A cryptographic certificate is a user’s public key that has been signed and encrypted using the private key of a well-known certificate authority. The certificate lets users give out their public key to others, and lets those others trust that they have received the correct user’s public key.
This trust is established by a community agreement to rely on the certificate organization to verify the identity of users. It then allows users’ public keys to be signed to certify that they belong to a certain user. X.509 is a popular format for cryptographic certificates.
Public key and private key
Encrypting data with a public key/private key pair means that the data is encrypted using one key and can only be decrypted using the other key. This works very well, although it is very hard to understand.
The keys resemble each other and can only be used alternately: one key is used to decrypt what the other key has encrypted. The key pair is built on prime numbers, and the length of the numbers makes the process of decrypting the message without the key complicated.
For this to work, one has to keep one key secret (the private key) and give out the other (the public key) to everybody. This means that others can send you messages that only you can decrypt, because you are the only one who has the other key of the pair.
Conversely, you can certify that a message comes from you by encrypting it with your private key; only parties with the public key will be able to verify it correctly. Be aware that in this case the messages are not secure; you have only signed them. Remember that the public key is out there with numerous parties.
The challenge, however, is knowing which public key corresponds to the other party’s private key. To find out, you have to ask the other person to send you a certificate and a non-confidential signed message which contains the public key.
How do you know that the person or the website you are dealing with is the correct one? It might require you to go to great lengths and spend considerable resources to prove that you are dealing with the right party.
You have to trust that you have the other person’s/party’s certificate loaded in your browser. The certificate holds the owner’s information, including the owner’s name, email address, the certificate’s validity, its usage and resource location, amongst others.
You can also get the Distinguished Name (DN), which contains the Common Name (CN), that is, the site’s address or an email address depending on the certificate’s usage, and the certificate ID of the person who certifies this information.
The certificate has a public key and a hash, which shows that the certificate has not been tampered with. You also trust the certificate because you have chosen to trust the person who signed it.
Certificate tree or certificate path
A root certificate of a well-known Certification Authority (CA), or root CA certificate, is normally loaded into your browser or application. The CA usually maintains the lists of all signed certificates and revoked certificates.
A signed certificate cannot be changed, so a certificate remains insecure until it is signed. A certificate can be used to sign itself, and this is known as a self-signed certificate. All root CA certificates sign themselves.
As you may have noted, the certificate contains important information which proves that it has not been tampered with. The private key should never be transmitted in any form whatsoever, and the certificate does not contain it. Using the public key in the certificate, you can send a message to the owner or verify a message signed by the owner of the certificate.
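The checks described above (a hash that detects tampering, a self-signed root already held by the browser, and a certificate path leading up to it), as an added example that is not part of the original article. It uses textbook RSA with small known primes in place of X.509, and every name in it (Cert, issue, signed_by, verify_path, the sample subjects) is an assumption made for illustration.

```python
import hashlib
from dataclasses import dataclass, replace

E = 65537  # public exponent shared by every toy key

def make_keypair(p, q):
    """Textbook RSA from two primes: returns (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pubkey: int         # subject's public modulus
    signature: int = 0  # issuer's signature over the other three fields

def digest(cert, n):
    """Hash of the signed fields, reduced to fit the issuer's modulus."""
    data = f"{cert.subject}|{cert.issuer}|{cert.pubkey}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, pubkey, issuer, issuer_n, issuer_d):
    """Sign the hash with the issuer's private key."""
    unsigned = Cert(subject, issuer, pubkey)
    return replace(unsigned, signature=pow(digest(unsigned, issuer_n), issuer_d, issuer_n))

def signed_by(cert, issuer_n):
    """Undo the signature with the issuer's public key and compare hashes."""
    return pow(cert.signature, E, issuer_n) == digest(cert, issuer_n)

def verify_path(path, trusted_roots):
    """path is leaf first; it must end in a self-signed root we already hold."""
    if not path:
        return False
    root = path[-1]
    if root.subject != root.issuer or trusted_roots.get(root.subject) != root.pubkey:
        return False
    if not signed_by(root, root.pubkey):
        return False
    return all(child.issuer == parent.subject and signed_by(child, parent.pubkey)
               for child, parent in zip(path, path[1:]))

# Constructed sample data: Mersenne primes keep the toy keys short, not secure.
ROOT_N, ROOT_D = make_keypair(2**107 - 1, 2**127 - 1)
SITE_N, SITE_D = make_keypair(2**61 - 1, 2**89 - 1)
ROOT = issue("Example Root CA", ROOT_N, "Example Root CA", ROOT_N, ROOT_D)
SITE = issue("www.example.test", SITE_N, "Example Root CA", ROOT_N, ROOT_D)
TRUSTED = {"Example Root CA": ROOT_N}
FORGED = replace(SITE, pubkey=SITE_N + 2)                      # key swapped after signing
ROGUE = issue("Rogue CA", SITE_N, "Rogue CA", SITE_N, SITE_D)  # valid self-signature
```

The rogue certificate carries a correct self-signature yet fails the path check, because a self-signature proves nothing until the root is already in the trusted list.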