File: Lectures_SSD2_Yermakova / Lectures_SSD2 Yermakova.doc (added 25.02.2016)

Digital Certificates and Certificate Authorities

Just as a driver's license or a passport is used to identify a person, a digital certificate is used to identify an individual, a server, a company, or some other entity. A digital certificate is an electronic identity document whose purpose is to help prevent impersonation. To extend this analogy, just as you would go to a government agency to obtain a passport, you would go to a certificate authority (CA) to obtain a digital certificate. A CA is a trusted third-party organization or company that validates identities and issues certificates. The certificates are used to associate public keys with entities (e.g., organizations, people). The role of the CA in data security is important, as electronic exchange of data becomes a necessity for communications and commerce. For example, electronic-commerce sites such as Amazon.com and BestBuy.com have digital certificates so that users can trust that they are on the legitimate site rather than on a fraudulent site created by hackers.

In general, before issuing a certificate, the CA must verify the identity of the entity requesting the certificate. The certificate issued by the CA associates a specific public key with the entity requesting the certificate. A certificate also includes the name of the entity it identifies, an expiration date, the name of the CA that issued the certificate, and a serial number. Most importantly, a certificate includes the digital signature of the issuing CA, which is what allows anyone who trusts that CA to check that the certificate is authentic.

Web browsers are usually pre-configured to trust certain certificate authorities, such as VeriSign, Inc. You can view the list of trusted CAs by clicking on Tools from your Internet Explorer menu. Then choose Internet Options..., click on the Content tab. Click on the Certificates... button, and then click on the Trusted Root Certification Authorities tab. To see a digital certificate, you can go to a website that uses digital certificates, such as a financial institution's or an online store's. For instance, when you view your personal information on Amazon.com, you can double-click on the "lock" icon at the bottom right-hand side of the screen and view the digital certificate.

The image below is a digital certificate from Amazon.com:

Figure 4 Digital certificate

Root CAs can also delegate certification authority to subsidiary CAs. The Certification Path tab shows the path from the root CA down to the digital certificate holder. The screen shot below shows that Amazon's root CA is VeriSign/RSA Secure Server.

Figure 5 Certification Path

When you visit a site whose certificate is faulty, you will see a warning like the following screen shot:

Figure 6 Certificate warning

At this point, you can choose to proceed despite the warning, or choose "No" to terminate your request to the page. You can also view the certificate and then decide whether you want to proceed to the page. If a CA is not a member of your trusted CA list, you may choose to install the certificate. Please be cautious before you install a certificate. Intruders may fake a certificate to get you to install it. Once the fraudulent certificate is installed, malicious programs may be run on your computer. You can read about the security incident where intruders pretended to be Microsoft employees and obtained certificates from VeriSign, Inc. These certificates could be used to sign programs, ActiveX controls, Office macros, and other malicious code.
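The certificate fields and the Certification Path described above, as an added example that is not part of the lecture: it uses Go's standard library to build a made-up root CA, a subsidiary CA and a server certificate, then performs the check a browser runs before deciding whether to show the Certification Path or the warning. The CA names, the host name shop.example.test and the 24-hour validity period are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue returns a certificate for name and its private key (self-signed root CA when parent is nil, otherwise signed by the parent CA's key, which fills in the issuer name and the CA's digital signature).
func issue(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey, serial int64) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name}, // name of the entity the certificate identifies
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // expiration date (assumed for the demo)
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign // a CA may certify subsidiary CAs and end entities
	} else {
		tmpl.DNSNames = []string{name} // the host name a browser matches against the URL
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyPath is the check a browser runs before showing the Certification Path: signatures from leaf through
// the subsidiary CA sub up to the trusted root, validity at time at, and the host name. It returns the path, leaf first.
func VerifyPath(leaf, sub, root *x509.Certificate, host string, at time.Time) ([]*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool() // explicit pools: no fallback to the OS trust store
	roots.AddCert(root)
	inters.AddCert(sub)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters, CurrentTime: at})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}
```

A root that is not in the trusted pool, a host name that does not match, or a check time past NotAfter each make VerifyPath return the error a browser would turn into the warning shown in Figure 6.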

The set of standards and services that govern the use of public-key cryptography and the system of certificates is called Public Key Infrastructure (PKI).

A typical enterprise's PKI encompasses the following:

  • Issuance of digital certificates to individual users and organizations

  • Integration with corporate certificate directories

  • Tools for managing, renewing, and revoking certificates

You can read about how digital signatures, certificates, and PKI work together to ensure the security of network communications.