Digital Certificate
A Digital Certificate is an electronic document that proves the ownership of a public key. It links a public key to the identity of an individual, organization, or device, and is issued by a trusted third party called a Certificate Authority (CA).
Think of it like a digital passport for websites or systems — it validates who owns a public key and whether you can trust them.
Uses of Digital Certificates
Digital certificates are critical in secure communication, especially over the internet. They are the backbone of:
- HTTPS (SSL/TLS) security
- Authenticating servers and clients
- Preventing man-in-the-middle attacks
- Public Key Infrastructure (PKI)
Structure of a Digital Certificate
A typical certificate contains:
| Field | Description |
|---|---|
| Subject | The identity (domain, user, org) |
| Public Key | Public key of the subject |
| Issuer | Certificate Authority (CA) that issued the certificate |
| Validity Period | Start and end dates |
| Serial Number | Unique identifier |
| Signature Algorithm | Algorithm used to sign the certificate |
| Digital Signature | CA’s signature on the certificate |
How a Digital Certificate Works
- User visits https://bank.com
- Server sends its digital certificate to the user's browser.
- Browser checks:
  - Is the certificate issued by a trusted CA?
  - Is the domain name correct?
  - Is the certificate expired or revoked?
- If valid:
  - Browser extracts the server’s public key from the certificate.
  - Browser uses that key to establish an encrypted connection (via TLS handshake).
- Communication is now encrypted and authenticated.
TLS Handshake with Digital Certificate
```
Client (Browser)                       Server (https://bank.com)
|                                               |
|--------- Client Hello (TLS request) --------->|
|<----- Server Hello + Certificate (X.509) -----|
|                                               |
Validate Certificate:                           |
  - Issuer is trusted (e.g., DigiCert)          |
  - Not expired                                 |
  - Matches domain (bank.com)                   |
|                                               |
Extract Public Key from Certificate             |
Encrypt shared secret with server's public key  |
|                                               |
|---- Encrypted Key Exchange ------------------>|
|<------ Server Finished (secured) -------------|
|------ Client Finished (secured) ------------->|

==> Secure HTTPS Communication Starts (TLS session)
```
Tools Used for Digital Certificates
| Tool/Technology | Use Case |
|---|---|
| OpenSSL | Generate certificates, CSR, private keys |
| Let’s Encrypt | Free, automated TLS certificates |
| X.509 | Standard for certificate structure |
| TLS/SSL | Secure channel using certs |
| Browsers (CA store) | Manage trusted Root CAs |
Trust Hierarchy in Digital Certificates
Public Key Infrastructure (PKI)
```
+----------------------------+
| Root Certificate Authority |
+----------------------------+
              |
+----------------------------+
|      Intermediate CA       |
+----------------------------+
              |
+----------------------------+
| Server/Device Certificate  |
+----------------------------+
```
- Root CA: Highest authority, pre-installed in browsers/OS.
- Intermediate CA: Issued by Root CA, used to issue server certs.
- Server Certificate: Used by websites, APIs, services.
Your browser trusts the Root CAs and any certs they sign, directly or indirectly.
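The browser checks listed under "How a Digital Certificate Works" and the Root CA, Intermediate CA, Server Certificate chain above can be reproduced offline with OpenSSL. This is an added example, not part of the original page; the CA names, the host `bank.example`, the file names and the helper functions `issue`, `browser_accepts` and `report` are all constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: constructed three-tier PKI (all names and files are made up for this demo).
set -eu
cd "$(mktemp -d)"

# CA certs must carry basicConstraints CA:TRUE; the server cert names its host in subjectAltName.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:bank.example\n' > leaf.ext

# issue <name> <common name> <extension file> <days> [issuer name]
# No issuer means self-signed (the root); otherwise the issuer's key signs the CSR.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
  if [ -n "${5:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$5.pem" -CAkey "$5.key" -CAcreateserial \
      -extfile "$3" -days "$4" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -extfile "$3" -days "$4" -out "$1.pem" 2>/dev/null
  fi
}

issue root   "Example Root CA"         ca.ext   3650
issue inter  "Example Intermediate CA" ca.ext   1825 root
issue server "bank.example"            leaf.ext 30   inter

# browser_accepts <hostname> [extra 'openssl verify' options]
# root.pem is the trust anchor here, standing in for the browser's CA store.
browser_accepts() {
  host=$1; shift
  openssl verify -CAfile root.pem -verify_hostname "$host" "$@" \
    server.pem >/dev/null 2>&1
}

report() { if "$@"; then echo accepted; else echo rejected; fi; }
later=$(( $(date +%s) + 60 * 86400 ))   # 60 days from now, past the 30-day server cert

echo "valid chain, right host:  $(report browser_accepts bank.example -untrusted inter.pem)"
echo "wrong host name:          $(report browser_accepts evil.example -untrusted inter.pem)"
echo "intermediate not sent:    $(report browser_accepts bank.example)"
echo "checked after expiry:     $(report browser_accepts bank.example -untrusted inter.pem -attime "$later")"
```

Only the first case is accepted. Revocation (CRL or OCSP) is not exercised by this script.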