What Is a Digital Certificate (Technically)?
A digital certificate, within the Public Key Infrastructure (PKI) framework, is a data structure containing a user's public key and identifying information, which is attached to a document signed with the user's private key to enable recipients to verify the signature's authenticity and the document's integrity through asymmetric cryptography.
This is part 2 of the Digital Certificates series. Don't forget to read part 1 here.
When we say that a document is “signed with a digital certificate”, technically and strictly speaking, it’s not correct. The document is signed with a private key, and then a certificate containing a matching public key is attached. Let’s unpack this a bit.
Digital certificates are a concept defined within the Public Key Infrastructure (PKI) framework and a set of standards. PKI is based on asymmetric cryptography, which at its core relies on pairs of mathematically linked public and private keys. The public key is usually freely shared, and the private key is kept secret.
That keypair has some important properties:
- If you digitally encrypt something with a public key, you can then decrypt it only with the matching private key—ensuring privacy of the communication.
- If you digitally sign something with a specific private key, you can then use the matching public key to verify that the signer was indeed in possession of the specific private key—ensuring authenticity of the communication.
The certificate contains only the public key, plus the user’s (or other entity’s) names and other attributes.
When you digitally sign a document with your secret private key, the resulting digital signature and a matching certificate are attached to the document. Later, if the document's recipient wants to verify the authenticity of the digital signature, as well as the integrity of the document, they can do so by using the public key contained in the certificate.
Digital encryption and signing via PKI are very strong—"cryptographically strong"—if the keys are of sufficient size and modern algorithms are used. This means you can’t decrypt a message without the correct private key, and you also can’t forge someone’s digital signature without their private key.
But how can you be sure that the user Alice whose name is on the certificate really is Alice? Technically, anyone can generate a keypair, put any name they want on the certificate, and use it as they want. The software for that is freely available.
PKI solves this via Certificate Authorities (CAs)—special, trusted entities that issue trusted certificates. They do so by performing identity validation of users or organizations, issuing digital certificates containing vetted information, and in turn digitally signing those certificates with their secret private keys.
CAs also perform other functions such as revoking certificates, answering “is this certificate currently valid and not revoked?” questions via special protocols, and so on.
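The flow described above, as an added example (not code from this article or from Proof): a document is signed with a private key, the certificate is attached, and the recipient checks both the signature and whether a trusted CA issued the certificate. The names `issue` and `verify`, "Example CA" and the sample document are assumptions; it uses Ed25519 from Go's standard library, which hashes the message internally.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a key pair and a certificate binding name to the public key.
// parent == nil yields a self-signed certificate (a root CA, or anyone at all).
func issue(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verify checks the signature with the cert's public key, and the cert against the trusted CA.
func verify(doc, sig []byte, cert, ca *x509.Certificate) (sigOK, trusted bool) {
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return ok && ed25519.Verify(pub, doc, sig), err == nil
}

func main() {
	ca, caKey := issue("Example CA", true, nil, nil)
	alice, aliceKey := issue("Alice", false, ca, caKey)
	fake, fakeKey := issue("Alice", false, nil, nil) // impostor: same name, no CA vetting
	doc := []byte("constructed sample contract")
	fmt.Println(verify(doc, ed25519.Sign(aliceKey, doc), alice, ca))                // true true
	fmt.Println(verify(doc, ed25519.Sign(fakeKey, doc), fake, ca))                  // true false
	fmt.Println(verify([]byte("tampered"), ed25519.Sign(aliceKey, doc), alice, ca)) // false true
}
```

The second line of output is the case the CA exists for: the impostor's signature is mathematically valid for the key in their certificate, so only the chain check exposes that nobody vetted the name on it.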
eSignatures vs. Digital Signatures
- Digital signatures are virtually unbreakable and guarantee the authenticity and integrity of the signed documents. However, PKI is relatively complex and carries non-trivial overhead and costs for its operators and users due to requirements of compliance, secure enrollment, management, storage and application of various keys, and so on.
- Standard eSignatures do not involve any cryptography. They are very easy to apply—just affix someone’s name to the document in a visual way, and record this fact somewhere. However, a signer's identity is usually not vetted in a strong, consistent and trusted way.
Proof is a digital trust platform built on top of PKI, providing cryptographically strong digital signatures for any kind of content and transactions, yet affordable and simple to use.
Next time, we’ll dive into Proof PKI’s security architecture in a bit more detail.
*Digital signing is a special mathematical operation performed on a digital digest of the message (aka hash).
*Various off-the-shelf software such as Adobe Acrobat usually does it for you.
*This allows you to validate the authenticity of the digital certificate, like any other digital message, i.e. that it came from the specific user—CA in this case—and was not modified.