The certificate is identical to the certificate request with the addition of the certificate authority’s signature. The certificate is composed of the endpoint’s distinguished name, public key and signature. The distinguished name contains details about the certificate bearer including country, state or province, locality, details about the entity the certificate represents, and often an email to contact if there are problems. The public key is needed later to allow the SSL handshake to be performed securely. The signature is generated by digesting the entire certificate and encrypting the digest with the certificate authority’s public key. The signature ensures the certificate has not been modified since signing and that it was actually signed by the certificate authority. Thus, certificates provide a measure of trust when signed by a legitimate certificate authority.
The certificate request is composed of the endpoint’s distinguished name and public key. The distinguished name contains details about the certificate bearer including country, state or province, locality, details about the entity the certificate represents, and often an email to contact if there are problems. The public key is needed later in the signed certificate to allow the SSL handshake to be performed securely.
The certificate subject (client or server) sends a certificate request to the certificate authority to get a certificate issued. The certificate authority thoroughly verifies the information included in the certificate request. Once the certificate authority has done its due diligence, it will digest and sign the certificate request with the certificate authority’s private key to create a signed certificate. Finally, the certificate authority issues the signed certificate to the certificate subject. Any machine or organization may be a certificate authority and issue certificates. Every machine has a collection of trusted certificates; these trusted certificates allow the machine to trust any and every machine issued a certificate by the certificate authority that owns the trusted certificate. Trusting a certificate should be done with great care – trusting a bad certificate authority can completely undermine the security of your system and network. Some well-known and widely trusted certificate authorities include Verisign and DigiCert. In summary, getting a certificate issued is much like getting a driver’s license: you fill out the certificate request (application) with relevant information, and the certificate authority (DMV) verifies your identity and issues a signed certificate (driver’s license) that proves your identity to others and is extremely difficult to counterfeit perfectly.
The Secure Socket Layer (SSL), also known as Transport Layer Security (TLS), is one of the fundamental technologies supporting the web today. SSL/TLS provides the security needed to keep information that crosses the Internet confidential, verify the identity of the other machine, and ensure that the information isn’t tampered with in transit through the World Wide Web. The first step in the process is for every server to get a certificate from a reputable certificate authority that proves its identity. Clients may also be issued identifying certificates to ensure two-way identification. When two devices want to communicate, they perform an exchange of information (handshake) that helps establish their identities and set up a secured connection. To establish trust, they send their certificates to one another, and by using the trusted certificate authority’s own certificate they can verify the identity of the other machine. Clients are not normally required to provide a certificate; however, servers must provide a certificate. Once the handshake is complete and they trust each other, they may begin communicating data between them without fear of eavesdropping or tampering.
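The issuance steps and the trust check described above can be followed end to end with Go's standard `crypto/x509` package. This is an added example, not code from the original page: a subject builds a request, a CA signs it with its private key, and a verifier holding the CA's certificate accepts the result while rejecting an altered copy and a certificate from a CA it does not trust. The names, the Ed25519 key type and the validity period are assumptions chosen for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign binds subject to pub in a certificate signed with signerKey; a nil parent yields a self-signed CA.
func sign(subject pkix.Name, pub interface{}, parent *x509.Certificate, signerKey ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// trusts reports whether cert verifies against a trust store holding only root.
func trusts(cert, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}
// demo returns the trust decision for the issued certificate, for a copy altered
// after signing, and for the issued certificate checked against an unrelated CA.
func demo() (genuine, altered, unrelatedCA bool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := sign(pkix.Name{CommonName: "Example Root CA"}, caPub, nil, caKey)
	_, key, _ := ed25519.GenerateKey(rand.Reader) // subject's key pair (constructed sample identity below)
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{Country: []string{"US"}, Organization: []string{"Example Org"}, CommonName: "www.example.test"}}, key)
	csr, _ := x509.ParseCertificateRequest(csrDER)      // CA side: distinguished name + public key
	cert := sign(csr.Subject, csr.PublicKey, ca, caKey) // signed with the CA's private key
	forged, _ := x509.ParseCertificate(bytes.Replace(cert.Raw, []byte("example.test"), []byte("examp1e.test"), 1))
	otherPub, otherKey, _ := ed25519.GenerateKey(rand.Reader)
	other := sign(pkix.Name{CommonName: "Unrelated CA"}, otherPub, nil, otherKey)
	return trusts(cert, ca), trusts(forged, ca), trusts(cert, other)
}
func main() { fmt.Println(demo()) }
```

The altered copy differs from the issued certificate by a single character in the subject name, which is enough for the CA's signature to stop matching.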