Cel Mengata from St Paul, Minnesota writes:
What is a certificate and how does it work on a computer?
Cel, a digital certificate is an attachment to an electronic message used for security purposes. It is the digital equivalent of a physical or paper certificate. Just as a physical license serves to identify an individual and show what they are allowed to do, e.g. a driver’s license identifies someone who can legally drive, a digital certificate is presented to prove your identity and the right you have to access certain information on the internet.
It is used to ensure that when data passes from one computer to another over a network, the data will not be able to be read by an unauthorized entity and for extra security measures, the data will be checked by the receiving computer using a digital certificate to verify the integrity of the data and to ensure that it was not altered in transit.
When data is sent through a network, there is usually a risk that the message may be intercepted, read and even modified by an unauthorized person. To prevent this, data is usually encrypted to prevent it from being read and understood until it is decrypted. This is where digital certificates come in.
Digital certificates use a cryptographic technology called public-key cryptography to sign data and to verify the integrity of the certificate itself.
Public key cryptography is a system based on pairs of keys called public key and private key. A public key is used to encrypt data and its corresponding private key is used to decrypt the data.
To understand how public-key cryptography works, we will look at how it is used to encrypt email messages from Email Client A to Email Client B. Suppose A wants to send a secure encrypted message to B and wants to ensure that only B can decrypt the message. B owns a public key and a private key. He can only decrypt a message (using his private key) that was encrypted by his public key. To make it possible for others to encrypt messages with his public key, he applies for a digital certificate from a Certified Authority (CA). The CA issues B a digital certificate containing his public key and a variety of other identification information. The CA then makes B’s public key available on the internet through a directory service. When A wants to send a message to B, he obtains the digital certificate containing B’s public key and identification information from a CA’s directory service and uses it to encrypt the message before sending it. When B receives the message, he uses his private key to decrypt it. As long as B’s private key is kept secure, no other user can decrypt a message meant for them.
A digital certificate contains information that identifies the certificate’s owner and their public key. The certificate also has information that identifies its issuer i.e. the Certified Authority (CA) that issued the certificate. The CA digitally signs each certificate with its own private key. To do this, the CA generates a message digest from the certificate, encrypts the digest with its private key and includes the digital signature as part of the certificate. Clients can use the message digest and the CA’s public key to verify the certificate’s integrity. If a certificate becomes tampered, its message digest will not match the digest in the CA’s digital signature.
~Joyce
Informative Thanks a lot
It would be better if you can explain with a real time example of the website and a Certificate Authority. Its a bit difficult to understand whats happening in real time.
Hello Sir, May I know what do you mean by digital signature in the below statement?
“To do this, the CA generates a message digest from the certificate, encrypts the digest with its private key and includes the digital signature as part of the certificate.”
digital signatures are used basically to authenticate the sender, So CA will calculate the message digest using hash function(using it’s own private key) and then how would it encrypt that data as Certificate requester(receiver of certificate) does not have any public -private key pair initially(at this moment).
does this this mean that CA sends the certificate back to the Requester unencrypted?