The ISO X.509 protocol defines a mechanism called a certificate that
contains a user’s public key that is signed by a trusted entity called a
certificate authority (CA).
Certificates contain information used to establish identities over a
network in a process called authentication. Like a driver’s licence, a
passport, or other forms of personal identification, certificates enable
servers and clients to authenticate each other before establishing a secure
Certificates are valid only for a specified time period; when a
certificate expires, a new one must be issued. The issuing authority can also
To establish an SSL/TLS connection, you require a server certificate
at one end of the connection and a root certificate of the CA that issued the
server certificate at the other end.
- Server certificate: A server certificate certifies the identity of a server.
The type of digital certificate that is required by the Secure Gateway is
called a
- Root certificate: A root certificate identifies the CA that signed the server
certificate. The root certificate belongs to the CA. This type of digital
certificate is required by a user device to verify the server certificate.
When establishing an SSL connection with a Web browser on a user
device, the server sends its certificate to the client.
When receiving a server certificate, the Web browser (for example,
Internet Explorer) on the user device checks which CA issued the
certificate and whether that CA is trusted by the client. If the CA is not
trusted, the Web browser prompts the user to accept or decline the certificate
(effectively accepting or declining the ability to access this site).
When User A receives a message from User B, the locally stored
information about the CA that issued the certificate is used to verify that it
did indeed issue the certificate. This information is a copy of the CA’s own
certificate and is referred to as a root certificate.
Certificates generally have a common format, usually based on
International Telecommunication Union (ITU) standards. The certificate contains
information that includes:
- Issuer: The organization that issues the certificates.
- Subject: The party that is identified by the certificate.
- Period of validity: The certificate's start date and expiration date.
- Public key: The subject's public key used to encrypt data.
- Issuer's signature: The CA's digital signature on the certificate used to
guarantee
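The two halves of the text above (a CA signing a server certificate, and a client checking that certificate against the CA's root certificate) can be walked through with the openssl command line. This is an added example, not part of the original document or the Secure Gateway product; it assumes the openssl CLI is installed, and all names (Example Root CA, gateway.example.test, Other Root CA) are constructed.

```shell
#!/bin/sh
# Added example: a toy CA issues a server certificate, and a client verifies it
# against the CA's root certificate. Assumes the openssl CLI (1.1.1 or 3.x).
# All names used here are constructed placeholders.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Root certificate: the CA signs its own public key (self-signed).
make_root() {   # $1 = CA name, $2 = output basename
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# Server certificate: a CSR carrying the server's public key, signed by the CA.
make_server() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=gateway.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 90 -in "$WORK/server.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/server.pem" 2>/dev/null
}

# Client-side check: does the root we hold locally vouch for this certificate?
# Prints OK when the issuer's signature verifies against the trusted root and
# the validity period covers now; prints FAIL otherwise.
verify_against() {   # $1 = trusted root PEM, $2 = certificate to check
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# The fields named in the text: subject, issuer, period of validity.
show_fields() {
  openssl x509 -noout -subject -issuer -dates -in "$1"
}

make_root "Example Root CA" root
make_server
# A second, unrelated CA stands in for "a CA the client does not trust".
make_root "Other Root CA" other

show_fields "$WORK/server.pem"
echo "trusted root:   $(verify_against "$WORK/root.pem"  "$WORK/server.pem")"
echo "untrusted root: $(verify_against "$WORK/other.pem" "$WORK/server.pem")"
```

The second verification fails even though the server certificate is perfectly well formed: nothing the client holds locally vouches for the CA that signed it, which is exactly the situation in which a browser prompts the user.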
A number of companies and organizations currently act as CAs,
including VeriSign, Baltimore, Entrust, and their respective affiliates.