Understanding Digital Certificates and Trust in IT Security

019_Certificates - CompTIA Security+ SY0-701 - 1.4

What is a Digital Certificate?

A digital certificate is a file that binds a public key to identifying information (such as a host name or an organization) and carries a digital signature over that binding. It functions similarly to an identification card but does more: it lets a remote party authenticate the holder and decide whether to trust it, which is the core of its role in IT security.

The Role of Trust in IT Security

One of the primary concerns in IT security is trust. When granting access to a system, we must ensure that the user or server is who they claim to be. A digital certificate helps establish this trust: a certificate authority (CA) digitally signs the certificate, vouching that the public key inside it belongs to the named subject. Anyone who trusts the CA can verify that signature with the CA's public key and therefore trust the certificate without contacting the CA first.

Methods of Establishing Trust

Digital Certificates in Web Browsers

When the browser has a secure (HTTPS) connection to a website, a lock icon appears in the address bar. Clicking the lock reveals the details of the site's X.509 certificate, the standardized format used for digital certificates: subject, issuer, validity period, public key, and the names the certificate covers.

How Does a Browser Trust a Website?

  1. The website presents its digital certificate to the browser, usually together with any intermediate CA certificates needed to chain up to a root.
  2. The browser checks that the certificate chains to a CA in its trust store, verifying each signature with the signer's public key, and also checks that the current date falls within the certificate's validity period and that the host name it connected to matches a name in the certificate.
  3. If every check passes, the browser accepts the certificate and the secure connection proceeds; if any check fails, the browser warns the user instead.

The Process of Obtaining a Digital Certificate

  1. Create a Certificate Signing Request (CSR): The server generates a key pair and builds a CSR containing the public key and identifying information (the subject name and the host names the certificate should cover). The CSR is signed with the server's private key, which never leaves the server.
  2. Send the CSR to a Certificate Authority: The CA verifies the request, checking the CSR's signature (proof that the requester holds the private key) and confirming that the requester controls the names it is asking for.
  3. CA Digitally Signs the Certificate: The CA uses its own private key to sign a certificate containing the requester's public key and identity.
  4. Certificate is Installed on the Web Server: Together with the server's private key, the certificate allows clients to authenticate the server and set up an encrypted connection.

Internal vs. Public Certificate Authorities

Wildcard and Subject Alternative Name (SAN) Certificates

Wildcard Certificates: Allow a single certificate to secure multiple subdomains. A name such as *.example.com covers www.example.com or mail.example.com, but only one label deep: it does not match example.com itself, nor a.b.example.com.

SAN Certificates: Allow multiple domain names to be listed within a single certificate through the Subject Alternative Name extension, for example example.com, www.example.com and example.net together. Modern browsers match the host name against the SAN list rather than the subject's common name, so every name the server answers for must appear there.

Revoking Digital Certificates

Ensuring Trust in Digital Certificates

A certificate may need to be withdrawn before it expires, for example when its private key is compromised or the server is decommissioned. Modern browsers check revocation status in two ways: a Certificate Revocation List (CRL), a CA-signed list of revoked serial numbers that the client downloads and searches, and the Online Certificate Status Protocol (OCSP), which asks the CA's responder about a single certificate. If a certificate is revoked, expired, or signed by a CA the browser does not trust, the browser issues a warning.
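The whole life cycle this page describes, as an added worked example that is not part of the original page or the Security+ course material: a self-signed root CA, a server CSR, CA signing, the browser-side checks from "How Does a Browser Trust a Website?", wildcard and SAN name matching, and a CRL lookup for a revoked certificate. It uses only Go's standard crypto/x509 package; the CA names, host names, serial numbers, and one-day validity window are constructed for the demo and are not real-world values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the demo short: any setup failure aborts, as a real CA tool would exit.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

var notBefore, notAfter = time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour) // hypothetical one-day window

// newCA builds a self-signed root CA, the kind a browser's trust store (or an internal PKI) holds.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// Step 1: the server makes its own key pair and a CSR with the public key and SAN names; the private key stays on the server.
func newCSR(dnsNames []string) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: dnsNames[0]}, DNSNames: dnsNames}
	return must(x509.CreateCertificateRequest(rand.Reader, req, key))
}

// Steps 2 and 3: the CA checks the CSR's own signature (proof of key possession), then signs a certificate with the CA key.
func caSign(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, serial int64) *x509.Certificate {
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// issueCRL is the CA publishing its signed list of revoked serial numbers.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: notBefore, NextUpdate: notAfter}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// browserCheck is the browser's decision: chain to a trusted root, dates in range, host matches a SAN, serial not on the CA-signed CRL.
func browserCheck(leaf, trustedRoot *x509.Certificate, host string, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(trustedRoot); err != nil {
		return err // a CRL the CA did not sign proves nothing
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %v is on the CA's CRL", leaf.SerialNumber)
		}
	}
	return nil
}

// RunScenarios exercises the cases described on the page; true means the browser accepted.
func RunScenarios() map[string]bool {
	root, rootKey := newCA("Example Internal Root CA") // in the browser's trust store
	rogue, rogueKey := newCA("Rogue CA")                // not in the trust store
	san := caSign(root, rootKey, newCSR([]string{"example.com", "example.net"}), 1001)
	wild := caSign(root, rootKey, newCSR([]string{"*.example.com"}), 1002)
	forged := caSign(rogue, rogueKey, newCSR([]string{"example.com"}), 1003)
	clean := issueCRL(root, rootKey)         // nothing revoked yet
	revoked := issueCRL(root, rootKey, wild) // the CA later revokes the wildcard certificate
	return map[string]bool{
		"san cert, listed name": browserCheck(san, root, "example.net", clean) == nil,
		"wildcard, one label":   browserCheck(wild, root, "www.example.com", clean) == nil,
		"wildcard, two labels":  browserCheck(wild, root, "a.b.example.com", clean) == nil,
		"untrusted ca":          browserCheck(forged, root, "example.com", clean) == nil,
		"revoked, crl checked":  browserCheck(wild, root, "www.example.com", revoked) == nil,
	}
}

func main() { fmt.Println(RunScenarios()) }
```

Run it with go run; the printed map shows which certificates a browser would accept. The two rejected name cases are the wildcard caveat from above (one label only) and the certificate signed by a CA outside the trust store, and the last case shows that a certificate which was acceptable a moment earlier is refused once the CA publishes a CRL listing its serial number. The CRL is the simpler of the two revocation mechanisms the page names; an OCSP check would ask the CA's responder about that one serial number instead of downloading the whole list.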