PKI and Digital Certificates — Your Questions, Answered
PKI and digital certificates are critical tools when it comes to protecting your networks and systems. It’s vital to understand the various terms related to PKI, so we’re answering all your questions around it.
What Is Public Key Cryptography?
Public key cryptography is an encryption technology where the encryption and decryption of data is carried out using separate but related cryptographic keys, one that is kept private and one that is made public. This encryption technology is the basis for public key infrastructure.
What Is Public Key Infrastructure?
A public key infrastructure (PKI) is a collection of policies, activities, technologies and processes for managing digital certificates and key encryption. PKI is a foundation for transferring information between parties across a network in a secure and encrypted way.
PKI makes it possible for individuals and organizations to securely share and transfer information. It is necessary for applications including eCommerce, online banking, private email and other online tasks where encryption is paramount.
It ensures the security and protection of electronic communications and data through the use of certificates and private/public key pairs.
How Does PKI Work?
PKI is based on public key cryptography. This starts with an organization requesting a digital certificate. A trusted “Certificate Authority” creates a key for the organization linked to the digital certificate.
When two parties want to communicate with each other, they check the other party’s key against their digital certificate; this establishes they are who they say they are. This marks the other part as trusted and means information can be encrypted and passed between the two parties.
What Is a Certificate Authority?
A Certificate Authority, also known as a Certificate Service Provider (CSP), is a trusted issuer of digital security certificates that allows for the trusted transmission and receipt of data over networks or the public internet.
What Is a Digital Certificate?
Certificate authorities provide digital certificates. A digital certificate is a specialized electronic credential that certifies a relationship between a public key and the identity of the key holder. Public keys are part of cryptography and allow for the encryption and decryption of secure information, together with validating the sender and recipient of information.
What Is a Qualified Certificate?
A Qualified Certificate is a special kind of digital certificate that contains a minimum set of elements specified in European Directive (99/93/EC). It is produced by a qualified CSP, which meets certain specific technical and procedural requirements. These requirements include:
- Automated processing indications that the certificate is a qualified certificate for electronic signatures
- Information that defines the qualified trust service provider who is issuing the certificate. This information must include:
- The service provider’s member state
- The name and registration number of the provider
- The name of the signatory
- Electronic signature creation and validation data
- The start and end times for the certificate’s validity
- The qualified trust service provider’s unique certificate identity code
- The qualified trust service provider’s advanced electronic signature or electronic seal
What Is an Advanced Electronic Signature?
An Advanced Electronic Signature is an electronic signature that is:
- Uniquely linked to the signatory
- Capable of identifying the signatory
- Created using means that the signatory can maintain under his sole control
- Linked to the data to which it relates in such a manner that any subsequent change of the data is detectable
The requirements that govern electronic signatures are defined under the European regulation for the electronic identification and trust services for electronic transactions (EIDAS).
What Is a Qualified Electronic Signature?
A Qualified Electronic Signature (QES) is a special signature that follows European Directive (99/93/EC). A QES needs to be:
- An advanced electronic signature as defined in the directive. Currently, only PKI digital signatures (using asymmetric cryptography) fulfil those requirements.
- Based on a Qualified Certificate (QC) issued by a suitably certified certification service provider
- Created through a Secure Signature‐Creation Device (SSCD) that meets specific conditions
Qualified electronic signatures are a digital equivalent to handwritten signatures. Qualified electronic signatures are defined by EIDAS. It must meet three main criteria:
- The signatory must be linked and uniquely identified to the signature
- The data used to create the signature must be under the sole control of the signatory
- It must be able to identify if the data that accompanies the signature has been tampered with since the signing of the message
What Is the CA/B Forum?
The Certification Authority Browser Forum, also known as the CA/Browser Forum, is a voluntary consortium of certification authorities, vendors of internet browser software, operating systems and other PKI-enabled applications.
What Is an Extended Validation (EV) SSL certificate?
An EV SSL is a certificate that meets the Extended Validation Guidelines (EVGs) produced by the CA/B Forum. An EV SSL verifies the identity of the website owner, its exclusive use of the domain and the authority of its personnel. Only certification authorities who are audited for compliance to EVGs may issue an EV certificate.
What Is a Wildcard Certificate?
A wildcard certificate allows you to secure unlimited first-level sub-domains on a single domain name.
For example, you can get a wildcard certificate with the common name *.yourdomain.com. This certificate can be used to secure related subdomains like:
Wildcard certificates do not work for multiple-level subdomains. For example, a wildcard for *.yourdomain.com will not work on www.secure.yourdomain.com or server.name.yourdomain.com. The advantage of a wildcard certificate is that you only need one certificate to secure multiple subdomains rather than buying and managing multiple certificates.
Some devices do not support wildcard certificates, and you will need to use a subject alternative name certificate instead.
What Is a Subject Alternative Name Certificate?
A Subject Alternative Name (SAN) certificate allows one certificate to secure multiple different domain names using the SAN fields. A SAN certificate can secure multiple external domain and subdomain names.
For example, one SAN SSL certificate could secure the following:
A SAN certificate is required for some Microsoft products.
To explore more about PKI, download our white paper on the role of PKI in securing enterprise networks.
Or learn more about the future of digital certificates in this blog post.
Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than ten years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).