A certificate is a data file that binds the identity of an entity to a public key, and contains the user’s identification and a signature from the issuing authority. It is also referred to as a digital certificate, X.509 certificate, or a public key certificate. Certificates are issued from the public key infrastructure (PKI), which provides a registration authority to determine the identity of the certificate holder or subject to a required level of assurance, and a certification authority to issue the certificate. The PKI also contains a repository of the issued certificates and the certificate revocation list (CRL).
Certificates contain a public key and have a corresponding private key that is protected by a password and can be stored on a hardware security module (HSM) such as a smart card. Data encrypted by the private key can only be decrypted by the public key, whereas data encrypted by the public key can only be decrypted by the private key. With this scheme, most required security services can be created.
Figure 1 – An individual or subscriber with a digital certificate.
Figure 1 shows a certificate issued to a person. The certificate contains the public key while the corresponding private key is protected. The person authenticates to the private key by unlocking it with the password. Certificates are also issued to non-person entities (NPEs), such as Web servers or routers.