How do I get a digital certificate

How does a digital certificate work?

When it comes to the protection goals of authenticity and integrity, the digital certificate plays an important role. A password alone is often not enough to establish an identity, since it can be spied on or guessed. That is why digital certificates are of great importance in IT security. This article explains what a digital certificate is and when it is used.

What is a digital certificate?

A digital certificate is an electronic proof of authenticity that certifies the identity of a person, a computer or an organization. In real life, a certificate can be compared to an identity card. The identity of a person can be determined on the basis of the information in the identity card.

"Man-in-the-middle attack"

With asymmetric encryption, a public key is required for encryption and the matching private key for decryption. This raises the question of how the sender knows that the public key with which he wants to encrypt the message is "real" and does not come from an attacker. A cryptographic key is "only" data that can be replaced, and it says nothing about which person or computer it is assigned to. It is not possible to find out who "belongs" to the key on the basis of the key alone.

Example: Bob wants to send Alice confidential information in encrypted form. Eve, who is eavesdropping on the traffic, wants to know about the content. She pretends to be Alice and sends Bob a fake email with her public key. Believing that it is Alice's key, Bob encrypts his message and sends it. Eve intercepts the email and decrypts the message with her private key.

A certificate is intended to prevent such a "man-in-the-middle attack" by protecting keys from manipulation. The certificate can be used to check whether the key really comes from the person, computer or organization with whom you want to communicate. In this sense, certificates "personalize" keys: Bob and Alice can use the certificate to find out who a key is assigned to.

What are the characteristics of a digital certificate?

A certificate is a data record. According to the X.509 standard, a certificate must contain certain information, but it can also contain additional optional information. The mandatory information includes:

  • Name of the certificate holder
  • Issuing certification authority
  • Validity period
  • Serial number
  • Public key of the holder (this can be used to check the authenticity of the key)
  • Digital signature of the issuing certification authority, so that it can be verified whether the certificate is genuine

Areas of application for digital certificates

The areas of application for digital certificates are diverse. They are mostly used where identity has to be established. In particular, certificates can be found in the following systems:

  • SSL / TLS: In these network protocols, certificates ensure that the server proves its identity to the client.
  • Email encryption: Certificates are also used to confirm the authenticity of e-mails.
  • Digital signature: Certificates are also required for digital signatures, so that signed documents can be regarded as unaltered.
  • Identity check when logging in to a system: if two computers connect and want to communicate confidentially with each other (e.g. via VPN), a password is often not enough, since it can be spied on or guessed. A certificate should also be used for identification here.

Certification bodies

In order for certification authorities to be regarded as trustworthy, they must meet strict security requirements, which are specified, for example, in signature laws. A certification authority also has a private and a public key, and the latter must be publicly known. The public keys of the certification authorities are preinstalled in most browsers and operating systems. Knowing the public key of the certification authority, the browser can check the signature on a received certificate.

But here, too, the question arises as to whether the public key really belongs to a trustworthy certification authority. That is why certification authorities themselves hold a certificate issued by a superordinate authority. This creates a hierarchy of certification authorities, with the Federal Network Agency for Telecommunications and Post acting as the root certification authority, whose public key is published in the Federal Gazette, among other places.
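The following Go program is an added example, not code from the article or its author, and uses only the standard library. It builds the certificates described above and checks them the way a browser does with a preinstalled root: a root CA signs a certificate for Alice, and the check succeeds against that root but fails for a self-signed key that Eve presents under Alice's name, as in the man-in-the-middle example. The names, validity periods and the key type (Ed25519) are assumptions chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate for name: self-signed when parent is nil (a root CA), else signed by the parent CA.
func makeCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{ // the mandatory X.509 fields the article lists
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name}, // certificate holder
		NotBefore:    time.Now().Add(-time.Hour),  // validity period (assumed: 1 day)
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA { // only a CA may sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the host name a client checks against
	}
	if parent == nil { // no issuer: sign with its own key, as a root CA does
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // holder's public key and issuer's signature are now inside
	return cert, key
}

// verifyAgainstRoot mimics a browser: checks the issuer's signature with the preinstalled root's public key, the validity period and the holder's name.
func verifyAgainstRoot(leaf, root *x509.Certificate, name string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err
}

func main() {
	root, rootKey := makeCert("Trusted Root CA", true, nil, nil) // stands in for a preinstalled root
	alice, _ := makeCert("alice.example", false, root, rootKey)
	fake, _ := makeCert("alice.example", false, nil, nil) // Eve's own key, self-signed under Alice's name
	fmt.Println(verifyAgainstRoot(alice, root, "alice.example"), verifyAgainstRoot(fake, root, "alice.example"))
}
```

The genuine certificate verifies (nil error); Eve's yields "certificate signed by unknown authority", and a certificate presented for a name other than the holder's yields a hostname mismatch.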

Security

Despite all security measures, a digital certificate can be forged just like an identity card. On the one hand, a perpetrator inside the certification authority can generate a certificate with falsified information. On the other hand, a perpetrator can impersonate another person or organization and apply for a certificate in their name from an untrustworthy certification authority.

The latter often occurs in connection with phishing attacks. A perpetrator can pass off fake online banking pages as "real", complete with an encrypted connection. At first glance the forgery is not apparent, because the browser also marks these pages as an encrypted connection with "https". That is why Extended Validation SSL certificates exist for Internet traffic, whose issuance is tied to strict criteria. If such an EV SSL certificate is present, the browser also shows the company name in green in the URL line. This means that the user can trust that the website is "real".


About the author

Agnieszka Czernik, Lawyer

Data protection and IT (security) serve to protect privacy and corporate values. Maintaining these interests and working in two diverse and interesting areas at the same time is my passion.

intersoft consulting services AG
