Digital Certificate is tool which realize safe communication , which is issued by CA( Certificate Authority: e.g. Verisign ) , installed to machine (e.g. Web server), and used by user accessing to the machine validating one ( the machine is not disguised! ) and used for encrypting communication.
Simply put, Digital Certificate provides the feature of Authentication and Encryption. It is used https communication in many cases, but not necessarily.
Digital Certificate's Authentication feature is often compared with Ward's Seal Registration. Comparison and image diagram are shown below.
General procedure for issuing digital certificates are as follows:
- Using the certificate issuing function of OpenSSL in the Linux server (or other equipment), input publisher information, the host name (common name =FQDN) and so on, and execute the function, then CSR and the private key will be generated. About CSR, explained later.
- The private key is leave so that it is not as much as possible known to others, CSR will be sent by mail or the like to a certificate authority. (Digital certificate body is common to use to publish to the Internet, so CSR to be its original will may be public information.)
- The CA using the private key of its own, to grant an digital signature to CSR. The result will be "Digital Certificates". It sends back this Digital Certificate to CSR sender.
- CSR sender will install the Digital Certificate with secret key to the device he wants to use. (He can even separate from the equipment that issued the CSR)
CSR is called Certificate Signing Request. When this is created, secret key and public key are generated together. CSR includes public key, and sending the CSR to Intermediate CA, the CA append the digital signature which is created by secret key of Intermediate CA (hashing CSR and encrypting with secret key) to CSR , so Digital Certificate is completed.
Validation of Digital Certificate
People to validate the authenticity of the Digital Certificate (If you have a Digital Certificate installed on the Web server, people to access to the Web server) , it decrypts the digital signature using the public key of the intermediate CA, actual compared with those obtained by calculating the hash value of the Digital Certificate to verify that it is the same.
Validity of the intermediate certificate is done by using a public key of the root CA in the same way.
However, the validity of the Root CA does not have a way of verification. So the Root Certificate to trust determined in advance, and you must install that to PC. For example, OS have pre-installed Root Certificate which should be trusted. When you validate the server certificate with https communication or the like, finally you get to the Root Certificate, so OS make sure whether the Root Certificate is installed or not. You can install any Root Certificateafter by yourself in anytime.
Treatment of Intermediate Certificate
Intermediate Certificate is, in general, concatenated with Digital Certificate to one file, and installed to the device you want to use. It enables verification of the Digital Certificate by the public key of the intermediate certificate in doing so.
On left in the above figure, you can see the Digital Certificate of Google opend by Windows, and right-hand side is what exporting an intermediate certificate and digital certificate in base64 encoded X.509, and concatenating with Notepad.
As the Windows OS, it recognizes Digital Certificate with Intermediate Certificate by jointing the Intermediate Certificate upper, with Digital Certificate lowwer.
But careness is necessary because it may not be recognized until the certificates in reverse order, it's depended on vendors for Load Balancer and so on.
If you are not connected an intermediate certificate, and install only the digital certificate, it will be used the Intermediate Certificate that is installed on the OS of the user side, but if not installed, the verification fails and errors is shown.
To verify whether the Intermediate Certificate and Root Certificate are installed or not, Click "Internet Options" in the IE -> "Content" -> "Certificate" -> [Intermediate Certification Authorities] and [Trusted Root Certification Authorities.
Root Certificate = Self-signed Certificate
Since the Digital Signature is also requied to the Root Certificate in the rules of Digital Certificate Standard, Root Certificates are digital-signed using its private key.
So the Root Certificate is always self-signed certificate.
Well it has been misunderstood, Certificate which is made by myself is not necessarily self-signed certificate. In actually, Certificate made by myself is often self-signed certificate, but as a different case, for example you build Root CA by yourself on a Windows server or a Linux server, or the like, and the Digital Signature using the private key of the CA to Digital Certificate, it is not called self-signed certificate. It is simply a digital certificate that has not been publicly trusted. (However, in the local be installed in the Root Certificate to "Trusted Root Certification Authorities" can serve as a trusted digital certificate)
The private key, it is necessary to use always with a digital certificate and pair, "that you have a secret key" is, proved to be a "legitimate owner of the contents of the electronic certificate", also at the same time, communication you can do the encryption. Since the secret key is required is strictly controlled. If bale to the secret key is someone, the Digital Certificate should stop immediately available.
Use method of Digital Certificate is variety. For example, installing Web Server (IIS of Windows Server, Apache of RedHat Enterprise Linux, and so on), to function as a "Server Certificate", you can do the validity of claims and communication encryption of the server by the https communication.
In this case, the server administrator is asked to issue a pay for server certificate to the certification authority service skilled in the art, such as GeoTrust, you will need to install it.
And, if installed in the browser of the client (such as Windows or Macintosh) to function as a "client certificate", you can be the client to browse the "site that only the certificate holders can be viewed."
In this case, basically will be the "issuer = the publishers".