A digital certificate is a format for declaring the identity of the certificate installer. The format includes information such as the installer's name, city, state, country and organization.

If a site wants to make itself secure, it installs such a certificate, encrypted with the private key, on its web server’s listening port.

Then it publicly distributes the public key (to browsers, say).

When the user hits the website, the site presents this certificate, encrypted with the private key, to the browser. The browser decrypts it using the public key and then verifies the decrypted content for authentication.

Additionally, the digital certificate encrypted with the private key is digitally signed by the CA with the CA’s private key. This step adds another level of security because anyone with the CA’s public key can verify that the certificate was indeed issued by the CA. CAs typically add a physical form of verification to increase the value of their certificates.
Communication using digital certificates
The client opens a secure website (for example https://<something>).

If the website uses a digital certificate (DC) for security, the client sends a list of supported cipher suites (ciphers and hash functions).

The server picks the best suite and sends it back in the form of a DC. The DC also contains the server name, the Certificate Authority name (the CA is the authority that authenticates a site) and the server’s Public Encryption Key (PuEK).

The client then encrypts a random number RN using the PuEK. Since the server has the Private EK (PrEK), only it can decode the RN communicated using this PuEK.

From the RN, both parties generate key material for encryption and decryption.
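
The exchange described in the steps above, as an added example that is not part of the original page. The key pair, suite names, server and CA names are constructed, and HMAC-SHA256 stands in for the key-derivation step, which the page does not specify.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key pair built from two Mersenne primes. Unpadded
# "textbook" RSA at this size is insecure; it only makes the steps visible.
P, Q, E = 2**107 - 1, 2**127 - 1, 65537
N = P * Q                                  # public modulus, part of PuEK
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, the PrEK

# Server preference order, best first. Names are illustrative labels.
SERVER_SUITES = ["AES256-SHA256", "AES128-SHA256", "3DES-SHA1"]

def server_hello(client_suites):
    """Server picks its most preferred suite that the client also offers."""
    for suite in SERVER_SUITES:
        if suite in client_suites:
            # Stand-in for the DC: chosen suite, server name, CA name, PuEK.
            return {"suite": suite, "server": "www.example.test",
                    "ca": "Example Test CA", "puek": (N, E)}
    raise ValueError("no cipher suite in common")

def client_key_exchange(cert):
    """Client draws RN and encrypts it with the public key from the DC."""
    n, e = cert["puek"]
    rn = secrets.token_bytes(16)
    return rn, pow(int.from_bytes(rn, "big"), e, n)

def server_recover_rn(ciphertext):
    """Only the holder of the private exponent D can recover RN."""
    return pow(ciphertext, D, N).to_bytes(16, "big")

def derive_keys(rn, suite):
    """Expand RN into one key per direction (assumed KDF: HMAC-SHA256)."""
    def expand(label):
        return hmac.new(rn, label + suite.encode(), hashlib.sha256).digest()
    return {"client_write": expand(b"client write "),
            "server_write": expand(b"server write ")}

def handshake(client_suites):
    """Run all steps; returns the suite plus each side's derived keys."""
    cert = server_hello(client_suites)
    rn, ct = client_key_exchange(cert)      # only ct crosses the wire
    client_keys = derive_keys(rn, cert["suite"])
    server_keys = derive_keys(server_recover_rn(ct), cert["suite"])
    return cert["suite"], client_keys, server_keys
```

Because RN travels under the server's long-term key, anyone who records the ciphertext and later obtains the private key can recover RN and the session keys. TLS 1.3 removed this RSA key transport for that reason.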