If you want to browse the content of a digital certificate without installing it, you can use certutil command in Windows prompt.

certutil command example:

certutil -dump <certificate_filename>

Where should a digital certificate be stored?

Digital certificates can be stored in hardware of software.

Storing digital certificiate in software is considered an unsafe practice, as private key can be stolen by skilled hackers with access to the system.

Some hardware-based repositories are the following:

  • Trusted Platform Module (TPM). You can find more info about it on this post.
  • Hardware Security Module (HSM). You can find more info about it on this post.

Where are digital certificates stored in Windows 10?

Certificates in Windows 10 can be stored at user or machine level. The repositories are different for each type.

The commands to access the certificates in Windows 10 are the following:

  • Local Machine Certificate MSC: certlm.msc
  • Local User Certificate MSC: certmgr.msc

How are Digital Certificates revoked?

In case a digital certificate is compromised, it must be revoked.

A method is Certificate Revocation Lists (CRLs).

An alternative is Online Certificate Status Protocol (OCSP), that removes the latency inhererent in the use of certificate revocation lists by providing a means for real-time certificate verification.

OCSP is described in RFC 6960 and is on the Internet standards track.

Certificates for Web Authentication

Certificates are used for web authentication as a control to mitigate the risk of MitM attacks to the website users. It leverages SSL/TLS controls.

A website authenticates the user by asking them a username and password, by default. This method, however, it is not practical for the websites to authenticate to the users. Certificates and SSL/TLS technologies are used instead.

When a user visits a website using the HTTPS protocol, it requests the user a digital certificate that contains the private key. However, there could be a MitM where the certificate given to the user is not the valid one.

To avoid this, a third party in which both user and website trust is used within the process. This third-party is a certification authority (CA).

When a user access a SSL/TLS website, it works like this:

  1. User accesses the website through a browser using the HTTPS protocol.
  2. The client browser receives the information about who is the CA.
  3. The client browser contacts the CA to request the website’s public key.
  4. The client browser uses the website’s public key to negotiate and exchange the symmetric key that will be used during the communication.
  5. Both client and server communicates to each other using the symmetric key.

Steps to set up the website using a certificate:

  1. Server generates both the public and the private key.
  2. Server generates a Certificate Signing Request (CSR) linked to a specific domain using the standard PCKS #10. This CSR contains its public key, and can be converted to text.
  3. CSR is sent to the CA.
  4. CA needs to verify that the referred domain owner was actually behind the request and sets a challenge. This is known as the domain control validation (DCV), and there are different, like adding a given record (e.g., CNAME) to the server’s DNS, uploading a given file to a specific path the server or sending an email to the email address that is linked to the domain.
  5. Once the challenge is passed, the CA generates a certificate file containing the public key, as a .crt or .p7b file.
  6. This file is installed as a certificate in the server, so it can shared its own public key signed by the CA.

Certificate Revocation

A certificate revocation list (CRL) includes all certificates that has been revoked before its expiration because their security has been compromised.

CRL are public and stored in the CA. Because of the high volume of CRLs, alternatives validation protocols are used instead.

Online Certificate Status Protocol (OCSP) are codified using the ASN.1 syntax and transmitted using HTTP. It is standirese.RFC 6960.

Server-based Certificate Validation Protocol (SCVP) adds validation to the certificate chain, and it is more complex to use.

Certificate Transparency (CT) is a project that aims to make an inventory of all certificates issued by the CAs . It is supported by some GAFA companies.

Certificate Transparency (CT) official website

You might be also interested in…

External references

Leave a Reply

Your email address will not be published. Required fields are marked *