Digital Certificate Operation in a Complex Environment
PKI Primer and Project Background
4. What are digital certificates?
Digital certificates are like digital passports that help to identify an entity (possibly on a network or on some sort of electronic system). The entity could be an end user, a router or a server among other things.
Digital certificates are used to identify entities, often over a network such as the internet. Some kinds of digital certificate can also be used to verify that 'digitally signed' emails and other documents really do come from the person who signed them. Tying a digital signature or certificate to an identity, in a way that lets the signature or certificate be checked by anyone who receives it, is a fundamental concept of public key infrastructure (PKI); we shall come back to this later.
The DCOCE project examined the use of digital certificates to authenticate users as they access services at or via the University of Oxford. The use of digital certificates to send and receive encrypted email and other documents was outside the scope of the project, but was considered in parallel (see the ).
Unlike a paper certificate such as a birth certificate, a digital certificate is not usually presented by its owner by hand; it is exchanged by software. Like other 'real world' certificates, it contains information about the owner (the subject) and about the issuer. The detail of the certificate structure, content and appearance goes well beyond this brief introduction. However, if you would like to know more, see SourceForge's which shows the plain-text appearance of a digital certificate. As with many ideas in the electronic world, there are a variety of certificate formats in use. The most common is the X.509 v3 certificate, used by organisations such as Verisign, Thawte, Entrust, Computer Associates and many others. This standard was proposed by the ( ) and is most often used with public key infrastructure (discussed more fully in a ).
Digital certificates are associated with key pairs. The certificate itself carries the public key, which anyone can use to check signatures you make and so to check that you are who you say you are; the matching private key is held separately and must be kept safe, because anyone who holds it can sign as you. This is discussed in further depth in a . There are several ways of protecting the private key. Often the certificate is used by your web browser (at least in the situations covered by this project), but you may have to enter a pass phrase before the private key can be used: the key is stored encrypted under that pass phrase, which keeps it from being used by others even if the file is copied. The certificate, by contrast, is public and needs no such protection.
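As an added example (not code from the DCOCE page or project), the following shell script builds the objects the two paragraphs above describe: an RSA key pair whose private half is stored encrypted under a pass phrase, and a self-signed X.509 v3 certificate that binds the public key to a subject name. It then reads the certificate's version, subject and issuer back out, shows that the private key cannot be opened without the pass phrase, and verifies a signature using only the public key taken from the certificate. It assumes that openssl and mktemp are on the PATH; the subject name 'alice', the organisation 'Example University' and the pass phrase are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the DCOCE project: make an X.509 v3 user
# certificate with the openssl command-line tool, keep the private key
# encrypted under a pass phrase, and check the certificate/key relationship.
# Assumptions: openssl and mktemp are installed; subject name, organisation
# and pass phrase below are invented for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASS='correct-horse-battery-staple'   # constructed pass phrase

# Minimal openssl config: the subject name plus the v3 extensions that mark
# this as an end-entity (not a CA) certificate intended for client login.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_user
[dn]
C = GB
O = Example University
CN = alice
[v3_user]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF

# 1. Key pair. The private key is written PEM-encoded and encrypted with
#    AES-256-CBC under PASS, so the file alone is useless to a thief.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -aes-256-cbc -pass "pass:$PASS" -out "$WORK/alice.key" 2>/dev/null

# 2. Self-signed certificate: carries the PUBLIC key, the subject name and
#    the extensions above, signed with the private key (so issuer == subject).
openssl req -new -x509 -sha256 -days 365 -config "$WORK/openssl.cnf" \
    -key "$WORK/alice.key" -passin "pass:$PASS" -out "$WORK/alice.crt"

# X.509 version number taken from the text dump ("Version: 3 (0x2)" -> 3).
cert_version() {
    openssl x509 -in "$WORK/alice.crt" -noout -text |
        sed -n 's/^ *Version: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Subject and issuer names; identical here because the cert is self-signed.
cert_subject() { openssl x509 -in "$WORK/alice.crt" -noout -subject; }
cert_issuer()  { openssl x509 -in "$WORK/alice.crt" -noout -issuer; }

# Can the private key file be decrypted with the given pass phrase? yes/no.
key_opens_with() {
    if openssl pkey -in "$WORK/alice.key" -passin "pass:$1" -noout 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Sign a message with the private key (needs the pass phrase).
sign_message() {
    printf '%s' "$1" > "$WORK/msg"
    openssl dgst -sha256 -sign "$WORK/alice.key" -passin "pass:$PASS" \
        -out "$WORK/msg.sig" "$WORK/msg"
}

# Verify the stored signature over the given text using ONLY the public key
# extracted from the certificate: ok if it matches, FAIL if the text differs.
verify_message() {
    printf '%s' "$1" > "$WORK/check"
    openssl x509 -in "$WORK/alice.crt" -noout -pubkey > "$WORK/alice.pub"
    if openssl dgst -sha256 -verify "$WORK/alice.pub" \
            -signature "$WORK/msg.sig" "$WORK/check" >/dev/null 2>&1; then
        echo ok
    else
        echo FAIL
    fi
}

# Walk-through for the reader.
echo "X.509 version:        $(cert_version)"
echo "$(cert_subject)"
echo "$(cert_issuer)"
echo "key opens with PASS:  $(key_opens_with "$PASS")"
echo "key opens with junk:  $(key_opens_with not-the-pass-phrase)"
sign_message 'I am alice'
echo "signature over text:  $(verify_message 'I am alice')"
echo "signature, text edited: $(verify_message 'I am bob')"
```

The private key is the only secret in the whole exchange: the certificate (and the public key inside it) can be handed to anyone, and the verification step needs nothing else. Changing the pass phrase or the message is enough to make the corresponding step fail, which is exactly the behaviour a browser relies on when it asks for the pass phrase before using a client certificate.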
So, to answer the question 'where would I keep my certificate?': the certificate and its private key can be kept in a web browser's certificate store for use with web-based services. However, you may wish to use the certificate on more than one machine, in which case you need another device to carry the certificate and, more importantly, its private key. Digital certificates and private keys can be stored on:
Obviously, not all of the above options are equally secure. The choice of storage medium depends on what you are likely to use the certificate for, the level of security you require, cost and technical practicalities. Bear in mind that it is the private key that needs protecting; the certificate itself is public and can be copied freely.