Public Key Certificates
Public keys are often contained in certificates. A user can digitally sign messages using his or her private key, and another user can verify the signature using the public key contained in the signer’s certificate, which was issued by a CA within the PKI. A public key certificate (sometimes called an identity certificate) is a file in a specified format (Mac OS X Server uses the x.509 format) that contains the following:
– The public-key half of a public-private key pair.
– The key user’s identity information, such as a person’s user name and contact information.
– A validity period (how long the certificate can be trusted to be accurate).
– The URL of someone with the power to revoke the certificate (its “revocation center”).
– The digital signature of either a CA or the key user.
Certificate Authorities (CAs)
A CA is an entity that signs and issues digital identity certificates claiming trust of the identified party. In this sense, it is a trusted third party between two transactions. In x.509 systems, CAs are hierarchical in nature, with CAs being certified by CAs, until you reach a “root authority.” The hierarchy of certificates is always top-down, with a root authority’s certificate at the top. A root authority is a CA that is trusted by enough or all of the interested parties, so that it does not need to be authenticated by yet another trusted third party.
A CA can be a company that, for a fee, signs and issues a public-key certificate stating that the CA attests that the public key contained in the certificate belongs to its owner, as recorded in the certificate. In a sense, a CA is a digital notary public. A user applies to the CA for a certificate by providing identity and contact information, as well as the public key. A CA must check an applicant’s identity, so that users can trust certificates issued by that CA to belong to the identified applicant.