Digital Certificate Operation in a Complex Environment
PKI Primer and Project Background

4. What are digital certificates?

From this page onwards, the explanations will touch technical issues and you may wish to examine our glossary.

Digital certificates are like digital passports that help to identify an entity (possibly on a network or on some sort of electronic system). The entity could be an end user, a router or a server among other things.

4.1. Where are digital certificates used?

Digital certificates are involved in identifying entities, often over a network (such as the internet). Some kinds of digital certificates can be used to verify that 'digitally signed' emails and other documents actually come from the 'correct' person (who signed the document). This methodology of tying a digital signature or certificate to an 'identity' - in a way that the signature or certificate can be checked - is a fundamental concept of public key infrastructure (PKI), but we shall come back to this later.

The process of verifying the identity of people or entities is termed 'authentication' and is a huge subject in itself (the next section goes into more depth regarding authentication and includes a better definition).

The DCOCE project examined the use of digital certificates in authentication processes as users access services at or via the University of Oxford. The use of digital certificates to send and receive encrypted email and other documents was outside the scope of the project but was considered in parallel (see the final reports).

4.2. What do they look like?

Unlike a birth certificate, a digital certificate is not usually displayed directly by its user, but like other 'real world' certificates it contains information about the owner and the issuer. The detail of the certificate structure, content and appearance goes well beyond this brief introduction. However, if you would like to know more, see SourceForge's Open Source PKI Book, which shows the plain text appearance of a digital certificate. As with many ideas in the electronic world, there are a variety of certificate formats in use. However, the most common is the X.509 v3 certificate, used by organisations such as Verisign, Thawte, Entrust, Computer Associates and many others. This standard was proposed by the Internet Engineering Task Force (IETF) and is most often used with public key infrastructure (discussed more fully in a later section).

More information regarding the actual structure can be seen at the Internet Engineering Task Force's Public-Key Infrastructure charter pages.

4.3. Where would I keep my certificate?

This is a big question, but digital certificates contain (or are associated with) key pairs: a public key (that anyone can use to check that you are who you say you are) and a private key (that you need to keep safe). This is discussed in further depth in a later section. However, you need to keep your private key secure and there are several ways of doing this. Often, the certificate is used by your web browser (at least in the situations covered by this project), but you may have to enter a pass phrase to decrypt your certificate or to use your private key (as the encryption keeps it safe from use by others).

Therefore, to answer the question 'where would I keep my certificate?': the certificate could be kept in a web browser for use with web-based services. However, you may wish to move the certificate around and you may need another device to carry your certificate (and private key). Digital certificates and private keys can be stored on:

  • key servers
  • smart cards
  • other tokens (such as USB devices)
  • the hard drive of a personal computer
  • floppy disks
  • (and much more)

Obviously, not all of the above options are equally secure, but the choice of storage media depends upon what you are likely to use the certificate for, the level of security you require and cost, as well as technical practicalities.
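To make the two ideas in sections 4.2 and 4.3 concrete (the plain text view of an X.509 v3 certificate, and a private key that is only usable once a pass phrase unlocks it), here is an added example that is not part of the DCOCE pages. It assumes the openssl command-line tool is installed; the subject name, file names and pass phrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the DCOCE project): create a pass-phrase-protected key pair and a
# self-signed X.509 v3 certificate with openssl, then inspect the pieces the text describes.
set -eu

WORKDIR="${TMPDIR:-/tmp}/dcoce-demo.$$"       # constructed scratch location
PASS="pass:correct-horse-battery-staple"       # constructed demo pass phrase only
KEY="$WORKDIR/user.key.pem"                    # private key, encrypted under the pass phrase
CERT="$WORKDIR/user.cert.pem"                  # the certificate: public key + identity, signed

make_identity() {
    mkdir -p "$WORKDIR"
    # 1. Key pair. -aes256 encrypts the stored private key; without the pass phrase it is useless.
    openssl genrsa -aes256 -passout "$PASS" -out "$KEY" 2048 2>/dev/null
    # 2. Self-signed certificate binding a subject name to the public half of that key pair.
    openssl req -new -x509 -key "$KEY" -passin "$PASS" -days 365 \
        -subj "/C=GB/O=Example University/CN=Demo User" -out "$CERT" 2>/dev/null
}

# The owner ("subject") named inside the certificate, as openssl prints it.
cert_subject() { openssl x509 -in "$CERT" -noout -subject; }

# True when the PEM file on disk is encrypted (both legacy and PKCS#8 PEM mark this "ENCRYPTED").
key_is_encrypted() { grep -q 'ENCRYPTED' "$KEY"; }

# Succeeds only if $1 is the right pass phrase: this is what keeps the key safe on shared media.
key_opens_with() { openssl pkey -in "$KEY" -passin "pass:$1" -noout 2>/dev/null; }

# The certificate carries the public half of the same key pair as the private key file.
keys_match() {
    from_cert=$(openssl x509 -in "$CERT" -noout -pubkey)
    from_key=$(openssl pkey -in "$KEY" -passin "$PASS" -pubout)
    [ "$from_cert" = "$from_key" ]
}

make_identity
# Plain text view: version (3 for X.509 v3), issuer, validity dates, subject, public key, extensions.
openssl x509 -in "$CERT" -noout -text
cert_subject
key_is_encrypted && echo "private key file is pass-phrase protected"
keys_match && echo "certificate public key matches the private key"
```

The files are left in `$WORKDIR` so you can inspect them with a text editor; a self-signed certificate like this is only trusted by whoever chooses to install it, which is where the issuer and PKI sections that follow come in.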

Now that we have had a look at what digital certificates are and assuming that we are happy that (used properly) they can work, let's get back to 'authentication'.

