Digital Certificate

A digital certificate is a format for declaring the identity of the party that installs it. It includes information such as the installer's name, city, state, country and organization.

If a site wants to make itself secure, it installs such a certificate, encrypted with the private key, on its web server's listening port.

It then distributes the public key publicly (for example, to browsers).

When a user visits the website, the site presents this certificate, encrypted with the private key, to the browser. The browser decrypts it using the public key and then verifies the decrypted content for authentication.


Additionally, the digital certificate encrypted with the private key is digitally signed by the CA with the CA's private key. This step adds another level of security because anyone with the CA's public key can verify that the certificate was indeed issued by the CA. CAs typically add a physical form of verification to increase the value of their certificates.


Communication using digital certificates

  1. The client opens a secure website (for example, https://<something>).

  2. If the website uses a digital certificate (DC) for security, the client sends a list of the cipher suites (ciphers and hash functions) it supports.

  3. The server picks the best suite and sends it back in the form of a DC. The DC also contains the server name, the Certificate Authority name (the CA is the authority which authenticates a site) and the server's Public Encryption Key (PuEK).

  4. The client then encrypts a random number RN using the PuEK. Since the server has the Private Encryption Key (PrEK), only it can decode the RN communicated using this PuEK.

  5. From the RN, both parties generate key material for encryption and decryption.
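The steps above, traced end to end as an added example (not code from the original page). It assumes a toy textbook-RSA key pair built from two Mersenne primes, constructed suite names and certificate fields, and an HMAC-SHA256 expansion standing in for a real key-derivation function; none of these choices is secure outside a demonstration.

```python
import hashlib, hmac, secrets

# Toy RSA key pair built from two Mersenne primes (constructed for this demo).
# Textbook RSA with no padding and a ~234-bit modulus is NOT secure.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q                                  # (N, E) is the public key, PuEK
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, PrEK (server only)

# Server's preference order, strongest first; suite names are constructed labels.
SERVER_PREFERENCE = ["AES256-GCM-SHA384", "AES128-GCM-SHA256", "3DES-CBC-SHA"]

def server_hello(client_suites):
    """Step 3: choose the best suite the client also offers; return it with the DC fields."""
    for suite in SERVER_PREFERENCE:
        if suite in client_suites:
            return {"suite": suite, "server_name": "example.test",   # hypothetical values
                    "ca_name": "Example CA", "puek": (N, E)}
    raise ValueError("no cipher suite in common")

def client_key_exchange(dc):
    """Step 4: the client encrypts a fresh random number RN under PuEK."""
    n, e = dc["puek"]
    rn = secrets.token_bytes(16)
    return rn, pow(int.from_bytes(rn, "big"), e, n)

def server_recover_rn(ciphertext):
    """Step 4, server side: only the holder of PrEK can recover RN."""
    return pow(ciphertext, D, N).to_bytes(16, "big")

def derive_keys(rn, suite):
    """Step 5: expand RN into one key per direction (stand-in for a real KDF)."""
    def expand(label):
        return hmac.new(rn, label + suite.encode(), hashlib.sha256).digest()
    return {"client_write": expand(b"client write|"),
            "server_write": expand(b"server write|")}

def handshake(client_suites):
    """Steps 2-5 for both parties; RN itself never crosses the wire in the clear."""
    dc = server_hello(client_suites)                    # steps 2-3
    rn, ciphertext = client_key_exchange(dc)            # step 4 (client)
    client_keys = derive_keys(rn, dc["suite"])          # step 5 (client)
    server_keys = derive_keys(server_recover_rn(ciphertext), dc["suite"])
    return dc["suite"], client_keys, server_keys
```

Both sides end with identical key material even though only the encrypted RN was transmitted; the example does not verify the CA's signature on the certificate.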









Site Owner: Sachin Goyal