Public key certificate
In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.
In a typical public-key infrastructure (PKI) scheme, the signer is a certificate authority (CA), usually a company that charges customers to issue certificates for them. In a web of trust scheme, the signer is either the key's owner (a self-signed certificate) or other users ("endorsements") whom the person examining the certificate might know and trust.
Certificates are an important component of Transport Layer Security (TLS, sometimes called by its older name SSL, Secure Sockets Layer), where they prevent an attacker from impersonating a secure website or other server. They are also used in other important applications, such as email encryption and code signing.
Certificates can be created for Unix-based servers with tools such as OpenSSL's ca command, or SuSE's gensslcert. These may be used to issue unmanaged certificates, certification authority (CA) certificates for managing other certificates, and user or computer certificate requests to be signed by the CA, as well as a number of other certificate related functions.
Similarly, Windows Server contains a CA as part of Certificate Services for the creation of digital certificates. In Windows Server 2008 and later the CA may be installed as part of Active Directory Certificate Services. The CA is used to manage and centrally issue certificates to users or computers. Microsoft also provides a number of different certificate utilities, such as SelfSSL.exe for creating unmanaged certificates, and Certreq.exe for creating and submitting certificate requests to be signed by the CA, and certutil.exe for a number of other certificate related functions.
Contents of a typical digital certificate
- Serial Number: Used to uniquely identify the certificate.
- Subject: The person, or entity identified.
- Signature Algorithm: The algorithm used to create the signature.
- Signature: The actual signature to verify that it came from the issuer.
- Issuer: The entity that verified the information and issued the certificate.
- Valid-From: The date the certificate is first valid from.
- Valid-To: The expiration date.
- Key-Usage: Purpose of the public key (e.g. encipherment, signature, certificate signing...).
- Public Key: The public key.
- Thumbprint Algorithm: The algorithm used to hash the public key certificate.
- Thumbprint (also known as fingerprint): The hash itself, used as an abbreviated form of the public key certificate.
National Institute of Standards and Technology
The National Institute of Standards and Technology(NIST) Computer Security Division provides guidance documents for Public Key Certificates:
- SP 800-32 Introduction to Public Key Technology and the Federal PKI Infrastructure
- SP 800-25 Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
Usage in the European Union
Under the context of Regulation (EU) No 910/2014 (eIDAS), a qualified digital certificate is a public key certificate issued by a qualified trust service provider that ensures the authenticity and data integrity of an electronic signature and its accompanying message and/or attached data. The certificate shall meet the requirements of Annex I and is provided by a certification service provider who fulfills the requirements of Annex II.
According to Annex I, qualified certificates must contain:
- An indication that the certificate is issued as a qualified certificate
- The identification of the certification service provider and the state in which it is established
- The name of the signatory or a pseudonym, which shall be identified as such
- Provision for a specific attribute of the signatory to be included if relevant, depending on the purpose for which the certificate is intended
- Signature verification data which correspond to signature creation data under the control of the signatory
- An indication of the beginning and end of the period of validity of the certificate
- The identity code of the certificate
- The advanced electronic signature of the certification service provider issuing it
- Limitations on the scope of use of the certificate, if applicable
- Limits on the value of transactions for which the certificate can be used, if applicable
Annex II requires certification service providers to:
- Demonstrate the reliability necessary for providing certification services
- Ensure the operation of a prompt and secure directory and a secure and immediate revocation service
- Ensure that the date and time when a certificate is issued or revoked can be determined precisely
- Verify, by appropriate means in accordance with national law, the identity and, if applicable, any specific attributes of the person to which a qualified certificate is issued
- Employ personnel who possess the expert knowledge, experience, and qualifications necessary for the services provided, in particular competence at managerial level, expertise in electronic signature technology and familiarity with proper security procedures. They must also apply administrative and management procedures which are adequate and correspond to recognized standards.
- Use trustworthy systems and products which are protected against modification and ensure the technical and cryptographic security of the process supported by them
- Take measures against forgery of certificates, and, in cases where the certification service provider generates signature creation data, guarantee confidentiality during the process of generating such data
- Maintain sufficient financial resources to operate in conformity with the requirements laid down in the Directive, in particular to bear the risk of liability for damages, for example, by obtaining appropriate insurance
- Record all relevant information concerning a qualified certificate for an appropriate period of time, in particular for the purpose of providing evidence of certification for the purposes of legal proceedings. Such recording may be done electronically.
- Not store or copy signature creation data of the person to whom the certification service provider provided key management services
- Before entering into a contractual relationship with a person seeking a certificate to support their electronic signature, inform that person by a durable means of communication of the precise terms and conditions regarding the use of the certificate, including any limitations on its use, the existence of a voluntary accreditation scheme and procedures for complaints and dispute settlement. Such information, which may be transmitted electronically, must be in writing and in readily understandable language. Relevant parts of this information must also be made available on request to third parties relying on the certificate.
- Use trustworthy systems to store certificates in a verifiable form so that:
- Only authorized persons can make entries and changes
- Information can be checked for authenticity
- Certificates are publicly available for retrieval in only those cases for which the certificate holder's consent has been obtained
- Any technical changes compromising these security requirements are apparent to the operator
In this model of trust relationships, a CA is a trusted third party - trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. According to NetCraft , the industry standard for monitoring Active TLS certificates, states that "Although the global [TLS] ecosystem is competitive, it is dominated by a handful of major CAs — three certificate authorities (Symantec, Comodo, GoDaddy) account for three-quarters of all issued [TLS] certificates on public-facing web servers. The top spot has been held by Symantec (or VeriSign before it was purchased by Symantec) ever since [our] survey began, with it currently accounting for just under a third of all certificates. To illustrate the effect of differing methodologies, amongst the million busiest sites Symantec issued 44% of the valid, trusted certificates in use — significantly more than its overall market share."
Certificates and website security
The most common use of certificates is for HTTPS-based web sites. A web browser validates that a TLS (Transport Layer Security) web server is authentic, so that the user can feel secure that his/her interaction with the web site has no eavesdroppers and that the web site is who it claims to be. This security is important for electronic commerce. In practice, a web site operator obtains a certificate by applying to a certificate provider (a CA that presents as a commercial retailer of certificates) with a certificate signing request. The certificate request is an electronic document that contains the web site name, contact email address, company information and the public key (for security reasons the private key is not part of the request and is not sent to the certificate authority). The certificate provider signs the request, thus producing a public certificate. During web browsing, this public certificate is served to any web browser that connects to the web site and proves to the web browser that the provider believes it has issued a certificate to the owner of the web site.
Before issuing a certificate, the certificate provider will request the contact email address for the web site from a public domain name registrar, and check that published address against the email address supplied in the certificate request. Therefore, an https web site is only secure to the extent that the end user can be sure that the web site is operated by someone in contact with the person who registered the domain name.
As an example, when a user connects to
https://www.example.com/ with their browser, if the browser does not give any certificate warning message, then the user can be theoretically sure that interacting with
https://www.example.com/ is equivalent to interacting with the entity in contact with the email address listed in the public registrar under "example.com", even though that email address may not be displayed anywhere on the web site. No other surety of any kind is implied. Further, the relationship between the purchaser of the certificate, the operator of the web site, and the generator of the web site content may be tenuous and is not guaranteed. At best, the certificate guarantees uniqueness of the web site, provided that the web site itself has not been compromised (hacked) or the certificate issuing process subverted.
A certificate provider can opt to issue three types of certificates, each requiring its own degree of vetting rigor. In order of increasing rigor (and naturally, cost) they are: Domain Validation, Organization Validation and Extended Validation. These rigors are loosely agreed upon by voluntary participants in the CA/Browser Forum.
A certificate provider will issue a Domain Validation (DV) class certificate to a purchaser if the purchaser can demonstrate one vetting criterion: the right to administratively manage a domain name.
A certificate provider will issue an Organization Validation (OV) class certificate to a purchaser if the purchaser can meet two criteria: the right to administratively manage the domain name in question, and perhaps, the organization's actual existence as a legal entity. A certificate provider publishes its OV vetting criteria through its Certificate Policy.
To acquire an Extended Validation (EV) certificate, the purchaser must persuade the certificate provider of its legal identity, including manual verification checks by a human. As with OV certificates, a certificate provider publishes its EV vetting criteria through its Certificate Policy.
Browsers will generally offer users a visual indication of the legal identity when a site presents an EV certificate. Most browsers show the legal name before the domain, and use a bright green color to highlight the change. In this way, the user can see the legal identity of the owner has been verified.
A web browser will give no warning to the user if a web site suddenly presents a different certificate, even if that certificate has a lower number of key bits, even if it has a different provider, and even if the previous certificate had an expiry date far into the future. However a change from an EV certificate to a non-EV certificate will be apparent as the green bar will no longer be displayed. Where certificate providers are under the jurisdiction of governments, those governments may have the freedom to order the provider to generate any certificate, such as for the purposes of law enforcement. Subsidiary wholesale certificate providers also have the freedom to generate any certificate.
All web browsers come with an extensive built-in list of trusted root certificates, many of which are controlled by organizations that may be unfamiliar to the user. Each of these organizations is free to issue any certificate for any web site and have the guarantee that web browsers that include its root certificates will accept it as genuine. In this instance, end users must rely on the developer of the browser software to manage its built-in list of certificates and on the certificate providers to behave correctly and to inform the browser developer of problematic certificates. While uncommon, there have been incidents in which fraudulent certificates have been issued: in some cases, the browsers have detected the fraud; in others, some time passed before browser developers removed these certificates from their software.
The list of built-in certificates is also not limited to those provided by the browser developer: users (and to a degree applications) are free to extend the list for special purposes such as for company intranets. This means that if someone gains access to a machine and can install a new root certificate in the browser, that browser will recognize websites that use the inserted certificate as legitimate.
For provable security, this reliance on something external to the system has the consequence that any public key certification scheme has to rely on some special setup assumption, such as the existence of a certificate authority.
Usefulness versus unsecured web sites
In spite of the limitations described above, certificate-authenticated TLS is considered mandatory by all security guidelines whenever a web site hosts confidential information or performs material transactions. This is because, in practice, in spite of the weaknesses described above, web sites secured by public key certificates are still more secure than unsecured http:// web sites.
- Authorization certificate
- CA/Browser Forum
- Certificate policy
- Certificate server
- Pretty Good Privacy
- X.509, a standard for a PKI
- OpenSSL: Documentation ca(1)
- "NIST Computer Security Publications - NIST Special Publications (SPs)". csrc.nist.gov. Retrieved 2016-06-19.
- (PDF) http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-32.pdf. Missing or empty
- (PDF) http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-25.pdf. Missing or empty
- Turner, Dawn M. "What is a Qualified Digital Certificate for Electronic Signatures in eIDAS". Retrieved 10 August 2016.
- "Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures". Official Journal L 013 , 19/01/2000 P. 0012 - 0020. Annex II. Retrieved 2010-02-17.
- "List of certificates included by Mozilla". Mozilla.org. Retrieved 30 July 2012.
- "DigiNotar removal by Mozilla". Mozilla.org. Retrieved 30 July 2012.
- "DigitNotar removal by Google". Google.com. Retrieved 30 July 2012.
- "Using certificates article at Mozilla.org". Mozilla.org. Retrieved 30 July 2012.
- Ran Canetti: Universally Composable Signature, Certification, and Authentication. CSFW 2004, http://eprint.iacr.org/2003/239
- Ben Laurie, Ian Goldberg (18 January 2014). "Replacing passwords on the Internet AKA post-Snowden Opportunistic Encryption" (PDF).
- RFC 5280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
- SSLTools Certificate Lookup Wikipedia.org Public key certificate details