Introduction to Digital Certificates

The purpose of a digital certificate is to provide a mechanism for transmitting a public key to a subject to use in decrypting a message. The subject has three characteristics: First, he is the receiver of the message; second, he is the receiver of the public key; and finally, he wants to decrypt a message. The transferring of a public key doesn't sound very complicated, but there are many issues that can arise in the process. For example, how do you know that the public key originated from the person who sent the message, and how do you know that the public key hasn't been tampered with?

To understand the digital certificate, there are three basic protocols that you need to understand. The first is the key pair algorithm. In that algorithm, a private key encrypts, and a public key decrypts what the private key encrypted. The public and private keys are mapped to each other, which means that these keys are generated from each other and only those two combinations can work together.

The next protocol you must understand is the X.509 specification. X.509 describes the format of digital certificates and some of the common management techniques used because of the format. This chapter addresses the X.509 specification. Part of the X.509 specification identifies the issuer and the subject with a distinguished name (DN) that belongs to the X.500 specification. The X.500 is used to identify the issuer and subject, and can also be used as a directory tree structure to save the certificate in a repository such as the Java KeyStore (JKS).

The X.509 specification has a definition in the name itself. The "X" part of the specification means that it is part of the data networks and open system communications. Any specification that falls between X.500 and X.599 means that it is a directory specification. X.509 is a directory specification because it is built to store security keys into a directory structure. The directory structure entries are stored in the certificate using the X.500 protocol that was introduced as the Data Communication Network Directory . Later, version 1 of X.500 was enhanced to become version 2, which is commonly known as the Lightweight Directory Access Protocol (LDAP).

Organizations that use digital certificates are known to have an infrastructure that supports public keys, which is commonly known as Public Key Infrastructure (PKI). The format of the digital certificate provides information on who issued the key, along with the public key and the signature to validate all the information. Some commercial organizations pick up the responsibility of managing and authenticating the digital certificate. Such an organization is known as a Certificate Authority (CA).