We rely on digital certificates for much of the encryption that we use over the Internet. In this video, you’ll learn about digital certificates and what information is contained in a digital certificate.
We’ve talked a lot so far about digital certificates, but what are those really? What is this digital certificate? The certificates that we use in our browsers, the ones we get from a web server, are public key certificates. A certificate allows us to take a public key that’s out there and have it associated with this digital certificate. It’s a way to communicate this information in a standard form wherever you happen to be.
The digital signature that we might put on a digital certificate also adds some trust. So you might have in your Public Key Infrastructure a certificate authority that signs this digital certificate, and that adds additional trust to it. If you’re in an environment where you’re using something like PGP or OpenPGP, there is something called a web of trust to make sure that everybody trusts everyone else.
Certificate creation is usually built into the operating system, especially in Windows. With Windows Server, you can get something called the Windows Certificate Services, and you can automate the process of having these certificates created. These domain services allow us to automate this and store the certificates in a very simple way. But if you’re using another operating system like Linux or Mac OS X, you’ll find there is other third-party certificate management software out there. You can find many of these tools as open source, so that you can have digital certificates whatever your operating system might be.
Digital certificates are constructed in a very standard way, so that a digital certificate created on one machine can be understood by other machines. That format is called X.509, and you’ll see people referring to their X.509 certificate. There are different versions of X.509 certificates, but they generally all follow the same standard format. There may be serial numbers, signature algorithms, the issuer of the digital certificate, some validity time frames, a subject, a public key, and also extensions. All of this information is put in a standard format in that X.509 certificate so that you can share it with anyone.
That extension piece that you can have at the end of your X.509 certificate allows you to include a lot of different capabilities for that cert. For each extension you’ll find an extension ID, a critical field that is either true or false, and the value, the string value of what that extension happens to be. So you can have a digital certificate and add some extensions to it to say that it is going to be used to digitally sign documents, or that it’s used just for key exchange, or that it’s used by the certificate authority for certificate signing.
So having that extension piece on there really allows you to build out certificates with very specific functions and to label them that way. And you’ll find when you start building certificates in your operating systems with your certificate authorities, you’ll have a lot of these options available to you. It really extends the capability of what you can do with digital certificates.
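The extension layout described above (an extension ID, a critical flag, and a value) can be seen directly in the encoded bytes. The following is an added example, not part of the original video: a small standard-library Python decoder run over a constructed extensions block. The function names and the sample bytes are assumptions made for this illustration.

```python
KEY_USAGE_BITS = ("digitalSignature nonRepudiation keyEncipherment dataEncipherment "
                  "keyAgreement keyCertSign cRLSign encipherOnly decipherOnly").split()
SAMPLE_EXTENSIONS = bytes.fromhex(  # constructed DER for this example, not a real cert
    "3025"
    "300e0603551d0f0101ff0404030205a0"            # keyUsage, critical = TRUE
    "30130603551d25040c300a06082b06010505070301"  # extendedKeyUsage, critical omitted
)

def read_tlv(buf, pos):  # returns (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # DER OID content bytes -> dotted string such as 2.5.29.15
    subs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of a sub-identifier
            subs.append(val)
            val = 0
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def parse_extensions(der):  # returns [(extension ID, critical, value bytes), ...]
    _, seq, _ = read_tlv(der, 0)
    out, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid, p = read_tlv(ext, 0)
        tag, val, p = read_tlv(ext, p)
        critical = False  # DER leaves the BOOLEAN out when it is FALSE
        if tag == 0x01:
            critical = val != b"\x00"
            tag, val, p = read_tlv(ext, p)
        out.append((decode_oid(oid), critical, val))
    return out

def key_usage_names(value):  # decode the keyUsage BIT STRING inside an extension value
    _, body, _ = read_tlv(value, 0)
    nbits = (len(body) - 1) * 8 - body[0]  # body[0] = count of unused trailing bits
    return [n for i, n in enumerate(KEY_USAGE_BITS)
            if i < nbits and body[1 + i // 8] & (0x80 >> (i % 8))]

if __name__ == "__main__":
    print(*parse_extensions(SAMPLE_EXTENSIONS), sep="\n")
```

In the sample, the key usage extension is marked critical and allows digital signatures and key encipherment (key exchange), while the second extension leaves the critical field out, which means false.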