Share via


X.509 Digital Certification

A version of this page is also available for

Windows Embedded CE 6.0 R3

4/8/2010

A primary task of a digital certificate is to provide access to the subject's public key. The certificate also confirms that the certificate's public key belongs to the certificate's subject. For example, a CA can digitally sign a special message (the certificate information) containing the name of some user, say Alice, and her public key. This must be done in such a way that anyone can verify that the certificate was issued and signed by no one other than the CA. If the CA is trusted and it can be verified that that CA issued Alice's certificate, any receiver of Alice's certificate can trust Alice's public key from that certificate.

The typical implementation of digital certification involves a process for signing the certificate. The process goes something like this:

  1. Alice sends a signed certificate request containing her name, her public key, and perhaps some additional information to a CA.
  2. The CA creates a message, m,from Alice's request. The CA signs the message with its private key, creating a separate signature message, sig. The CA returns the message, m, and the signature, sig, to Alice. Together, m and sig form Alice's certificate.
  3. Alice sends both parts of her certificate to Bob to give him access to her public key.
  4. Bob verifies the signature, sig using the CA's public key. If the signature proves valid, he accepts the public key in the certificate as Alice's public key.

As with an ordinary digital signature, any receiver with access to the CA's public key can determine if a specific CA signed the certificate. This process requires no access to any secret information. The scenario just presented assumes that Bob has access to the CA's public key. Bob would have access to that key if he has a copy of the CA's certificate that contains that public key.

X.509 digital certificates include not only a user's name and public key, but also other information about the user. These certificates enable the CA to give a certificate's receiver a means of trusting not only the public key of the certificate's subject, but also that other information about the certificate's subject. That other information can include, among other things, an e-mail address, an authorization to sign documents of a given value, or the authorization to become a CA and sign other certificates.

X.509 certificates and many other certificates have specific time duration. A certificate can expire and no longer be valid.

See Also

Concepts

Certificates and CryptoAPI

Other Resources

Cryptography
Certificates