A digital certificate is a digital document used for authentication purposes.
- An identity certificate indicates that you can trust the remote host/website.
- To be trusted, a certificate has to be obtained from a certificate authority (CA), also called a “Root CA” or “Trusted Root”.
- The certificate authority is a well-known company, trusted by most web browsers and operating systems.
- These certs must pass rigorous verification checks before being installed in the OS, i.e. these certs are bundled with the system OS by default.
- If a certificate is a self-signed certificate, then it should follow all the rules followed by the other trusted CAs like DigiCert, VeriSign, etc., so that it will be considered secure; otherwise your browser will flag an insecure connection error.
CATEGORIES OF DIGITAL CERTIFICATE
- ROOT CERTIFICATE = The digital certificate of the certificate authority itself. It includes the public key of the CA and is installed by default in most web browsers.
- IDENTITY CERTIFICATE = The digital certificate of a non-CA entity (i.e. webserver, VPN endpoint, etc.)
- Many different certificate authorities exist, and their offerings vary based on things like:
- COST (Free or Paid)
- Features Availability
- Levels of certificate verification available
By verifying the “Digital Signature” in the certificate, we can know that the identity certificate we received was really generated by a trusted certificate authority.
DIGITAL CERTIFICATE WORKING PRINCIPLE :
- The certificate authority hashes all contents of the cert with a well-known hash function (currently SHA-2 using a 256-bit digest).
- The resulting digest is then encrypted using the CA’s PRIVATE encryption key.
- The encrypted digest is appended to the certificate as a “thumbprint”, which is placed at the bottom of the details tab in the digital certificate. This is also known as the “Digital Signature” of the identity certificate.
- So when a client receives a certificate from a server, this digital signature or thumbprint value will be decrypted using the CA’s public key, which is already present by default in the system OS.
- Once decrypted, we get the hash digest value, which is compared with the default system certificate; if the hash value matches, a secure connection is established.

So if the locally derived digest = decrypted digest, then you know this certificate must have been encrypted by the certificate authority (whom you trust).
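
The hash, sign and compare steps above, as an added example that is not part of the original page. It assumes unpadded RSA with toy keys built from Mersenne primes and a constructed certificate string; real CAs use large random keys and a padding scheme such as PKCS#1 v1.5 or PSS.

```python
import hashlib

E = 65537  # common RSA public exponent


def make_key(p: int, q: int):
    """Build a toy RSA key pair from two primes: returns (n, d)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return n, d


def digest(cert_contents: bytes) -> int:
    """SHA-256 digest of the certificate contents, as an integer."""
    return int.from_bytes(hashlib.sha256(cert_contents).digest(), "big")


def ca_sign(cert_contents: bytes, n: int, d: int) -> int:
    """CA side: hash the contents, then transform the digest with the PRIVATE key."""
    return pow(digest(cert_contents), d, n)


def client_verify(cert_contents: bytes, signature: int, trusted_n: int) -> bool:
    """Client side: recover the digest with the trusted CA PUBLIC key and
    compare it with the digest derived locally from the received contents."""
    decrypted_digest = pow(signature, E, trusted_n)
    return decrypted_digest == digest(cert_contents)


# Constructed toy keys (Mersenne primes are trivially factorable: demo only).
TRUSTED_N, TRUSTED_D = make_key(2**127 - 1, 2**521 - 1)   # CA in the OS trust store
UNKNOWN_N, UNKNOWN_D = make_key(2**89 - 1, 2**607 - 1)    # signer the client does not trust

# Constructed certificate contents (hypothetical names).
CERT = b"subject=www.example.test;issuer=Example Root CA;valid=2025"
SIG = ca_sign(CERT, TRUSTED_N, TRUSTED_D)

# Same signature, but the contents were altered after signing.
ALTERED = CERT.replace(b"www.example.test", b"other.example.test")

# Same contents, but signed by a key that is not in the trust store.
UNTRUSTED_SIG = ca_sign(CERT, UNKNOWN_N, UNKNOWN_D)

if __name__ == "__main__":
    print("genuine cert:      ", client_verify(CERT, SIG, TRUSTED_N))
    print("altered contents:  ", client_verify(ALTERED, SIG, TRUSTED_N))
    print("untrusted signer:  ", client_verify(CERT, UNTRUSTED_SIG, TRUSTED_N))
```

The check fails both when the contents change after signing and when the signature was produced by a key other than the trusted CA's.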