A PKI Certificate Overview For Beginners

Not everyone using personal email wants the contents of that email open to public scrutiny. While this may seem an exaggeration, any email that is not encrypted can be read by anyone who cares to take a look.

In reality, all information sent across the internet is open to anyone who can observe it, unless it is specifically protected by Secure Sockets Layer (SSL) or Transport Layer Security (TLS). A good comparison is the difference between sending a postcard through the mail (without SSL/TLS protection) and sending a sealed envelope (with SSL/TLS protection). In this case the protection is not an envelope but Public Key Infrastructure (PKI).

PKI is the framework behind both the SSL/TLS certificates that secure domains and Personal Authentication Certificates, also called client certificates or S/MIME (Secure/Multipurpose Internet Mail Extensions) certificates. It relies on two basic components that work together to provide security.

Those two components are a trusted Certificate Authority that issues the certificate, and public-key cryptography built on a pair of mathematically related keys. To understand how they work together, let's take a closer look at the terms and features in this PKI certificate overview.

The Role of the Certificate Authority

The first part of our PKI certificate overview focuses on what we do at Comodo. Because Public Key Infrastructure underpins both domain SSL/TLS products and Personal Authentication Certificates, understanding our role is critical.

At the Certificate Authority, or CA for short, we take in the information from the applicant for the product and then validate or verify it. This is done through several different means. For example, with a Certificate Signing Request for a PKI certificate for a domain, the applicant must provide specific information.

This includes the location, the name of the business or individual, the Fully Qualified Domain Name (the hostname in the site's URL in most instances), an email contact and other information. For the more advanced Extended Validation (EV) certificates, we also need to verify that the business has a physical address and is, in fact, a legal business entity.

In order to be trusted, we follow very specific procedures for validating this information. They adhere to the AICPA/CICA WebTrust for Certification Authorities Principles and Criteria, and we undergo independent WebTrust audits to verify that we meet those rigorous standards.

This is why our CA is trusted by browsers and devices: 99.9% of devices and browsers trust it, and therefore also trust the certificates we issue. In this way we "vouch" for the entity identified in the certificate, which is an essential part of the PKI certificate overview.

The Keys

The other essential feature of any PKI certificate overview is the pair of keys bound to the certificate. These keys are used to encrypt and decrypt the data that moves between a client and a server with a domain SSL/TLS product, or between an email sender and recipient with a Personal Authentication Certificate.

Private keys are kept by the owner of the certificate and are never shared with the CA or with any other user. A private key matches only the one mathematically related public key that is generated together with it when the PKI certificate request is submitted.

Data encrypted with one key of the pair can be decrypted only with the other. If a private key is ever compromised, the certificate must be revoked, which is another task of the CA. All certificates and keys are issued only for a specific period of time: one, two or three years, depending on the type of certificate.

With Personal Authentication Certificates, or email certs, the keys are also used to digitally sign email. The receiver can then check the received message against the signed hash (a mathematical fingerprint of the original message) to verify that the email was not changed or tampered with after the sender applied the digital signature.

This allows digital signatures to be used for legal documents even when they are transmitted online. For many businesses this is a critical component of Public Key Infrastructure, one that makes it possible to share legally binding documents and contracts quickly, efficiently and securely.
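As an added illustration (not from the original article and not Comodo's own code), the following Go program uses only the standard library to walk through the roles described above: a CA issues a one-year email certificate binding a sender's public key to her validated name and address, the sender signs a message with the private key she never shared, and the recipient accepts the message only if the certificate chains to the CA it trusts and the signature still matches the message. The CA name, "Alice Example", "alice@example.test" and the validity periods are constructed values for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue has caKey sign tmpl (parent == tmpl yields a self-signed root). Demo-only: panics on failure.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, caKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // parsing DER we just produced cannot fail
	return cert
}
// Setup plays the article's parties and returns the recipient's trust store (the CA alone), the sender's cert and her key.
func Setup() (*x509.CertPool, *x509.Certificate, *ecdsa.PrivateKey) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)     // the CA's own signing key
	senderKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // made by the applicant; the CA sees only the public half
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now, NotAfter: now.AddDate(3, 0, 0)}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // three-year self-signed root (constructed values)
	leaf := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Alice Example"},
		EmailAddresses: []string{"alice@example.test"}, NotBefore: now, NotAfter: now.AddDate(1, 0, 0), // one-year cert
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}, ca, &senderKey.PublicKey, caKey) // the CA binds Alice's public key to her validated name and address
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, leaf, senderKey
}
// Sign hashes the message with SHA-256 and signs that digest with the sender's private key.
func Sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}
// Verify is the recipient's side: the cert must chain to a trusted CA, be valid now and be issued for email; then the signature must match.
func Verify(roots *x509.CertPool, leaf *x509.Certificate, msg, sig []byte) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}); err != nil {
		return err // untrusted issuer, expired certificate or wrong usage
	}
	return leaf.CheckSignature(x509.ECDSAWithSHA256, msg, sig) // re-hashes msg: any change to it fails
}
```

Verify fails both when a single byte of the message changes and when the certificate was issued by a CA the recipient does not trust, which is exactly the two checks a mail client performs on a signed message.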

If you have questions about this PKI certificate overview or if you want to discuss the right options for your needs, visit us online at https://www.instantssl.com. Feel free to give us a call as well at +1 888 266 6361.
