|What is a Digital Certificate ?|
|A digital certificate is the electronic version of an identification card
that establishes your credentials and authenticates your connection
when doing business or other transactions on the internet.|
Digital certificates are electronic files that simply work like a kind of online passport.
It contains your name,a serial number,expiration dates, a copy of the certificate holder's public key (used for encrypting messages), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.
The digital certificates are used in conjunction with a public key encryption system.
An digital certificate is an electronic file which contains information that identifies you when you use our online services. Your certificate ensures the security of your online transactions because it authenticates you to our systems and allows you to digitally sign electronic documents like activity statements. Some of our online services – particularly services for business – are only accessible with a digital certificate.
|How to obtain a Digital Certificate ?|
|Digital certificates are issued by a third party known as a Certification Authority (CA).
The CA have the responsibility to confirm the identity of the certificate holder
as well as provide assurance to the website visitors that the website is one that is trustworthy.|
To obtain Digital Certificate an organisation must apply to a Certification Authority which is responsible for validating and ensuring the authenticity of requesting organisation. The Certificate will identify the name of the organisation,a serial number, the validity date ("from / to") and the organisation's Public Key where encryption to / from that organisation is required.
In addition,the Digital Certificate will also contain the Digital Signature of the Certification Authority to allow any recipient to confirm the authenticity of the Digital Certificate.
Digital certificates can be kept in registries so that authenticating users can lookup other user’s public keys.
A global standard (X. 509 Public Key Infrastructure for the Internet) defines the requirements for Digital Certificates and the major Certificate Authorities conform to this. Such standards,and the integrity of the Certificate Authorities are vital for the establishment of 'digital trust',without which e-Commerce will never attain its potential.
In general use,a certificate is a document issued by some authority to attest to a truth or to offer certain evidence. A digital certificate is commonly used to offer evidence in electronic form about the holder of the certificate. In PKI it comes from a trusted third party,called a certification authority (CA) and it bears the digital signature of that authority.
A common use for a digital certificate is to associate or “bind” a person to a public key,which is contained in the certificate. The CA is asserting that this unique public key belongs to one individual; that individual is the person who holds the linked private key. Only the person who holds the private key can decrypt something that’s encrypted with the public key.
Digital certificates are also commonly used in electronic commerce,where the owner of a secure site will obtain a digital certificate that’s checked by a browser for a secure session. In this case,the CA is asserting that the public key belongs to the business; it’s bound to the domain. The information associated with this certificate is also used to set up an encrypted session so that others cannot see personal information like credit card numbers when they are in transit over the web.
|How Digital Certificates Work ?|
|Digital certificates are based on public/private key technology,the same technology used to protect nuclear missile sites. Each key is like a unique encryption device. No two keys are ever identical,which is why a key can be used to identify its owner.|
Keys always work in pairs,one called the private key,and the other called the public key. What a public key encrypts,only the corresponding private key can decrypt,and vice versa. Public keys are distributed freely to anyone who wants to exchange secure information with you. Your private key is never copied or distributed and remains secure on your computer or server.
Digital certificates automate the process of distributing public keys and exchanging secure information. When you install a digital certificate on your computer or server,your computer or web site now has its own private key. Its matching public key is freely available as part of your digital certificate posted on your computer or web site.
When another computer wants to exchange information with your computer,it accesses your digital certificate,which contains your public key. The other computer uses your public key to validate your identity and to encrypt the information it wants to share with you using SSL (Secure Sockets Layer) technology. Only your private key can decrypt this information,so it remains secure from interception or tampering while traveling across the Internet.
|Server certificates allow website visitors to safely transfer their personal information
like credit cards and bank account information without worrying about theft or tampering.
Server certificates are also responsible for validating the website owners
identity so that the visitors can feel as though they are dealing with
a legitimate source when creating or inputting passwords,bank account
details,or credit card numbers into the website.|
For any business or website that will require such confidential information, server certificates are an important part of the website building process, one that cannot be skipped or overlooked for any reason. Having a server certificate can be to the website owners advantage because it gives the business an air of professionalism that is not often found when dealing with an e-commerce business where customers have little assurance as to the legitimacy or professionalism of the people that they are dealing with.
Personal certificates are a bit different in that they allow you to validate a website visitors identity and even restrict their access to certain portions of the website. You might want to set your website up so that web pages are only available to certain people,and personal certificates can help you do this. Personal certificates can be used for things such as sending and receiving email for private account information like forgotten passwords or username information. Personal certificates are ideal for communications such as providing partners and suppliers controlled access to websites for shipping dates,product availability,and even inventory management.
|Uses of Digital Certificates|
|Digital certificates play an important role in
keeping your online experiences safe and secure. It is wise to pay
attention to digital certificate dialog alerts that you receive,and
that you double check that your connection is secure before you proceed
and give someone your personal information.
Digital certificates,SSL,and S/MIME are several of the technologies that form the foundation for Internet Security.
Most of the standard protocols being widely adopted for electronic communications rely on digital certificates:
|SSL (Secure Sockets Layer),designed by Netscape Communication Corporation,is widely accepted as the basic standard for web browser and server authentication,and secure data exchange on the Internet. Almost all the major servers and web browsers including Netscape Communicator are optimized to enable SSL encryption,and is the most common type of security seen on the Internet.|
|S/MIME (Secure Multipurpose Internet Mail Extensions Protocol) is considered as the basic standard for secure email and EDI (Electronic Data Interchange).|
|SET (Secure Electronic Transactions protocol) protects electronic payments from the web visitor to the website operator.|
|Internet Protocol Secure Standard (IPSec) verifies networking devices such as servers and routers.|
|Digital Certificates Functions|
|Digital certificates do two things:|
1. They authenticate that their holders - people,web sites,and even network resources such as routers - are truly who or what they claim to be.
2. They protect data exchanged online from theft.
Digital certificates have two basic functions. The first is to certify that the people,the website,and the network resources such as servers and routers are reliable sources,in other words,who or what they claim to be. The second function is to provide protection for the data exchanged from the visitor and the website from tampering or even theft,such as credit card information.
A digital certificate contains the name of the organization or individual,the business address,digital signature public key,serial number,and expiration date. When you are online and your web browser attempts to secure a connection,the digital certificate issued for that website is checked by the web browser to be sure that all is well and that you can browse securely. The web browser basically has a built in list of all the main certification authorities and their public keys and uses that information to decrypt the digital signature. This allows the browser to quickly check for problems,abnormalities, and if everything checks out the secure connection is enabled. When the browser finds an expired certificate or mismatched information,a dialog box will pop up with an alert.
There are two main types of digital certificates that are important to building a secure website and these are server certificates and personal certificates.
|What is ? A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document,and possibly to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable,cannot be imitated by someone else,and can be automatically time-stamped. The ability to ensure that the original signed message arrived without any tampering and also the sender cannot easily repudiate it later.|
|Certificate Authority - CA|
|A certificate authority (CA) is a trusted thrid party in a network that issues and manages digital certificates. As part of a public key infrastructure,CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, then CA can issue a certificate.|
|Registration Authority - RA|
|A registration authority (RA) is an
authority in a network that verifies user requests for a digital
certificate and tells the certificate authority (CA) to issue it. RAs
are part of a public key infrastructure (PKI),a networked system that
enables companies and users to exchange information and money safely
and securely. The digital certificate contains a public key that is |
used to encrypt messages.
|Publick Key Infrastructure - PKI|
|A PKI (public key infrastructure) enables users of a
basically unsecure public network such as the Internet to securely and
privately exchange data and money through the use of a public and a
private cryptographic key pair that is obtained and shared through a
trusted authority. |
A public key infrastructure consists of
|A certificate authority (CA) that issues and verifies digital
certificate. A certificate includes the public key or information about
the public key.
||A registration authority (RA) that acts as the verifier for the
certificate authority before a digital certificate is issued to a
||One or more directories where the certificates (with their public keys) are held.
||A certificate management system.
What are private and public keys? |
Each person in PKI environment gets a pair of keys,one called the public key and the other called the private key. Each person's public key is published while the private key is kept secret. All communications involve only public keys,and no private key is ever transmitted or shared. No longer is it necessary to trust some communications channel to be secure against eavesdropping or betrayal. The only requirement is that public keys are associated with their users in an authenticated manner. Certification Authority who will issue digital certificates gives this authentication for public keys.
Anyone can send a confidential message by just using public key,but the message can only be decrypted with a private key, which is in the sole possession of the intended recipient. Similarly to produce digital signature,private key is used with any kind of message. So that the receiver can be sure of the sender's identity and that the message arrived intact. A digital certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is real.
|How Can I get digital certificate for myself ?
||There are number of commercial PKI vendors who can issue digital certificates
for you like Verisign and Entrust. But you need pay money to get one
for your use. Or you can visit their web page to apply for trial
certificate. If your enterprise runs an in-house CA then you have
contact your CA administrator. |
How can I use my digital certificates for e-mail transactions? |
Well,Almost all-standard browsers (IE, Netscape,etc) have plugins for digital certificate management. All you have too is,just load your certificate,contact certificates and root CA certificate in to the browser and configure your favourite E-mail client (say Outlook Express or Outlook if you prefer IE)
Can’t we use Digital Certificates in web based e-mail programs?
Nope. Currently no web based e-mail programs like yahoo,hotmail etc. supports this feature. Since you always need some repository to store your certificate and your contact address certificates.
Obtaining Digital Certificates
| Understanding Digital Certificates in Microsoft Explorer
Digital Certificates - Support - [Speedsoft]
After the Digital Certificate has been generated,Verisign will return the signed certificate to you via electronic mail,and Thawte will email you a URL ...
ssl digital certificates from thawte the global certificate authority
Global certification authority offering a range of SSL and code signing digital certificate products.
PCWorld.com - Fraudulent VeriSign Digital Certificates Patch
Protect yourself from malicious code masquerading as Microsoft product.
Cisco Secure VPN Client Solutions Guide - Configuring VeriSign ...
Configuring VeriSign Digital Certificates Configuring VeriSign Digital Certificates . Download the complete book. Cisco Secure VPN Solutions Guide Cisco ...
Download details: Windows Security Update: Verisign Digital ...
This update resolves the "Erroneous VeriSign -Issued Digital Certificates Pose ... VeriSign,Inc. issued two VeriSign digital certificates to an individual ...
Digital Certificate ID Links Page
Digital Certificate Authority; Keywitness Canadian Certificate Authority; TradeWave TradeAuthority Online CA; VeriSign Digital Certificate Authority ...
Configuring VeriSign Digital Certificates
Use this appendix with "Configuring Digital Certification," and the ... For details on submitting a VeriSign certificate request to the Verisign CA,...
SSL Certificates - VeriSign Australia
VeriSign Australia - 128 bit SSL certificates for secure HTTPS ecommerce and ... SSL Digital Certificates for secure Web server encryption over HTTPS ...
Certificate Servers e-Lock PKI - A certificate issuance system that is integrated with CryptoAPI. [Free] (e-Lock)
|Entrust/PKI - A certificate issuance system for Windows NT,HP-UX,Solaris,and AIX. (Entrust)
||pyCA - Python software for running a certificate authority on UNIX. [Free / Open Source] (Michael Ströder)
||Red Hat Certificate System
- Based on system acquired from Netscape. Supports deployment and
maintenance of PKI solutions including the issue and revocation of
digital certificates. [Red Hat Linux,Solaris]
- A toolkit implementing SSL v2/v3 and TLS protocols with
full-strength cryptography world-wide. It is based on SSLeay,developed
by Eric Young and Tim Hudson. [Free / Open Source] (The OpenSSL Project)
|OpenSSL Certificate Cookbook - Instructions to make a CA with OpenSSL,Apache,and Perl.
||OpenSSL PKCS#12 Program FAQ - An utility to generate PKCS#12 certificates with OpenSSL/SSLeay. (Stephen Henson)
|CERT Advisory: Multiple Vulnerabilities In OpenSSL
- "There are four remotely exploitable buffer overflows in OpenSSL.
There are also encoding problems in the ASN.1 library used by OpenSSL.
Several of these vulnerabilities could be used by a remote attacker to
execute arbitrary code on the target system. All could be used to
create denial of service."(July 30,2002)
OpenCA - Opensource Certification Authority software.
- A toolkit implementing SSL v2/v3 and TLS protocols with
full-strength cryptography world-wide. It is based on SSLeay,developed
by Eric Young and Tim Hudson. [Free / Open Source] (The OpenSSL Project)
- Provider of the FileSecure business communication and file security
solution. Based on enterprise digital rights management technology.
||Alacris - Alacris
develops and deploys software products and services that enable large
enterprises to consolidate the management of their PKI security technologies.
||Aladdin Knowledge Systems
- Access control systems and user authentication ensure only authorized
users access online information. By implementing strong user
authentication and access control systems,organizations can ensure
that only authorized users access their online information.
||beTRUSTed - Service
from PricewaterhouseCoopers,secures large commercial transactions and
communications over the Internet through the issuing of digital certificates.
||Binor - ASN.1 and PKI resources. Toolkits,applications,and free online utilities.
- Focused on the development of solutions for security infrastructure
management. Provider of services to facilitate security assessment and
management of digital security assets.
||Challenge PKI Project
- The open test suites is a solution to speed interoperability between
multi-domain and multi-vendor PKIs. The test suites can overcome the
contradiction between vague standards and various implementations.
||Comodo - Digital
certificates,web identity assurance and secure messaging solutions.
Trust toolbar website validation browser plug-in.
||CoreStreet Ltd -
Provide certificate validation to enable strong security for physical
and logical access control. The product is based on a distributed
||CPKtec Home Page -
Provider of cryptography toolkits for mobile devices. Cryptographic
development services including software design and assembler
||Diginus - Provider of
PKI and digital certificate based services using a range of
technologies including Open Source. Features company profile,and
service dencriptions. Provides information about UK and European PKI
related public-sector initiatives.
||EJBCA,Java Certificate Authority
- A platform independent Certificate Authority based on J2EE
technology. It can be used standalone or integrated in J2EE
applications. The software is OSI Certified Open Source under the LGPL
||Electrosoft Services - Security and PKI Consulting
- Electrosoft Services is a consulting and software development company
specializing in IT and Internet security,and public key infrastucture
||E-Lock Technologies - Providing PKI based Digital Signature and Encryption products and services.
||Entrust - Encryption,digital signatures and key management solutions. Product details and customer experiences.
Enables the electronic creation,transmission,storage and retrieval of
protected electronic original documents. Features product dencription and company profile.
||GlobalCerts - Offer
a secure email gateway solution for businesses,incorporating scalable
X.509 PKI functionality for managing digital certificates from approved CAs. Includes live demos,webcasts and brochures.
||IDX-PKI - IDX-PKI is
an Open Source implementation of a Public Key Infrastructure which aims
to be IETF compliant for PKIX License recommandations. Always improved,
IDX-PKI is already fully usable and suitable for commercial use.
||Information Security Corporation - Makers of SecretAgent and other PKI enabled products.
||JaBaCATs - Command line
java tool for running certification authorities. Allow generation of
digital certificates,certificate requests and certificate revocation lists.
||The Multimedia Security Company - The Media Security Company. Products ond consulting for Watermarking and Encryption
||NewPKI - An open source PKI based on the low level OpenSSL API. Compatible with Linux and Windows.
||OpenLDAP - Open source LDAP software including servers,clients,and SDKs.
- Offers information on how to use OSCP and SCVP,an online certificate
revocation checker and searchable list of certification authorities.
||Pebblehaven Company - Offering digital web certificates and web site identity verification solutions.
||PKI XML Web Service - An online tool to generate digital certificates via a PKI. Based on XML / SOAP.
PKIForum.com is an independent news,information and education
organization focused on public key infrastructure (PKI). Good source of
news on new PKI related products and services.
||SecCommerce GmbH -
SecCommerce Informationssysteme GmbH produce software-solutions for
Internet-security. There are products offered for security
infrastructure and digital signature as well as projects for realizing
crucial business workflows in the Internet.
||Secorvo Security Consulting GmbH - Consultancy and Services: PKI Concepts,Strategies and Implementation for big compagnies worldwide
||SecureNet - A
global provider of secure e-commerce solutions for Internet
applications,remote banking,virtual private networks (VPNs) and data critical e-commerce activities.
||Selso.com - Free Certification Service Provider. Implemented using Open Source.
||SUNPKI - Sun Microsystems Inc.'s Public Key Infrastructure.
||SwissSign - Provider of PKI
security technology for individuals,companies and organizations.
Features company overview and product dencriptions. Offers free
certification services for individuals as well as commercial PKI services.
||VeriSign Trust Services Integration Kit (TSIK) - TSIK provides free Java APIs that simplify trusted application
development. The APIs enable rapidly integration of digital trust
services,from secure XML processing to authentication,authorization,
and payments. Developers can integrate with VeriSign's digital trust
services without knowing the details of the lower level functions such
as signing and processing of XML. Developers can also use these APIs to
create secure XML applications of their own.
||Zertificon Solutions - Provider of PKI based encryption and digital signature solutions.