Cryptography in Action 65
■ Version
■ Serial number
■ Algorithm ID
■ Issuer
■ Validity
■ Not before
■ Not after
■ Subject
■ Subject Public Key Info
■ Public Key Algorithm
■ Subject Public Key
The certificate is signed by generating a hash value and encrypting it with the issuer’s
private key. At this point if the certificate is altered—for example, if a party tries to replace
the public key—the certificate becomes invalid and the client should see a warning indicat-
ing that. If a client possesses the issuer’s public key and trusts the issuer of the key, then the
client will assume the public key in the certificate checks out. For an attacker to compro-
mise the system, they would have to have access to either the private key of the server or the
private key of the issuer to successfully impersonate one of the parties.
A digital certificate allows you to associate the public key with a particular service, such
as a web server, for use in e-commerce.
Authenticating the Certificate
A digital certificate complements or replaces other forms of authentication. A user who
presents the credential must have a method in place that allows for the credential to be vali-
dated. One such method is the CA. When you present a certificate to another party, the cre-
dential is validated and allows the party or parties of a transaction to have their identities
confirmed. Once a series of steps is undertaken, secure communication or the validation of
items such as the digital signature can take place.
Enter the PKI System
A CA creates and revokes certificates that it has in its control along with the associated
public keys. A CA can be controlled by a company for its internal use or by a public entity
for use by any who wish to purchase a credential from the controlling party.
A CA is a trusted third party that is responsible for issuing, managing, identifying, and
revoking certificates as well as enrolling parties for their own certificates. The CA vouches
for the identity of the holder of any given certificate. A CA issues credentials to banks, web-
mail, VPNs, smart cards, and many other entities. The CA gathers information, validates,
and issues a credential to the requesting party if everything checks out.