Digital certificates are a lot like identification cards: they are electronic credentials used to prove the identity of users, devices, or organizations. Issued by Certification Authorities (CAs), a digital certificate binds the owner's public key to the owner's identity; the matching private key never appears in the certificate and stays with the owner. A certificate contains data that identifies its owner, such as the subject's identification information and public-key value, together with the CA's name and the CA's digital signature over all of those fields, which the CA computes with its own private key. Certificates are often distributed through public folders, email, web pages, and directories. They are used to digitally sign electronic data so that it can be protected and verified, to authenticate users who are communicating over networks, and to protect the symmetric secret keys that are exchanged over networks. Digital certificates also secure mail, web communications, code signing, and local and remote access to network resources.
To obtain a digital certificate, one must contact a certification authority (CA). In Microsoft Outlook, for example, go to the Tools menu, click Trust Center, and then click E-mail Security. Under Digital IDs, click Get a Digital ID. Then click Get an S/MIME Certificate from an External Certificate Authority and click OK. You will be shown a list of available CAs; select one and follow its instructions. Once you are registered with the CA, it will usually send you an email containing your digital ID and the necessary instructions. Such certificates are typically valid for one to two years. One can also become a CA in several ways, depending on what one wishes to do. To become a root CA, one can set up one's own infrastructure and generate keys. However, browser and operating-system vendors will not add a root certificate to their trust stores without, at a minimum, a WebTrust audit, so a self-made root is trusted only by clients that have been explicitly configured to trust it.
One can also create a CA certificate with OpenSSL. First, generate a private key with the openssl genrsa -des3 -out server.CA.key 2048 command (the -des3 option encrypts the key with a passphrase, which you will be asked for on every later use). Next, create a certificate signing request with the openssl req -verbose -new -key server.CA.key -out server.CA.csr -sha256 command, filling in the required information such as country, state, locality, organization, common name, and email address. Then self-sign the request with the command openssl ca -extensions v3_ca -out server.CA-signed.crt -keyfile server.CA.key -verbose -selfsign -md sha256 -enddate 330630235959Z -infiles server.CA.csr. Note that openssl ca expects a configured CA directory (an openssl.cnf with a [ ca ] section, an index.txt database, a serial file, and a new_certs_dir) and that the -enddate value is in YYMMDDHHMMSSZ form, so 330630235959Z means 30 June 2033. Lastly, the command openssl x509 -noout -text -in server.CA-signed.crt lets you inspect the certificate. The resulting certificate file, server.CA-signed.crt, is what you make available to anyone who uses your website or who must trust the certificates you sign; the private key, server.CA.key, must never be distributed, since anyone holding it can issue certificates in your CA's name.
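The procedure above, carried through as an added example (this is not code from the original page or from either of its sources): a POSIX shell script that creates the CA directory that openssl ca needs, self-signs a root certificate, and then goes one step beyond the text by issuing a server certificate from that root and verifying the chain the way a client would. The directory layout, the subject names and the hostname www.example.test are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example, not code from the original page: stand up a private CA with
# `openssl ca` (the command the text uses) and issue a server certificate from it.
# Directory layout, subject names and the hostname www.example.test are assumptions
# chosen for this demo.
set -eu

# `openssl ca` refuses to run without its database (index.txt), a serial file,
# a directory for issued certs and a config file naming them; set those up.
init_ca_dir() {
    ca_dir=$1
    mkdir -p "$ca_dir/newcerts"
    : > "$ca_dir/index.txt"
    echo 1000 > "$ca_dir/serial"
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir            = $ca_dir
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
serial         = \$dir/serial
default_md     = sha256
policy         = policy_any
unique_subject = no

[ policy_any ]
countryName      = optional
organizationName = optional
commonName       = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Root CA: key, CSR, then self-signed certificate (the page's genrsa / req /
# ca -selfsign sequence). The key is left unencrypted so the script needs no
# passphrase; a real CA key should be passphrase-protected (genrsa -des3, as in
# the text) or kept in an HSM.
make_root_ca() {
    ca_dir=$1
    init_ca_dir "$ca_dir"
    openssl genrsa -out "$ca_dir/ca.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$ca_dir/openssl.cnf" -key "$ca_dir/ca.key" \
        -subj "/C=US/O=Example Corp/CN=Example Corp Root CA" -out "$ca_dir/ca.csr"
    openssl ca -batch -notext -config "$ca_dir/openssl.cnf" -selfsign \
        -keyfile "$ca_dir/ca.key" -extensions v3_ca -md sha256 -days 3650 \
        -in "$ca_dir/ca.csr" -out "$ca_dir/ca.crt"
}

# Issue a leaf certificate for a hostname, signed with the CA key. Leaf extensions
# come from a per-request extfile so the leaf is marked CA:FALSE and carries a SAN.
issue_server_cert() {
    ca_dir=$1; host=$2; out_dir=$3
    mkdir -p "$out_dir"
    openssl genrsa -out "$out_dir/$host.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$ca_dir/openssl.cnf" -key "$out_dir/$host.key" \
        -subj "/C=US/O=Example Corp/CN=$host" -out "$out_dir/$host.csr"
    cat > "$out_dir/$host.ext" <<EOF
[ v3_server ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$host
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
    openssl ca -batch -notext -config "$ca_dir/openssl.cnf" \
        -cert "$ca_dir/ca.crt" -keyfile "$ca_dir/ca.key" -md sha256 -days 397 \
        -extfile "$out_dir/$host.ext" -extensions v3_server \
        -in "$out_dir/$host.csr" -out "$out_dir/$host.crt"
}

# What a client does once it trusts ca.crt: build and check the chain. Exit status
# 0 means the leaf was issued by this CA; a leaf from any other CA fails here.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null
}

# Subject of a certificate in RFC 2253 form (stable across OpenSSL versions).
cert_subject() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1"
}

# Number of certificates this CA has recorded in its database (index.txt).
issued_count() {
    wc -l < "$1/index.txt" | tr -d ' '
}

# Demo: sh make_ca.sh /tmp/pki
if [ $# -eq 1 ]; then
    make_root_ca "$1/ca"
    issue_server_cert "$1/ca" www.example.test "$1/site"
    verify_chain "$1/ca" "$1/site/www.example.test.crt"
    echo "$(issued_count "$1/ca") certificate(s) issued; chain verifies"
    openssl x509 -noout -text -in "$1/ca/ca.crt"   # inspect the root as the page does
fi
```

A self-signed root can also be produced in one step with openssl req -x509, with no database at all, but openssl ca is the right tool once the CA issues certificates to others: index.txt and the serial file are the CA's own record of what it has signed, which is what a later revocation or an incident investigation has to start from. Note that verify_chain against a different CA's directory fails even though the leaf is perfectly well formed, which is the practical meaning of the trust-store caveat above: a certificate proves nothing to a client that does not already trust its issuer.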