For ordinary citizens, digital certificates are electronic files or documents that allow them to carry out thousands of legal and administrative actions without having to go in person to complete these procedures. But what is a digital certificate?
A digital certificate is an electronic document signed and generated by a certification authority (CA) or certification service provider, which allows the unique identification of an entity or applicant. This is done using public key or asymmetric cryptography, in which a pair of electronic encryption keys (public and private) is used.
Public key encryption, or public key cryptography, is a method of encrypting data with two different keys and making one of the keys, the public key, available for anyone to use. The private key is held only by the owner or applicant of the digital certificate.
The operating mechanism of asymmetric or public key cryptography is that data encrypted with the public key can only be decrypted with the private key, and vice versa.
Certification Authority (CA) and Public Key Infrastructure (PKI)
A certification authority (CA) is a trusted entity responsible for providing a series of electronic certification services. One of the best known and most widely used certification authorities in Spain is the FNMT (Fábrica Nacional de Moneda y Timbre).
Following the entry into force of the European regulation eIDAS 914/2018, CAs have been replaced by the figure of Qualified Service Provider (QSP), although the term CA is still used, especially in the business world.
These authorities are responsible for issuing electronic certificates, verifying their validity and revoking them, always guaranteeing the identity and veracity of the certificate holders’ data.
A public key infrastructure (PKI) is a system composed of hardware elements, software and security procedures, whose main function is the governance of encryption keys and digital certificates, making use of cryptographic and other mechanisms.
The usual components of a PKI infrastructure are:
- Certification authority: As explained above, it is responsible for establishing user identities and creating digital certificates, electronic documents that associate an identity with the set of public and private keys.
- Registration authority: Responsible for the initial registration and authentication of users who are subsequently issued a certificate if they meet all the requirements.
- Certificate server: Responsible for issuing the certificates approved by the registration authority. The user’s public key is combined with the user’s data and finally digitally signed with the private key of the certification authority.
- Certificate repository: This component is responsible for the availability of the public keys of the registered identities. When a certificate needs to be validated, the repository is consulted and the signature and the certificate status are verified. It also holds the CRL (Certificate Revocation List), which lists those certificates that for some reason have ceased to be valid before the expiry date and have been revoked.
- Time Stamping Authority (TSA): This is the authority in charge of signing documents in order to prove that they existed before a certain point in time.
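The issuing and validation steps described in the list above (the CA signs the user's data and public key; a relying party checks the signature, the validity period and the CRL), as an added example that is not part of the original article. It uses textbook RSA without padding over two small Mersenne primes, so it is for illustration only; all names, dates, serial numbers and function names are constructed for the example.

```python
import hashlib
from datetime import date

# Toy CA key pair (textbook RSA, no padding): illustration only, not secure.
P, Q = 2**61 - 1, 2**89 - 1              # two known Mersenne primes
CA_N, CA_E = P * Q, 65537                # CA public key, known to everyone
CA_D = pow(CA_E, -1, (P - 1) * (Q - 1))  # CA private key, never leaves the CA

def digest(cert):
    """Hash the fields the CA signs (identity, key, serial, validity)."""
    tbs = "|".join(str(cert[k]) for k in
                   ("serial", "subject", "public_key", "not_before", "not_after"))
    return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big") % CA_N

def issue(serial, subject, public_key, not_before, not_after):
    """Certificate server: bind user data to the key, sign with the CA private key."""
    cert = dict(serial=serial, subject=subject, public_key=public_key,
                not_before=not_before, not_after=not_after)
    cert["signature"] = pow(digest(cert), CA_D, CA_N)
    return cert

def validate(cert, today, crl):
    """Relying party: check signature, then validity period, then revocation."""
    if pow(cert["signature"], CA_E, CA_N) != digest(cert):
        return "bad signature"
    if not cert["not_before"] <= today <= cert["not_after"]:
        return "outside validity period"
    if cert["serial"] in crl:
        return "revoked"
    return "valid"

# Constructed sample data.
CRL = {1002}  # serial numbers revoked before their expiry date
alice = issue(1001, "CN=Alice Example", "alice-public-key",
              date(2024, 1, 1), date(2026, 1, 1))
bob = issue(1002, "CN=Bob Example", "bob-public-key",
            date(2024, 1, 1), date(2026, 1, 1))
tampered = dict(alice, subject="CN=Someone Else")  # field edited after signing

if __name__ == "__main__":
    today = date(2025, 6, 1)
    for label, cert in (("alice", alice), ("bob", bob), ("tampered", tampered)):
        print(label, "->", validate(cert, today, CRL))
    print("alice in 2027 ->", validate(alice, date(2027, 1, 1), CRL))
```

A production PKI uses padded signature schemes and full-size keys; the order of the checks is the part that carries over.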
Inside Digital Certificates
X.509 is a standard used in public key infrastructures to define the digital certificate structure. In 1998, the ITU (International Telecommunication Union) introduced this standard. There are 3 versions of X.509 available. For more details on this standard, it is recommended to consult RFC 5280.
Digital certificates under the X.509 standard are written in ASN.1 language and encoded in most cases using DER, CRT and CER. The extensions used can be .pfx, .cer, .crt, .p12, etc.
The most common parts of a digital certificate are:
- Version: used to identify the X.509 version.
- Certificate serial number: this is a unique integer number generated by the CA.
- Signing Algorithm Identifier: used to identify the algorithm used by the CA at the time of signing.
- Issuer Name: displays the name of the CA issuing a certificate.
- Validity: Used to display the validity of the certificate, showing when it expires.
- Username: Displays the name of the user to whom the certificate belongs.
- User’s public key information: contains the user’s public key and the algorithm used for the key.
In higher versions, more fields appear, such as the Unique Issuer Identifier, which helps to find the CA uniquely if two or more CAs have used the same issuer name, among others.
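How the fields listed above sit inside the DER encoding, as an added example that is not part of the original article: it builds a constructed, unsigned sample of the signed portion of a certificate and reads the fields back with a small tag-length-value parser. The names, serial number, dates and placeholder key are assumptions made for the example; the "Username" field is called subject here.

```python
def tlv(tag, body):  # DER-encode one element: tag, length, value
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def children(body):  # split DER bytes into a list of (tag, value) elements
    out, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            n, pos = int.from_bytes(body[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out

def oid(value):  # OBJECT IDENTIFIER bytes -> dotted string
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)  # base 128; high bit means more bytes follow
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def name(cn):  # Name with a single commonName (OID 2.5.4.3) attribute
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
def cn_of(name_body):  # Name -> SET -> SEQUENCE -> [OID, string]
    return children(children(children(name_body)[0][1])[0][1])[1][1].decode()

# Constructed, unsigned sample: only the to-be-signed part of a certificate.
RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01"  # OID prefix 1.2.840.113549.1.1
SAMPLE = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))           # version (2 means v3)
    + tlv(0x02, (1001).to_bytes(2, "big"))                 # serial number
    + tlv(0x30, tlv(0x06, RSA + b"\x0b") + tlv(0x05, b""))  # signing algorithm
    + name("Example Test CA")                              # issuer name
    + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"260101000000Z"))  # validity
    + name("Alice Example")                                # subject
    + tlv(0x30, tlv(0x30, tlv(0x06, RSA + b"\x01") + tlv(0x05, b""))
          + tlv(0x03, bytes(141))))                        # key info, placeholder key

def parse(der):
    ver, serial, alg, issuer, validity, subject, spki = children(children(der)[0][1])
    return {"version": children(ver[1])[0][1][0] + 1,
            "serial": int.from_bytes(serial[1], "big"),
            "signature_algorithm": oid(children(alg[1])[0][1]),
            "issuer": cn_of(issuer[1]),
            "validity": [v.decode() for _, v in children(validity[1])],
            "subject": cn_of(subject[1])}

print(parse(SAMPLE))
```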
Digital certificates mainly employ asymmetric cryptography and use encryption algorithms such as RSA (Rivest, Shamir and Adleman), DSA (Digital Signature Algorithm) and ECDSA (Elliptic Curve Digital Signature Algorithm).
The DSA algorithm is mainly used for actions dealing with digital signature and signature verification. The RSA and ECDSA algorithms are used for actions related to electronic signature and also for data encryption and decryption.
Digital certificate types and classes
There are many types and classes of digital certificates, as these are provided by the CAs, which determine which ones they provide and manage.
The European regulation eIDAS 910/2014 establishes 2 types of certificates:
- Electronic Certificate: Document signed by a certification service provider, linked to a series of signature verification data and ratification of the signatory’s identity. It follows the issuing requirements established in Law 59/2003 on electronic signatures and the eIDAS Regulation of the European Parliament.
- Qualified Electronic Certificate: Certificate that adds a series of additional conditions. The issuing provider must identify the applicants and seek reliability in the services it provides. This certificate complies with the requirements of the Electronic Signature Law 59/2003 in its content, in the processes for verifying the signatory’s identity and in the conditions to be met by the certification service provider. Example: Electronic ID card.
If we consider digital certificates according to the type of identity and data, in general terms, the following 3 types can be established:
- For natural persons: Associated with the identity of a natural person or citizen. They are designed to be used mainly for personal, official procedures.
- For legal persons: Their use is intended for all types of organisations, whether they are companies, administrations or other types of organisations, all of which have a legal identity.
- For entities without legal personality: They link the applicant with signature verification data and confirm their identity for use only in communications and data transmissions by electronic, computer and telematic means in the field of taxation and public administration in general.
They are also classified in some cases according to the scope of application of the certificate, examples of which include:
- Web server certificate
- Source code signing certificate
- Company membership certificate
- Representative certificate
- Proxy certificate
- Company seal certificate
The main purpose of web server certificates is to ensure the security of communications and transactions between the web server and visitors. This allows secure access to the contents (web pages or database) of the web server that holds the certificate, as long as it is well implemented.
These certificates use the TLS (Transport Layer Security) protocol, which replaces the SSL (Secure Socket Layer) protocol. There are various web server certificates such as SSL/TLS, wildcard, SAN or multi-domain certificates, among others.
Usefulness of digital certificates
The usefulness of digital certificates is uneven, as it depends on the type of digital certificate involved and, as seen above, there are many types.
The main advantages offered by the use of digital certificates are:
- Security in communications and servers.
- Security in the authentication systems where they are implemented.
- Ease of carrying out legal or administrative actions remotely.
- Electronic signature capacity, for the signing of documentation.
- Data and information encryption capacity.