Digital certificates, also known as public key certificates or identity certificate.
When I explain what a digital certificate to someone without a strong IT background I like to compare it with a seal ring, like the ones used in medieval times of Western countries. These seal rings had two functions:
- Identify the holder. Because of its unique pattern of the of the seal ring and its socially-agreed pattern recognition, it could be use to authenticate the holder or the institution behind him/her. Usually they represented an institution (like a kingdom) or the person itself (the King or the Pope).
- Sign a document. The seal ring could be used to sign any document by melting hot wax on the paper and pressing the pattern on it, printing the relief design on the document.
Digital certificates would be a much more advanced, complete, complex, safer and modern version of these seal rings, but this paradigm can help us to get an idea of its purpose.
FAQ
What is a digital certificate?
To fully understand what a digital certificate is, you need to have a previous knowledge of public-key cryptography and PKI (public key infrastructures), otherwise it will be quite difficult to explain. Please have a look at the linked articles before continue reading, in case you are unfamiliar with these concepts.
A digital certificate is a container that holds the public key, and in some cases also the private key, of a subject plus other information related to it, like the issuer, owner or issuance and expiration date. All this data is digitally signed by an entity that is trusted by all parties, that is the certification authority (CA).
Digital certificates are stored as files, and are usually protected with a password that will be send by the issuer along with the file.
Digital certificates can installed from the files on repositories that can store multiple certificates. These repositories can be hardware-based or software based. Among the software-based, you can let the operating system or a framework (like the Java Certificate Store) to store it.
How is the content of a digital certificate standardized?
Digital certificates are defined through the International Telecommunications Union (ITU-T) standard X.509.
The standard has been adopted for the internet through RFC 3280, that was superseded by RFC 5280.
This standard governs the creation and endorsement of digital certificates for secure electronic communications.
What is the info contained in a digital certificate?
Certificates conforming to X.509 contains this data:
- Version of X.509.
- Serial number
- Signature algorithm identifier
- Issuer name
- Validity period
- Subject’s name
- Subject’s public key
What are the most popular digital certificates formats?
There are different standards for digital certificates formats.
The same digital certificate format can be available on different format files.
Popular digital certificate formats:
Standard | Format | File Extension(s) | |
---|---|---|---|
1 | Distinguised Encoding Rules (DER) | Binary | .der,.crt,.cer |
2 | Privacy Enhanced Mail (PEM) | Text | .pem, .crt |
3 | Personal Information Exchange (PFX) | Binary | .pfx, .p12 |
4 | P7B | Text | .p7b, .p7c |
What are the most popular digital certificates format files?
Within the same file firmat, there may be different encoding.
Popular digital certificate file formats:
- Public digital certificate (only public key)
- X.509 certificate (file extension .cer)
- DER encoded
- Base-64 encoded
- X.509 certificate (file extension .cer)
- Certificate bundles (include multiple public keys):
- PKCS #7 / CMS Certificates (file extension .p7b or .p7c)
- Microsoft Serialized Certificate Store (file extension .sst)
- PKCS #12 (include private keys)
- Personal Information Exchange-PKCS #12 (file extensions .p12 or .pfx)
Public digital certificates like X.509 defines the digital signature that is used by other technologies like PKCS #7 or Cryptographic Message Syntax (CMS).
CMS is a IETF standard defined by RFC 5652.
What is the validity of a digital certificate?
Certificates expire, as measure of security. It ensure that in case a certificate is compromised, it cannot be exploited forever.
Maximum validity time depends on the type of certificate. The sooner it expires, the less secure is the certificate.
What is the difference between qualified and non-qualified digital certificates?
According to European Union laws, there can be two types of digital certificates:
- Qualified
- Non-qualified
Qualified certificates are backed by a EU nation, and thus the issuer and RA need to be audited periodically. Maximum validity of qualified certificate is shorter than non-qualified.
In practice, qualified certificates offer more security than a non-qualified. They are also more expensive and require more maintenance.
Some acronyms as the Spanish DCCF (Dispositivo Cualificado de Creación de Firma) contain a reference to the qualified attribute of the certificate.
Which types of certificates are there?
Types of digital certificates:
- Device Certificate
- Company Seal Certificate
- Entity Representative Certificate
Device certificates, as the name implies, identifies a device. It is usually installed without a PIN. It lasts maximum 10 years.
Company Seal Certificates represents legal entities like companies.
Entity representative certificate identifies a person that is authorised to act as the representative on an entity towards any other institution. It is a qualified certificate. It is usually installed with a PIN, and an installation without a PIN is disregarded. It lasts maximum 4 years.
What is a self-certificate?
You can read more about self-certificates on this post.
How can I browse the content of a digital certificate?
You need to know the password of the digital certificate in order to browse it, otherwise it will not be possible to check it.
One way is to browse the content of a digital certificate is installing it and then checking its content in the certificate repository.
How to browse the content of a digital certificate without installing it?
If you want to browse the content of a digital certificate without installing it, you can use certutil command in Windows prompt.
certutil command example:
certutil -dump <certificate_filename>
Where should a digital certificate be stored?
Digital certificates can be stored in hardware of software.
Storing digital certificiate in software is considered an unsafe practice, as private key can be stolen by skilled hackers with access to the system.
Some hardware-based repositories are the following:
- Trusted Platform Module (TPM). You can find more info about it on this post.
- Hardware Security Module (HSM). You can find more info about it on this post.
Where are digital certificates stored in Windows 10?
Certificates in Windows 10 can be stored at user or machine level. The repositories are different for each type.
The commands to access the certificates in Windows 10 are the following:
- Local Machine Certificate MSC: certlm.msc
- Local User Certificate MSC: certmgr.msc
How are Digital Certificates revoked?
In case a digital certificate is compromised, it must be revoked.
A method is Certificate Revocation Lists (CRLs)
An alternative is Online Certificate Status Protocol (OCSP), that removes the latency inhererent in the use of certificate revocation lists by providing a means for real-time certificate verification.
OCSP is described in RFC 6960 and is on the Internet standards track.
You might be also interested in…
- Encryption Concepts for IT
- Public key infrastructure
- Trusted Platform Module (TPM)
- Hardware Security Module (HSM)
- eIDAS
External references
- “What is the difference between non-qualified and qualified trust service providers“; Dorin FRASINEANU; 2020-08-04.
- “CISSP Official Study Guide: Ninth Edition”; Mike Chapple, Jame Michael Steward, Darril Gibson; Sybex; 2021; Chapter 7 “PKI and Cryptographic Applications”, page 278.