A digital certificate is an electronic document that identifies a person or entity and contains a copy of their public key. Each certificate includes a public key so that anyone can communicate securely with the person or entity by encrypting information with this public key. Digital certificates conform to a standardized file format that contains the following information:
Identity information, such as the name and address of the certificate owner.
Public key.
Expiry date.
One or more digital signatures.
A digital signature provides a means to detect whether a certificate has been altered. A digital signature is created by calculating a value, called a message digest, from the identity information and the public key, and then encrypting that value.
A message digest is a bit-value designed to change if any part of the certificate changes. The algorithm used to calculate the message digest is known to all users of the certificates. The correct value is encrypted with the private key that matches the public key contained in the certificate. Thus, anyone can detect alteration by using the algorithm to calculate the message digest, using the public key to decrypt the message digest contained in the certificate, and comparing the two values.
If you are using FIPS-approved RSA encryption, you must generate your certificates using RSA.
A certificate constructed in this manner is called a self-signed certificate because the digital signature is constructed with the matching private key. Such a certificate cannot be altered without knowledge of the private key.
Digital certificates play the role of identity cards. The signatures prevent alteration: as long as the private keys used to create the signatures are kept secret, the digital certificate cannot be altered.
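The digest, sign and compare steps described above for a self-signed certificate, as an added example that is not code from the original page. It assumes a constructed demo key, textbook RSA without padding, SHA-256 as the digest algorithm, and a JSON encoding of the fields; all function and field names are hypothetical.

```python
import hashlib
import json

# Constructed demo key built from two known Mersenne primes. It shows the
# arithmetic only: textbook RSA without padding, not for real use.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent; never stored in the certificate


def message_digest(cert):
    """Digest of the signed fields. Covering the expiry date as well as the
    identity and public key is an assumption of this example."""
    signed = {k: cert[k] for k in ("identity", "public_key", "expiry")}
    encoded = json.dumps(signed, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(encoded).digest(), "big")


def self_sign(identity, expiry):
    """Build a certificate and sign it with the key matching its own public key."""
    cert = {"identity": identity, "public_key": {"n": N, "e": E}, "expiry": expiry}
    cert["signature"] = pow(message_digest(cert), D, N)  # "encrypt" the digest
    return cert


def verify(cert):
    """Recompute the digest, decrypt the stored one with the public key, compare."""
    pub = cert["public_key"]
    recovered = pow(cert["signature"], pub["e"], pub["n"])
    return recovered == message_digest(cert)


def demo():
    cert = self_sign("CN=Example Owner, L=Springfield", "2030-01-01")  # constructed
    renamed = dict(cert, identity="CN=Someone Else, L=Springfield")
    extended = dict(cert, expiry="2099-01-01")
    return {"original": verify(cert), "renamed": verify(renamed),
            "extended": verify(extended)}


if __name__ == "__main__":
    print(demo())
```

Changing any signed field changes the recomputed digest, so it no longer matches the value recovered from the signature and verification fails.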