Digital certificates, also known as PKI certificates, are usually mentioned when talking about digital signatures, but what are they? And how do these certificates make digital signatures the safest choice? Read on to learn more!
What are digital certificates?
Digital certificates, aka PKI certificates, are a means to authenticate devices, organizations, and individual users to ensure the security of electronic transactions.
Simply put, they are the digital version of ID cards. Here are some of their similarities:
- Both ID cards and digital certificates are issued by recognized authorities.
- When applying for an ID card or requesting a digital certificate, your identity needs to first be verified.
- A digital certificate provides digital proof of identity while an ID card is used to confirm your identity in the physical world.
How do digital certificates work?
Digital certificates are based on PKI (public key infrastructure).
First, a key pair unique to the person requesting the certificate is generated: a private key, which its owner keeps secret, and a mathematically linked public key, which can be shared freely. In cryptography the two are always used together: what the private key does (sign, or decrypt) only the matching public key can check (verify, or encrypt), and the public key does not reveal the private key.
Next, the certificate is issued. The digital certificate contains the public key and the name of its owner, and it is signed by the issuing authority, thus binding the public key to its owner’s identity.
The two most common use cases for digital certificates are signing documents and authentication.
When a person digitally signs a document, the signature is created with their private key; anyone who has the public key from their certificate can then verify that the signature is valid and that the document has not changed since it was signed.
Thanks to digital signature certificates, people can sign documents electronically in a fast and secure way.
Besides signing documents, digital certificates are commonly used for authentication purposes.
Certificate-based authentication refers to the use of a digital certificate to verify the identity of a device or user before allowing them to access a system, file, network, or application.
An example of certificate-based authentication is using your eID to access a public service online or log in to your online banking account.
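As an added, runnable example (not code from the original article or from Penneo), here is the sign-and-verify step described above in Go with only the standard library: the document is hashed with SHA-256, the digest is signed with an ECDSA P-256 private key, and verification uses the matching public key. The contract text and the parties Alice and Mallory are made up for the example. It also shows the two failure cases a verifier must catch: a document altered after signing, and a signature made with someone else's private key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewSigningKey generates a fresh P-256 key pair: the private half stays
// with the signer, the public half is what ends up in their certificate.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignDocument hashes the document with SHA-256 and signs the digest with the
// signer's private key. Only the digest is signed, which is why changing a
// single byte of the document afterwards invalidates the signature.
func SignDocument(priv *ecdsa.PrivateKey, document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyDocument recomputes the digest and checks the signature against the
// signer's public key. It is true only if the document is unchanged and the
// signature was produced with the private key matching pub.
func VerifyDocument(pub *ecdsa.PublicKey, document, signature []byte) bool {
	digest := sha256.Sum256(document)
	return ecdsa.VerifyASN1(pub, digest[:], signature)
}

// Demo runs the three checks a relying party cares about. The contract text
// and the parties (Alice, Mallory) are made up for this example.
func Demo() (genuine, tampered, wrongSigner bool, err error) {
	alice, err := NewSigningKey()
	if err != nil {
		return
	}
	mallory, err := NewSigningKey()
	if err != nil {
		return
	}
	contract := []byte("Alice agrees to pay 1,000 EUR to Bob by 2024-06-01.") // constructed sample
	sig, err := SignDocument(alice, contract)
	if err != nil {
		return
	}
	// 1. The genuine document verifies with Alice's public key.
	genuine = VerifyDocument(&alice.PublicKey, contract, sig)
	// 2. The same signature over an altered document does not.
	altered := []byte("Alice agrees to pay 9,000 EUR to Bob by 2024-06-01.")
	tampered = VerifyDocument(&alice.PublicKey, altered, sig)
	// 3. A signature Mallory makes over the original does not verify as Alice's.
	forged, err := SignDocument(mallory, contract)
	if err != nil {
		return
	}
	wrongSigner = VerifyDocument(&alice.PublicKey, contract, forged)
	return
}

func main() {
	genuine, tampered, wrongSigner, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongSigner=%v\n", genuine, tampered, wrongSigner)
	// prints: genuine=true tampered=false wrongSigner=false
}
```

The public key alone only tells the verifier that the signature matches some key; it is the certificate (covered later on this page) that ties that key to a named person.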
What are the types of digital certificates?
The three main types of digital certificates are:
1. TLS certificates
Transport Layer Security (TLS) is a cryptographic protocol that ensures the privacy and integrity of data sent over the Internet.
TLS certificates are data files that bind a website’s domain name (and, for some certificate types, the organization behind it) to the server’s public key. Besides making TLS encryption possible, TLS server certificates let the browser check that it is talking to the server named in the address bar rather than to an impostor.
Let’s say you want to make an online purchase and need to fill in your card information. Thanks to TLS, your payment details will be encrypted, and thus protected from prying eyes while in transit.
The URLs of websites secured with TLS certificates start with «HTTPS» instead of «HTTP» and a tiny padlock is displayed in front of these URLs in the address bar. The padlock only means that the connection is encrypted and that the certificate matches the domain shown; it says nothing about whether the site itself is honest.
2. Code signing certificates
Developers use code signing certificates to digitally sign the code of their software. Code signing certificates bind the identity of the developer to the signed software and make tampering detectable: if the code is modified after signing, the signature no longer verifies. Therefore, digitally signed software is safer to download for the end user.
Unfortunately, even though signed software is more reliable than unsigned software, it still can’t always be trusted.
Anyone can purchase a code signing certificate, including developers who purposely add malicious code to their applications. A valid signature proves who signed the code and that it has not changed since, not that the code is benign. Therefore, you should make sure that you only download software signed by developers that you trust.
3. Client certificates
Client certificates allow remote servers to verify the identity of individual users or devices making a request.
Digital ID certificates are an example of client certificates. You can use these certificates to sign documents digitally and access online public services.
Benefits of signing documents using digital ID certificates:
- the signer of the document is who they say they are
- any change to the document after signing will invalidate the signature
- the signer’s identity is bound to the public key contained in the digital ID certificate, and only the holder of the matching private key could have produced the signature, so the signer can’t later deny having signed
Why should you trust authentication via digital certificates?
The main benefit of digital certificates is that they are issued by trusted authorities (Certificate Authorities). These authorities verify the identity of the requester before issuing the certificate.
Suppose you ask someone to sign a physical contract. You will first need to check their passport to verify their identity.
If the passport is original, valid, and the photo ID matches, you will have verified the identity of that person.
Similarly, you can verify the identity of a person before letting them sign a contract digitally.
However, instead of asking them to meet in person, you can ensure that the right person is signing the document remotely by asking them to use their certificate-based digital ID (such as NemID, BankID, itsme® etc.). And just as you’d trust that a passport issued by an official national authority reliably identifies a person, you can also trust that an eID based on a certificate issued by a Certificate Authority reliably identifies that person online.
Digital certificate example
A digital certificate commonly includes information about:
- the identity of the certificate’s owner;
- the certificate owner’s public key;
- the trusted authority that issued the certificate;
- the period during which the certificate is valid, and a serial number that identifies it.
Finally, it contains the digital signature of the certificate’s issuer, computed over all of the fields above. Anyone holding the issuer’s public key can check that signature and thereby confirm that none of the fields were altered after issuance.
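The following Go example is added here to show those fields in practice; it is not code from the article or from Penneo. Using only the standard library, it creates a self-signed CA certificate, has that CA issue a certificate for a made-up user, reads back the subject, issuer and public key, and checks the issuer’s signature over the certificate. It then has an unrelated “rogue” CA issue a certificate with the same name and the same public key, and shows that a relying party whose trust store only holds the first CA rejects it. All names and key material are generated or invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IssueCertificate builds an X.509 certificate that binds subjectName to pub
// and is signed by issuerKey. With issuer == nil the certificate is
// self-signed, which is how a root CA certificate is made.
func IssueCertificate(subjectName string, pub *ecdsa.PublicKey, isCA bool,
	issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,                               // identifies the certificate
		Subject:               pkix.Name{CommonName: subjectName},   // the owner's identity
		NotBefore:             time.Now().Add(-time.Minute),         // validity period
		NotAfter:              time.Now().Add(365 * 24 * time.Hour), //
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if issuer == nil {
		issuer = tmpl
	}
	// CreateCertificate embeds pub in the certificate and signs all of its
	// fields with issuerKey; that signature is the issuer's signature.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAgainstRoot does what a relying party does: it checks that leaf
// chains to a root in its trust store, is within its validity period, and
// carries a valid signature from that root.
func VerifyAgainstRoot(leaf, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// Demo issues a user certificate from a trusted CA and an identical-looking
// one from a rogue CA, then verifies both against a trust store that only
// contains the trusted CA. All names are invented for this example.
func Demo() (trustedOK, rogueOK bool, err error) {
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return
		}
	}
	caKey, userKey, rogueKey := keys[0], keys[1], keys[2]

	caCert, err := IssueCertificate("Example Trusted CA", &caKey.PublicKey, true, nil, caKey)
	if err != nil {
		return
	}
	userCert, err := IssueCertificate("Alice Example", &userKey.PublicKey, false, caCert, caKey)
	if err != nil {
		return
	}
	// The fields listed above, read back from the issued certificate.
	fmt.Printf("subject=%q issuer=%q key=%T serial=%s\n", userCert.Subject.CommonName,
		userCert.Issuer.CommonName, userCert.PublicKey, userCert.SerialNumber.String())
	// The issuer's signature over the certificate checks out with the CA's key.
	if err = userCert.CheckSignatureFrom(caCert); err != nil {
		return
	}
	trustedOK = VerifyAgainstRoot(userCert, caCert) == nil

	// A rogue CA can issue a certificate with the same name and even the same
	// public key, but it is not in the relying party's trust store.
	rogueCA, err := IssueCertificate("Rogue CA", &rogueKey.PublicKey, true, nil, rogueKey)
	if err != nil {
		return
	}
	rogueUser, err := IssueCertificate("Alice Example", &userKey.PublicKey, false, rogueCA, rogueKey)
	if err != nil {
		return
	}
	rogueOK = VerifyAgainstRoot(rogueUser, caCert) == nil
	return
}

func main() {
	trusted, rogue, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("trusted CA cert verifies: %v, rogue CA cert verifies: %v\n", trusted, rogue)
	// prints: trusted CA cert verifies: true, rogue CA cert verifies: false
}
```

The point of the rogue case is that the identity printed inside a certificate is just a claim; what makes it trustworthy is the signature of a CA the verifier has chosen to trust.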
What is a Certificate Authority (CA)?
A Certificate Authority (CA) is an organization that, after being audited for compliance, has been authorized to issue digital certificates to entities.
In the EU, Certificate Authorities are usually Qualified Trust Service Providers (QTSP) that meet the requirements set under the eIDAS Regulation.
For example, Nets DanID A/S is an EU QTSP acting as a CA when issuing NemIDs and MitIDs in Denmark. You can access the complete list of qualified trust service providers under the eIDAS Regulation in the EU Trusted List browser.
What is the difference between a digital signature and a digital certificate?
The main difference is what each one proves. A digital certificate binds the identity of its owner to their public key, and is signed by a CA that verified that identity. A digital signature is computed over a specific document with the signer’s private key; verifying it with the public key from the signer’s certificate shows that the document has not changed since it was signed and that it was signed by the certificate’s owner.
| | Digital signature | Digital certificate |
|---|---|---|
| What is it? | A value computed from the document’s digest and the signer’s private key | A digital file containing the owner’s identity and public key, signed by the issuing CA |
| What does it do? | Proves who signed a document and that it has not been changed since | Verifies the identity of the certificate owner by binding it to their public key |
| How is it created? | The document is run through a hashing algorithm to produce a digest, and the digest is signed with the signer’s private key; the verifier recomputes the digest and checks the signature with the public key from the signer’s certificate | Issued to the owner by a Certificate Authority (CA) after it has verified their identity |
Digital certificates & Penneo
Penneo enables users to log into the system, access documents, and sign them using certificate-based authentication.
Identities are verified using certificate-based digital IDs issued by QTSPs such as NemID in Denmark, BankID in Sweden, BankID in Norway, itsme® in Belgium, and Bank ID/Mobile ID in Finland.