A certificate, or digital certificate,
is an electronic document used to identify an individual, a server,
a company, or some other entity and to associate that identity with
a public key. Like a driver's license, a passport, or other commonly
used personal IDs, a certificate provides generally recognized proof
of a person's identity. Public key cryptography uses certificates
to address the problem of impersonation.
Certificates are issued by certificate authorities.
The Certificate Authority (CA) is a trusted third party that verifies
the identity of the site with which you are connected. Like any
form of identification, the authenticity of the issuer is essential.
The role of CAs in validating identities and in issuing certificates
is analogous to the way a government issues passports and driver's
licenses. CAs can be either independent third parties or organizations
running their own certificate-issuing server software (such as Netscape
The methods used to validate an identity vary depending on
the policies of a given CA. In general, before issuing a certificate,
the CA must use its published verification procedures for that type
of certificate to ensure that an entity requesting a certificate
is in fact who it claims to be.
The certificate issued by the CA binds a particular public
key to the name of the entity the certificate identifies (such as
the name of an employee or a server). Certificates help prevent
the use of fake public keys for impersonation. Only the public key
certified by the certificate works with the corresponding private
key possessed by the entity identified by the certificate.
In addition to a public key, a certificate always includes
the name of the entity it identifies, an expiration date, the name
of the CA that issued the certificate, a serial number, and other
information. Most importantly, a certificate always includes the digital
signature of the issuing CA. The CA's digital signature
allows the certificate to function as a "letter of introduction"
for users who know and trust the CA but who do not know the entity
identified by the certificate.
For information about the HP SSL Certificate Tool, which allows
you to view and create certificates, see Chapter 3.