Experts often use the terms PKI and digital certificates when explaining how digital signatures work. However, it can all get quite confusing for people who don’t have a technical background.
This article aims to clarify the role that public key cryptography, public key infrastructures (PKI), and digital certificates play in creating digital signatures.
The basics of public key cryptography
Public key cryptography uses a pair of keys to secure online communications and create digital signatures. Each party gets a private and public key. The two keys are different but mathematically related. As its name suggests, the private key must be kept secret. On the other hand, the public key can be shared with others.
An electronic message encrypted with a person’s public key can only be decrypted using the same person’s corresponding private key. Similarly, a digital signature created with a person’s private key can only be validated with the same person’s public key. Here’s how it works.
Ensuring the confidentiality of electronic messages
Let’s say Dan wants to send a confidential message to Stacey. He wants to ensure that Stacey is the only one who can read its contents, so he uses her public key to encrypt the message. The only way to decrypt the message is with Stacey’s corresponding private key. Since Stacey is the only one who knows her private key, Dan can be sure that no one else can read the message.
This is how public key cryptography ensures the confidentiality of electronic communications.
Creating digital signatures
For creating digital signatures, the process looks a little bit different.
Let’s say Dan sends Stacey a contract for signature. In this case, Stacey will use her private key to sign the document. Dan will then use Stacey’s public key to validate the signature. If Stacey’s public key can validate the signature, Stacey is the actual signer of the document.
This is how you can use public key cryptography to create a digital signature.
What are digital certificates?
A digital certificate is the digital equivalent of an ID card. Much like an ID card, a digital certificate can prove that a person or organization is who they say they are. Therefore, digital certificates are essential to ensure trust in public key cryptography.
Let’s go back to the example above. Without a digital certificate, Dan can’t be sure that the public key that was shared with him really belongs to Stacey. Matt could easily pose as Stacey, sharing his public and private key with Dan instead.
A digital certificate contains information on its owner’s identity and the owner’s public key, thus binding the owner to the public key.
Digital certificates are issued by trusted organizations called Certification Authorities. Before issuing a digital certificate, a CA verifies the identity of the person requesting the certificate to ensure they are who they claim to be.
Simply put, digital certificates serve as a means of authenticating an entity in public key encryption schemes.
Besides electronic document signing, digital certificates are commonly used for authentication purposes. Certificate-based authentication refers to the use of a digital certificate to verify the identity of an entity before allowing them to access a system, file, network, or application.
An example of certificate-based authentication is using your eID to access a public service online or log in to your online banking account.
What about PKI?
A public key infrastructure is the set of policies, procedures, roles, and technologies needed to issue, manage, distribute, store, and revoke digital certificates in an encryption scheme based on public-key cryptography.
What are the types of digital certificates?
The three main types of digital certificates are:
1. TLS certificates
Transport Layer Security (TLS) is a cryptographic protocol that ensures the privacy and integrity of data sent over the Internet.
TLS certificates are data files containing information about the identity of a website’s owner as well as their public key. Besides making TLS encryption possible, TLS server certificates also authenticate the identity of a website’s owner.
Let’s say you want to make an online purchase and need to fill in your card information. Thanks to TLS, your payment details will be encrypted, and thus protected from prying eyes while in transit.
The URLs of websites secured with TLS certificates start with “HTTPS” instead of “HTTP” and a tiny padlock is displayed in front of these URLs in the address bar.
2. Code signing certificates
Developers use code signing certificates to digitally sign the code of their software. Code signing certificates bind the identity of the developer to the signed software and prevent code tampering. Therefore, digitally signed software is safer to download for the end-user.
Unfortunately, even though a signed software is more reliable than an unsigned one, it still can’t always be trusted.
Anyone can purchase a code signing certificate, even developers who purposely add malicious code in their applications. Therefore, you should make sure that you only download software signed by developers that you trust.
3. Client certificates
Client certificates allow remote servers to verify the identity of individual users or devices making a request.
Digital ID certificates are an example of client certificates. You can use these certificates to sign documents digitally and access online public services.
Benefits of signing documents using digital ID certificates:
- the signer of the document is who they say they are
- any change to the document after signing will invalidate the signature
- the signer’s identity is bound to the public key contained in the digital ID certificate, so they can’t deny the signature
Why should you trust authentication via digital certificates?
The main benefit of digital certificates is that they are issued by trusted authorities (Certificate Authorities). These authorities verify the identity of the requester before issuing the certificate.
Suppose you ask someone to sign a physical contract. You will first need to check their passport to verify their identity. If the passport is original, valid, and the photo ID matches, you will have verified the identity of that person.
Similarly, you can verify the identity of a person with the help of a digital certificate. However, instead of asking them to meet in person, you can ensure that the right person is signing the document remotely by asking them to use their certificate-based digital ID (such as MitID, BankID, itsme® etc.). And just as you’d trust that a passport released by an official national department can identify a person safely, you can also trust that an eID based on a digital certificate issued by a Certificate Authority securely identifies that person online.
Digital certificate example
A digital certificate commonly includes information about:
- the identity of the certificate’s owner;
- the certificate owner’s public key;
- the trusted authority that issued the certificate.
Finally, it contains the digital signature of the certificate’s issuer.
What is a Certificate Authority (CA)?
A Certificate Authority (CA) is a company that, after being audited for compliance, has been authorized to issue digital certificates to entities.
In the EU, Certificate Authorities are usually Qualified Trust Service Providers (QTSP) that meet the requirements set under the eIDAS Regulation.
For example, Nets DanID A/S is an EU QTSP acting as a CA when issuing NemIDs and MitIDs in Denmark. You can access the complete list of qualified trust service providers under the eIDAS Regulation in the EU Trusted List browser.
What is the difference between a digital signature and a digital certificate?
The main difference is that a digital certificate binds an entity to its public key to authenticate them while a digital signature binds the signer to the provisions stated in the signed document.
|Digital signature||Digital certificate|
|What is it?||A very large number created using an algorithm||A digital file|
|What does it do?||Authenticates the signer’s identity and the integrity of signed messages||Authenticates the identity of the certificate owner|
|How is it created?||A document is run through a hashing algorithm to generate a hash called message digest. The message digest is then encrypted using the signer’s private key (by performing certain calculations).||Issued to an entity by a Certificate Authority (CA) (after verifying the entity’s identity)|
Digital certificates & Penneo
Penneo Sign enables users to log into the system, access documents, and sign them using certificate-based eIDs issued by QTSPs such as itsme®, NemID, MitID BankID Sweden, BankID Norway, Finnish Bank IDs, and Mobiilivarmenne.