Digital certificates, also known as public key certificates or identity certificate, .
When I explain what a digital certificate to someone without a strong IT background I like to compare it with a seal ring, like the ones used in medieval times of Western countries. These seal rings had two functions:
- Identify the holder. Because of its unique pattern of the of the seal ring and its socially-agreed pattern recognition, it could be use to authenticate the holder or the institution behind him/her. Usually they represented an institution (like a kingdom) or the person itself (the King or the Pope).
- Sign a document. The seal ring could be used to sign any document by melting hot wax on the paper and pressing the pattern on it, printing the relief design on the document.
Digital certificates would be a much more advanced, complete, complex, safer and modern version of these seal rings, but this paradigm can help us to get an idea of its purpose.
What is a digital certificate?
To fully understand what a digital certificate is, you need to have a previous knowledge of public-key cryptography and PKI (public key infrastructures), otherwise it will be quite difficult to explain. Please have a look at the linked articles before continue reading, in case you are unfamiliar with these concepts.
Digital certificates are containers of a private key and other information related to it, like the issuer, owner or issuance and expiration date.
Digital certificates are stored as files, and are usually protected with a password that will be send by the issuer along with the file.
Digital certificates can installed from the files on repositories that can store multiple certificates. These repositories can be hardware-based or software based. Among the software-based, you can let the operating system or a framework (like Java Certificate Store) to store it.
How is the content of a digital certificate agreed?
Digital certificates are defined through the International Telecommunications Union (ITU) standard X.509.
This standard governs the creation and endorsement of digital certificates for secure electronic communications.
What is the info contained in a digital certificate?
Certificates conforming to X.509 contains this data:
- Version of X.509.
- Serial number
- Signature algorith identifier
- Issuer name
- Validity period
- Subject’s name
- Subject’s public key
What are the most popular digital certificates format?
There are different standards for digital certificates formats.
The same digital certificate format can be available on different format files.
Popular digital certificate formats:
|1||Distinguised Encoding Rules (DER)||Binary||.der,.crt,.cer|
|2||Privacy Enhanced Mail (PEM)||Text||.pem, .crt|
|3||Personal Information Exchange (PFX)||Binary||.pfx, .p12|
What are the most popular digital certificates format files?
Within the same file firmat, there may be different encoding.
Popular digital certificate file formats:
- Personal Information Exchange-PKCS #12 (file extensions .p12 or .pfx)
- X.509 certificate (file extension .cer)
- DER encoded
- Base-64 encoded
- Cryptographic Message Syntax Standard- PKCS #7 Certificates (file extension .p7b)
- Microsoft Serialized Certificate Store (file extension .sst)
What is the validity of a digital certificate?
Certificates expire, as measure of security. It ensure that in case a certificate is compromised, it cannot be exploited forever.
Maximum validity time depends on the type of certificate. The sooner it expires, the less secure is the certificate.
What is the difference between qualified and non-qualified digital certificates?
According to European Union laws, there can be two types of digital certificates:
Qualified certificates are backed by a EU nation, and thus the issuer and RA need to be audited periodically. Maximum validity of qualified certificate is shorter than non-qualified.
In practice, qualified certificates offer more security than a non-qualified. They are also more expensive and require more maintenance.
Some acronyms as the Spanish DCCF (Dispositivo Cualificado de Creación de Firma) contain a reference to the qualified attribute of the certificate.
Which types of certificates are there?
Types of digital certificates:
- Device Certificate
- Company Seal Certificate
- Entity Representative Certificate
Device certificates, as the name implies, identifies a device. It is usually installed without a PIN. It lasts maximum 10 years.
Company Seal Certificates represents legal entities like companies.
Entity representative certificate identifies a person that is authorised to act as the representative on an entity towards any other institution. It is a qualified certificate. It is usually installed with a PIN, and an installation without a PIN is disregarded. It lasts maximum 4 years.
How can I browse the content of a digital certificate?
You need to know the password of the digital certificate in order to browse it, otherwise it will not be possible to check it.
One way is to browse the content of a digital certificate is installing it and then checking its content in the certificate repository.
How to browse the content of a digital certificate without installing it?
If you want to browse the content of a digital certificate without installing it, you can use certutil command in Windows prompt.
certutil command example:
certutil -dump <certificate_filename>
Where should a digital certificate be stored?
Digital certificates can be stored in hardware of software.
Storing digital certificiate in software is considered an unsafe practice, as private key can be stolen by skilled hackers with access to the system.
Some hardware-based repositories are the following:
- Trusted Platform Module (TPM). You can find more info about it on this post.
- Hardware Security Module (HSM). You can find more info about it on this post.
Where are digital certificates stored in Windows 10?
Certificates in Windows 10 can be stored at user or machine level. The repositories are different for each type.
The commands to access the certificates in Windows 10 are the following:
- Local Machine Certificate MSC: certlm.msc
- Local User Certificate MSC: certmgr.msc
You might be also interested in…
- Encryption Concepts for IT
- Public key infrastructure
- Trusted Platform Module (TPM)
- Hardware Security Module (HSM)
- “What is the difference between non-qualified and qualified trust service providers“; Dorin FRASINEANU; 2020-08-04.
- “CISSP Official Study Guide: Ninth Edition”; Mike Chapple, Jame Michael Steward, Darril Gibson; Sybex; 2021; Chapter 7 “PKI and Cryptographic Applications”, page 278.