Electronic transfers

3 types of PKI certificates and their use cases

Data can traverse many networks and systems before reaching its destination. Securing the data and guaranteeing the authenticity of the sender behind the data is essential. This is where the public key infrastructure comes in.

PKI is a set of systems and procedures that enables PKI certificates, also known as digital certificates. These certificates are electronic documents that, through the underlying PKI that binds the public key of a key pair to its entity, verify the authenticity of the entity.

The digital equivalent of a passport or driver’s license, a PKI certificate also enables digital signatures and authentication mechanisms, such as two-factor authentication (2FA).

PKI certificates are essential to the operation of an organization, but not all certificates are the same. There are three common types of PKI certificates:

  1. SSL/TLS certificates
  2. code signing certificates
  3. client certificates

Below, review the three varieties of certificates and their use cases, along with a list of other important terms related to PKI certificates.

1. SSL/TLS Certificates

SSL and TLS are two well-known network protocols that use certificates to authenticate a server’s identity and encrypt transfers between a browser and a server. Although SSL was replaced by TLS in 1999 and completely obsoleted by the Internet Engineering Task Force in favor of TLS in 2015, certificates are still often referred to as SSL, SSL/TLS, or TLS/SSL certificates.

SSL/TLS certificates are issued by a certificate authority (CA). When a user visits a website, the browser connects to a server and the server shares its certificate and public key with the user. The certificate is then checked to ensure that it is trustworthy. Then the browser returns a public key, which the server decrypts with its private key. The server then returns a session key to start the encrypted session. This key is only valid for one session. So if a user tries to interact with the same server again, the process is repeated and a new session key is created. This operation is called SSL/TLS handshake.

SSL/TLS certificates are most commonly used to encrypt and authenticate data exchange between web servers and web browsers. Websites with an SSL/TLS certificate display HTTPS in front of their URLs. This certifies that the domain is protected by an SSL/TLS certificate, which means the website can be verified as legitimate and user information remains protected when interacting with the site.

SSL/TLS certificates can be used to encrypt communications between any application client and server. This includes web browsers and web servers, using HTTPS, as well as data exchanges by other client-server applications, including email, file transfer, instant messaging, etc. Note, however, that SSL/TLS certificates do not encrypt emails or messages; they encrypt the connection between sender and receiver.

Types of SSL/TLS certificates

The most common types of SSL/TLS certificates are:

  • Domain verification is a low-level SSL/TLS certificate that validates that the certificate holder has the right to use the domain name. It does not validate who the certificate holder is.
  • Organization Validation is a mid-level certificate that verifies that an organization has the right to use a domain. The certificate includes the name and address of the organization.
  • Extended Validation is a high-level certificate that verifies the legitimacy of the legal, operational and physical existence of an organization.
  • Single domain is a certificate that authenticates a domain.
  • Wildcard character is a certificate that authenticates a domain and an unlimited number of its subdomains.
  • Multi-domain is a certificate that authenticates multiple domains.
  • Multi-domain wildcard is a certificate that combines generic and multi-domain functions to authenticate multiple domains and subdomains.
Different types of SSL/TLS certificates offer different levels of validation and domain coverage.

2. Code Signing Certificates

A code signing certificate, also known as software signing certificate, uses a digital signature to verify the owner of the software. The software developer signs the application and all executables – for example, patches or software updates – to verify that the software code is from whom they say it is and to ensure that the code has not been altered or tampered with before it reaches end users. A timestamp can be added to the certificate when it is signed, so that even if the certificate expires, users know the digital signature is valid.

Software developers and publishers use private keys to add digital signatures to their code. The signature is decrypted by a public key on an end user’s device. The user’s device then searches for a root certificate to authenticate the digital signature. The device then verifies that the hash of the digital signature matches the hash of the code. Only then is the software downloaded.

Code signing certificates protect the developer’s intellectual property, while ensuring code integrity and protecting end users from downloading corrupt code. These certificates are mainly used for code published on the Internet or on third-party platforms. Apple, for example, requires all iOS apps to be signed by an Apple-issued certificate.

The digital signature process
Digital signatures require a hash and private/public key pairs to be validated.

3. Client certificates

Unlike an SSL/TLS certificate, which authenticates the identity of a server and secures data in transit, a client certificate only authenticates the identity of an end user or device. A client certificate, also called digital identification Where personal identity certificate, connects an ID to a public key. Servers using client certificate authentication use these digital credentials to ensure that only authorized people and devices can access systems. Once authenticated, the certificate’s private key is used to create a secure connection where users and devices can encrypt data, email, and other communications.

Client certificates can be used as an alternative authentication method to passwords, where organizations grant access based on digital credentials. Client certificates can also be used in addition to a password to enable 2FA.

Other Terms to Know

  • Certificate Authority. A certificate authority is a trusted entity that issues different types of PKI certificates. Certificate authorities also verify certificate information and maintain certificate revocation lists.
  • Root certificates. A root certificate is the highest level of certificate. It is used by certificate authorities to create intermediate certificates.
  • Intermediate certificates. An intermediate certificate is used to digitally sign certificates issued by a certificate authority.
  • Certificate chain. A certificate chain begins with a root certificate, which is used to sign the next intermediate certificate, which is used to sign the next certificate, and so on. If the superior certificate is trusted, the whole chain is verified.
    CA certificate chain
    In a certificate chain, each certificate is validated by the previous certificate. If the superior certificate is verified, the chain can be trusted.
  • Verified brand certificate. A digital certificate issued by a certification authority that validates that a logo belongs to its owner is called a verified brand certificate. Verified Trademark Certificates allow organizations to display trademarks in the avatar slot when sending emails.
  • 509 certificate. A digital certificate that uses the PKI X.509 standard to verify the identity of a certificate owner is called a X.509 certificate. Most SSL/TLS certificates are X.509 certificates.