What is a Public Key Certificate?
A Public Key Certificate, also called a digital certificate, is an electronic document that verifies the identity of a user, device, or service within a Public Key Infrastructure.
A PKI certificate typically includes:
Distinguished name (Owner name)
Owner's public key
Date of issuance
Expiration date
Distinguished name of the certificate authority
Issuing certificate authority's digital signature
There are different types of PKI certificates, including:
TLS/SSL Certificates: Transport Layer Security (TLS), commonly referred to as Secure Sockets Layer (SSL), is a protocol used to secure internet communication. TLS/SSL certificates are used to encrypt data exchanged between a user's browser and a web server, ensuring data is transmitted securely and cannot be modified or stolen by unauthorized parties.
Code Signing Certificates: A code signing certificate is a public key certificate used to sign software, ensuring its integrity and authenticity.
It contains the publisher's public key, identity details, and a digital signature from a Certificate Authority. Developers use their private key to sign the code, and end users use the associated public key to verify the signature.
When users download software, their browser or operating system may validate the signature to ensure it has not been altered since it was signed.
Document Signing Certificates: Document Signing Certificates are used to sign electronic documents to verify their source. These certificates ensure that both parties signing a contract digitally can confirm that the document is authentic and trustworthy.
Verified Mark Certificates (VMC): A Verified Mark Certificate is a digital certificate that displays a brand-registered logo next to the brand or sender's name in supported email clients. This helps recipients identify trusted brands, enhancing email authenticity. In other words, a VMC focuses on enhancing brand trust through visual identity.
Email S/MIME (Secure/Multipurpose Internet Mail Extensions) Certificates: S/MIME certificates are used to secure email communication. They ensure that emails are encrypted, allowing only the intended recipient to read their contents, and digitally signed to verify the authenticity and integrity of the message.
For example, the sender signs the email with their private key, and the recipient verifies the signature with the sender's public key. To send an encrypted reply, the recipient uses the sender’s public key to encrypt the message, which the sender can then decrypt using their private key.
This process prevents spoofing, protects sensitive information, and builds trust in email communication.
EU Qualified Certificates: EU qualified certificates are public key certificates that adhere to stricter legal and technical requirements under the eIDAS (Electronic Identification, Authentication and Trust Services) regulation in the European Union.
They are issued by a Qualified Trust Service Provider (QTSP) and are used to support qualified trust services such as qualified electronic seals. These seals verify the identity of the entity and ensure that documents remain unchanged after the seal is applied.
PSD2 (Payment Services Directive) Certificates: PSD2 certificates are digital certificates used to secure and authenticate communication between banks and third-party providers (TPPs) under the EU's Revised Payment Services Directive, to ensure authentication and trust in financial transactions.
The two main types of PSD2 certificates are:
QWAC (Qualified Website Authentication Certificate): Used to authenticate third-party providers and establish secure communication channels. It ensures the trustworthiness of online transactions by verifying the website's identity.
QSealC (Qualified Electronic Seal Certificate): This is used to seal data digitally, ensuring its integrity and non-repudiation (proving data hasn't been altered).
How does PKI work?
PKI (Public Key Infrastructure) enables organizations to request digital certificates issued by a Certificate Authority. A digital certificate proves the authenticity of an entity such as a user, device, or server.
When an organization generates a CSR (Certificate Signing Request), it is sent to a Registration Authority (RA), which verifies the identity of the requester and confirms it to the Certificate Authority, which then issues the digital certificate.
The process is divided into:
Enrolment: Involves submitting a request to the Certificate Authority. The request includes a public key and identity information, like a domain name, to prove identity to the Certificate Authority or Registration Authority.
Verification: The Certificate Authority or Registration Authority verifies identity, and after successful verification, the Certificate Authority issues a digital certificate that contains the entity's public key, identity information, the Certificate Authority's digital signature, the expiration date, etc.
Certificate Validation: The recipient verifies the Certificate Authority's digital signature, checks the certificate's validity status, and confirms that the certificate has not been revoked. Certificates can be revoked if the private key is compromised, if the certificate was issued incorrectly, if the certificate has expired, or if the identity of the entity has changed.
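The three stages above, walked through with the openssl command line. This is an added example, not part of the original article; the CA name, host names, file names and lifetimes are constructed for the demo, and it assumes the openssl CLI with its default configuration file is installed.

```bash
#!/usr/bin/env bash
# Added example. "Example Test CA" and the host names are constructed for the demo.
set -eu

make_ca() {   # $1 = work dir: self-signed demo CA, minimal `openssl ca` config, empty CRL
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  : > "$1/index.txt"; echo 01 > "$1/crlnumber"
  cat > "$1/ca.cnf" <<EOF
[ca]
default_ca = demo
[demo]
database = $1/index.txt
crlnumber = $1/crlnumber
certificate = $1/ca.crt
private_key = $1/ca.key
default_md = sha256
default_crl_days = 7
EOF
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}
enrol() {     # $2 = host name; the private key stays local, only the CSR is submitted
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
}
ra_check() {  # RA: CSR self-signature proves key possession; subject must be the expected name
  openssl req -in "$1/leaf.csr" -noout -verify 2>&1 | grep -q "verify OK" &&
    openssl req -in "$1/leaf.csr" -noout -subject | grep -qF "$2"
}
issue() {     # CA signs the verified request with its private key
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 7 -out "$1/leaf.crt" 2>/dev/null
}
validate() {  # relying party: CA signature, validity period and CRL status in one call
  openssl verify -CAfile "$1/ca.crt" -crl_check -CRLfile "$1/ca.crl" \
    "$1/leaf.crt" >/dev/null 2>&1
}
revoke() {    # CA records the revocation and publishes a fresh CRL
  openssl ca -config "$1/ca.cnf" -revoke "$1/leaf.crt" 2>/dev/null
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}

d=$(mktemp -d); make_ca "$d"; enrol "$d" www.example.test
ra_check "$d" www.example.test && issue "$d"
validate "$d" && echo "before revocation: accepted"
revoke "$d"
validate "$d" || echo "after revocation: rejected"
```

The same certificate passes validation until the CA publishes a CRL that lists it, which is why a relying party that skips the revocation check keeps trusting a certificate whose key has been compromised.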
Components of Public Key Infrastructure (PKI)
Key components of a public key infrastructure include the following:
Certificate Authority: A Certificate Authority is a trusted entity that issues, stores, and signs digital certificates. It uses its private key to sign digital certificates, which can be verified using the Certificate Authority's public key.
Registration Authority: The registration authority is responsible for verifying the identity of users, devices, or organizations that require digital certificates. It works alongside the certificate authority by forwarding validated requests to the certificate authority.
The Certificate Authority can act as a Registration Authority, or the Registration Authority can be a separate third party focusing only on identity verification.
Certificate Database: This is a database or repository that stores and manages individual digital certificates along with metadata such as the validity period of the certificate, revocation status, etc.
Certificate Management System: These are protocols used to manage digital certificates in an organized manner, including access control, creation, distribution, storage, and revocation.
Central Directory: A central directory is a location where cryptographic keys are indexed and stored securely.
Certificate Policy: This is a public document that defines rules, practices, and standards of the Public Key Infrastructure. It helps third parties determine whether the certificates issued under PKI can be trusted.
Benefits and Challenges of PKI
Benefits | Challenges |
Data Confidentiality and Integrity | Outdated Protocols |
Digital Signatures | Weak Keys and Irregular Key Rotation |
Access Control | Mismanaged Certificates |
Secure Website Communication | Improper Protection and Management of Private Keys |
Authentication | |
Improved Trust | |
Benefits of PKI
Several benefits of Public Key Infrastructure include the following:
Data Confidentiality and Integrity: PKI ensures that information is accessible only to authorized parties. It supports encryption, which protects communication and ensures that data in transit is not tampered with.
Digital Signatures: Digital signatures verify the authenticity and integrity of data. PKI enables digital signatures by providing the cryptographic keys and certificates required to validate the sender, ensure data has not been altered, and prevent the signer from denying they signed the document (called non-repudiation).
Access Control: Digital certificates and public-private key authentication restrict access to systems, files, and networks, ensuring that only users with valid certificates can access resources.
Secure Website Communication: PKI enables SSL/TLS certificates, which encrypt data transmitted between a browser and a website, ensuring data confidentiality and integrity.
Authentication: PKI supports certificate-based authentication for users, devices, and services, confirming that something or someone is trustworthy.
Improved Trust: By verifying identities and securing communication, PKI builds trust. For example, websites with valid SSL certificates are more likely to be trusted by users.
Challenges of PKI
The limitations of Public Key Infrastructure include:
Outdated Protocols: Deprecated and outdated protocols can become vulnerable to security incidents and data breaches.
Weak Keys and Irregular Key Rotation: Weak keys are considered a security risk because they are easy to break. Many systems do not rotate keys frequently, which allows attackers to use compromised keys to impersonate entities and steal sensitive information.
Mismanaged Certificates: Mismanaged certificates involve failing to issue, renew, or revoke certificates on time. This can lead to expired or insecure certificates, which may cause vulnerabilities and service outages, affect the organization's network and compliance posture, and potentially cause a data breach.
Improper Protection and Management of Private Keys: Private keys ensure that data is kept secure, and if they are not protected, attackers can steal them or use vulnerabilities to access confidential information for malicious purposes.
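A small inventory check for two of the challenges above, weak keys and certificates that are not renewed on time. This is an added example, not part of the original article; the 2048-bit minimum, the 30-day renewal window and the sample certificates are assumptions constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example. Thresholds and the sample certificates are constructed for the demo.
set -eu

audit_cert() {  # $1 = PEM certificate, $2 = minimum RSA bits, $3 = renewal window in days
  findings=""
  text=$(openssl x509 -in "$1" -noout -text)
  # Key-size rule applies to RSA only; other algorithms use different size scales.
  if printf '%s\n' "$text" | grep -q "Public Key Algorithm: rsaEncryption"; then
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "$bits" -lt "$2" ]; then findings="$findings weak-key($bits)"; fi
  fi
  # -checkend N exits non-zero when the certificate expires within N seconds.
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
    findings="$findings expired"
  elif ! openssl x509 -in "$1" -noout -checkend "$(( $3 * 86400 ))" >/dev/null; then
    findings="$findings expires-soon"
  fi
  echo "${findings:- ok}" | cut -c2-
}

make_cert() {   # constructed sample: $1 = output prefix, $2 = RSA bits, $3 = lifetime in days
  openssl req -x509 -newkey "rsa:$2" -nodes -days "$3" -subj "/CN=audit.example.test" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

d=$(mktemp -d)
make_cert "$d/good" 2048 365; make_cert "$d/weak" 1024 365; make_cert "$d/soon" 2048 10
for c in good weak soon; do
  echo "$c: $(audit_cert "$d/$c.pem" 2048 30)"
done
```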
Use Cases of PKI
Email Encryption: PKI ensures that email content is encrypted, and only authorised recipients can decrypt it.
Digital Signatures: Digital signatures verify the authenticity and integrity of digital documents by signing them with a private key and verifying them with a public key.
SSL/TLS (HTTPS): SSL/TLS certificates issued through PKI secure the communication between browsers and servers by encrypting data.
VPNs: VPNs use certificates to authenticate users and devices, ensuring that only trusted parties can access a private network.