Notes on Public Key Certificates and Certificate Authorities

1. Public key certificate

1. Definition:

A public key certificate (also called a digital certificate or identity certificate) is an electronic document used to prove the ownership of a public key.

2. The certificate includes

  1. information about the key
  2. information about the identity of its owner (called the subject)
  3. the digital signature of an entity that has verified the certificate’s contents (called the issuer).

3. What the certificate lets a relying party do

If

  1. the signature is valid, and
  2. the software examining the certificate trusts the issuer,

then that software can use the certified key to communicate securely with the certificate's subject.

4. Where certificates are used

  1. In email encryption, code signing, and e-signature systems, a certificate’s subject is typically a person or organization.

  2. In Transport Layer Security (TLS) a certificate’s subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices.

  3. In a typical public-key infrastructure (PKI) scheme, the certificate issuer is a certificate authority (CA), usually a company that charges customers to issue certificates for them.

  4. In a web of trust scheme, individuals sign each other's keys directly, in a format that performs a similar function to a public key certificate.

5. Types of certificate

1. TLS/SSL server certificate (TLS was formerly known as SSL)

  1. server: the server is required to present a certificate as part of the initial connection setup.
  2. client: a client connecting to that server performs the certification path validation algorithm, which checks that
    1. the subject of the certificate matches the hostname to which the client is trying to connect, and
    2. the certificate is signed by a trusted certificate authority.

The primary hostname (domain name of the website) is listed as the Common Name in the Subject field of the certificate. A certificate may be valid for multiple hostnames (multiple websites). Such certificates are commonly called Subject Alternative Name (SAN) certificates or Unified Communications Certificates (UCC certificates).

These certificates contain the field Subject Alternative Name, though many CAs will also put them into the Subject Common Name field for backward compatibility. If some of the hostnames contain an asterisk (*), a certificate may also be called a wildcard certificate.

A TLS server may be configured with a self-signed certificate. When that is the case, clients will generally be unable to verify the certificate, and will terminate the connection unless certificate checking is disabled.

Figure: Chain of trust

2. TLS/SSL client certificate

Client certificates are less common than server certificates, and are used to authenticate the client connecting to a TLS service, for instance to provide access control.

  1. Because most services provide access to individuals rather than devices, most client certificates contain an email address or personal name rather than a hostname.
  2. Because authentication is usually managed by the service provider, client certificates are not usually issued by a public CA that provides server certificates.
  3. Instead, the operator of a service that requires client certificates will generally operate their own internal CA to issue them. Client certificates are supported by many web browsers, but most services use passwords and cookies to authenticate users instead of client certificates.

Client certificates are more common in RPC systems, where they are used to authenticate devices to ensure that only authorized devices can make certain RPC calls.

3. Email certificate

In the S/MIME protocol for secure email, senders need to discover which public key to use for any given recipient. They get this information from an email certificate. Some publicly trusted certificate authorities provide email certificates, but more commonly S/MIME is used when communicating within a given organization, and that organization runs its own CA, which is trusted by participants in that email system.

4. Code signing certificate

Certificates can also be used to validate signatures on programs to ensure they were not tampered with during delivery. Authenticode is one example of a code signing scheme.

5. Qualified certificate (Qualified digital certificate)

A certificate identifying an individual, typically for electronic signature purposes. These are most commonly used in Europe, where the eIDAS regulation standardizes them and requires their recognition.

6. Root certificate

A self-signed certificate used to sign other certificates. Also sometimes called a trust anchor.

7. Intermediate certificate

A certificate used to sign other certificates. An intermediate certificate must itself be signed by another intermediate certificate or by a root certificate.

8. End-entity or leaf certificate

Any certificate that cannot be used to sign other certificates. For instance, TLS/SSL server and client certificates, email certificates, code signing certificates, and qualified certificates are all end-entity certificates.

9. Self-signed certificate

A certificate with a subject that matches its issuer, and a signature that can be verified by its own public key. Most types of certificate can be self-signed. Self-signed certificates are also often called snake oil certificates to emphasize their untrustworthiness.

2. Root certificate

1. Definition

A root certificate is a public key certificate that identifies a root certificate authority (CA).

2. How to use

  1. Root certificates are self-signed and form the basis of an X.509-based public key infrastructure (PKI). A certificate is recognised as a root either because its Authority Key Identifier matches its own Subject Key Identifier,

  2. or, where the certificate carries no Authority Key Identifier, because its Issuer string matches its Subject string (RFC 5280).

For instance, the PKIs supporting HTTPS for secure web browsing and electronic signature schemes depend on a set of root certificates.

3. The tree structure of the certificate

A certificate authority can issue multiple certificates in the form of a tree structure.

  1. A root certificate is the top-most certificate of the tree; its private key is used to “sign” other certificates. All certificates signed by the root certificate, with the “CA” field set to true, inherit the trustworthiness of the root certificate—a signature by a root certificate is somewhat analogous to “notarizing” an identity in the physical world. Such a certificate is called an intermediate certificate or subordinate CA certificate. Certificates further down the tree also depend on the trustworthiness of the intermediates.

The root certificate is usually made trustworthy by some mechanism other than a certificate, such as by secure physical distribution. For example, some of the most well-known root certificates are distributed in operating systems by their manufacturers. Microsoft distributes root certificates belonging to members of the Microsoft Root Certificate Program to Windows desktops and Windows Phone 8.[2] Apple distributes root certificates belonging to members of its own root program.
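The chain of trust and the path validation checks described above (hostname match, signature by a trusted CA, and the Issuer == Subject rule for recognising a root), as an added example that is not part of the original article. It uses the openssl command line; every name in it (example.test, "Example Root CA") is a constructed placeholder.

```shell
# Added example, not code from the original article: build a root -> intermediate -> leaf
# chain with the openssl CLI and run the two checks the text lists (hostname match and
# signature by a trusted CA). Every name here (example.test, "Example Root CA") is constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"
NEWKEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256"

# Extension profiles: CA certificates may sign other certificates, the leaf may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\n' > leaf.ext
printf 'subjectAltName=DNS:www.example.test,DNS:example.test\n' >> leaf.ext

# Root: self-signed (Issuer == Subject). Its trust comes from being distributed out of band.
openssl req -new $NEWKEY -subj "/CN=Example Root CA" -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 -extfile ca.ext -out root.pem 2>/dev/null

# Intermediate: signed by the root, CA:TRUE, so it inherits the root's trust and may sign leaves.
openssl req -new $NEWKEY -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 -sha256 \
  -extfile ca.ext -out int.pem 2>/dev/null

# Leaf (end-entity): signed by the intermediate; the hostnames live in subjectAltName.
openssl req -new $NEWKEY -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 30 -sha256 \
  -extfile leaf.ext -out leaf.pem 2>/dev/null

# "Snake oil": a self-signed server certificate for the same hostname, chained to no trusted root.
openssl req -new $NEWKEY -subj "/CN=www.example.test" -keyout self.key -out self.csr 2>/dev/null
openssl x509 -req -in self.csr -signkey self.key -days 30 -sha256 -extfile leaf.ext -out self.pem 2>/dev/null

# Path validation as a client does it: root.pem is the trust anchor, the intermediate is supplied
# untrusted (as a server sends it in the handshake), and the leaf must cover the requested hostname.
validate() { # $1 = certificate to check, $2 = hostname the client is connecting to; prints ok/fail
  if openssl verify -CAfile root.pem -untrusted int.pem -verify_hostname "$2" "$1" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Root detection by the RFC 5280 rule quoted in the text: Issuer string equals Subject string.
is_root() { # $1 = certificate; prints yes/no
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  sub=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  [ "$iss" = "$sub" ] && echo yes || echo no
}

validate leaf.pem www.example.test    # ok
validate leaf.pem other.example.test  # fail: not covered by the SAN list
validate self.pem www.example.test    # fail: no path to a trusted root
is_root root.pem                      # yes
is_root leaf.pem                      # no
```

The second validate call shows why a certificate for one hostname cannot be reused for another, and the third shows the behaviour the text describes for self-signed server certificates: clients that check the chain reject them.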

3. Qualified digital certificate

1. Definition

A qualified digital certificate is a public key certificate issued by a qualified trust service provider that ensures the authenticity and data integrity of an electronic signature and its accompanying message and/or attached data.

4. Certificate authority (certification authority, CA)

1. Definition

A certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 standard.

2. How to use

  1. Signing certificates used in HTTPS, the secure browsing protocol for the World Wide Web.

  2. Another common use is issuing identity cards on behalf of national governments for use in electronically signing documents.
