What is a Digital Certificate
A digital certificate is a signed public key. It is signed by an authority that is deemed to be trusted. The certificate of the trusted authority is needed to verify a certificate. The trusted authority certificates are known as root authority certificates and need to be kept in a secure place usually referred to as a trusted authority store. The certificates of many root authorities come pre-installed with most modern operating systems and browsers.
To understand how digital certificates work, you need to be familiar with the concepts of asymmetric encryption, symmetric encryption and cryptographic hashes.
Symmetric encryption uses the same key to encrypt and decrypt. It is only secure if the key is kept private.
Asymmetric encryption uses key pairs. With key pairs, one key is used to encrypt data and that data can only be decrypted with the corresponding key. One of these keys is designated the private key and the other the public key. Data is encrypted using the public key and decrypted using the private key. Asymmetric encryption can also be used to create secure digital signatures. Digital signatures are created by using the private key and can be verified using the public key.
As its name suggests, the private key needs to be kept private and must not be made publicly available. The public key, however, can be freely distributed to anyone who wants it.
A cryptographic hash is like a digital fingerprint of data. Hashing algorithms are designed in such a way that a small change to the data makes a significant change to the hash that is generated. A hashing algorithm will always generate the same hash for the same data.
A digital signature is a fingerprint of a document or other piece of data that is used to verify the original document's authenticity. To create a digital signature, a cryptographic hash of the data to be signed is generated. This hash is then encrypted using the private key of the person or organisation that is doing the signing. The signature can be validated by anyone with the corresponding public key. To verify a digital signature, the client decrypts the signature to get the original hash and then compares this against a newly generated hash of the data. If the two hashes match, the signature is valid and the data has not been altered.
Digital certificates are used to validate the authenticity of a public key. A certificate is a public key that is signed with a digital signature. This is to verify that the public key really does come from the person or organisation that the client expects.
A certificate contains a public key and a number of fields, including the subject name, date of validity and the name of the certifying authority (CA), together with a signature over the public key and all fields, created with the CA's private key.
A client validates the certificate by first creating a new hash of the certificate data. Using the CA field of the certificate, it then locates the CA's certificate in the local trusted authority store. Finally, it uses the public key from the CA's certificate to decrypt the certificate's signature and compares the resulting hash with the newly generated one.
A self-signed certificate is a certificate that is signed using its own private key and therefore can be verified by its own public key. Self-signed certificates are easily created by using freely available tools (like OpenSSL) and don't require a third party CA to be involved. They are usually used for testing or when they are only used by a limited set of clients, for example in a corporate environment.
Root Certificate Authorities
A root certificate is simply a self-signed certificate that is installed in the browser (or operating system) as a trusted key. Anyone can create a self-signed certificate, but to install it in the trusted certificate store of a client you need to have administrative access to the client machine. The certificates of many root authorities come pre-installed with most modern operating systems and browsers.
Intermediate Certificate Authorities
An intermediate CA (Certificate Authority) certificate belongs to an authority that issues certificates but isn't itself a root CA; instead, its certificate is signed by a root CA. The intermediate CA has been delegated permission to generate certificates by the root authority. An intermediate CA certificate forms part of a certificate chain. All certificates in the chain are needed to verify the end certificate. If the end certificate is an SSL certificate, then for the SSL certificate to be verified, the web server must send the intermediate CA's certificate as well as the website's SSL certificate so that the client has all the certificates in the certificate chain. Note that the client should already have the certificate of the root authority in the local trusted authority store.
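The chain check described above, reproduced with the OpenSSL command-line tool as an added example (not part of the original article). The CA names, host name and file names are constructed, and the single file root.pem stands in for the trusted authority store.

```shell
# Constructed demo: every name here (Demo Root CA, www.example.test) is made up.
make_cert() {  # make_cert <dir> <name> <CN> <issuer name | self> <extension line>
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
  printf '%s\n' "$5" > "$1/$2.ext"
  if [ "$4" = self ]; then
    # Self-signed: signed with its own private key (root CA or ad-hoc certificate).
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -sha256 -days 30 \
      -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
  else
    # Signed with the issuer's private key; the issuer's name goes into the certificate.
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
      -CAcreateserial -sha256 -days 30 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
  fi
}

build_chain() {  # root -> intermediate -> server certificate, plus an unrelated self-signed one
  make_cert "$1" root       "Demo Root CA"         self "basicConstraints=critical,CA:TRUE" &&
  make_cert "$1" int        "Demo Intermediate CA" root "basicConstraints=critical,CA:TRUE" &&
  make_cert "$1" leaf       "www.example.test"     int  "basicConstraints=CA:FALSE" &&
  make_cert "$1" selfsigned "www.example.test"     self "basicConstraints=CA:FALSE"
}

# Client side: root.pem is the whole trusted authority store.
verify() {  # verify <dir> <certificate> [intermediate certificate sent by the server]
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/$3" "$1/$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/$2" >/dev/null 2>&1
  fi
}

demo_dir=$(mktemp -d) && build_chain "$demo_dir" || exit 1
verify "$demo_dir" leaf.pem int.pem && echo "leaf + intermediate: chain verifies"
verify "$demo_dir" leaf.pem         || echo "leaf alone: issuer missing, rejected"
verify "$demo_dir" selfsigned.pem   || echo "self-signed, not in the store: rejected"
rm -rf "$demo_dir"
```

The second case is what a client sees when a web server is configured with only its own certificate and omits the intermediate.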