Basic concepts on digital certificates and PKI

  • What is Public Key Cryptography?
    • Public Key Cryptography is the encryption technology in which encryption and decryption are performed by separate but mathematically related keys, one of which is kept private and one of which is made public. This technology is the basis for Public Key Infrastructure (PKI).

  • What are public and private keys?
    • The asymmetric cryptography on which PKI is based employs a key pair in which whatever is enciphered with one key can only be deciphered with the other, and vice versa. One of these keys is "public" and is included in the electronic certificate, whilst the other is "private" and is known only to the certificate subscriber and, where appropriate, to the Key Archive. Anyone holding the public key can therefore check what the subscriber did with the private key (for example a signature), but cannot reproduce it.

  • What is a Public Key Infrastructure (PKI)?
    • A Public Key Infrastructure (PKI) is a technology, together with the related operational, registration, revocation and other certificate management procedures, used to assure the security and protection of electronic communications and of electronically stored data by means of pairs of public and private keys. A public key, together with the identity of its holder, is digitally signed by a trusted third party known as a Certification Authority (CA). The resulting signed structure is known as a digital certificate; it contains the public key and relevant information about the public key holder (the owner).

  • Why is PKI based on trust?
    • PKI provides the critical element of "trust" in electronic transactions as well as communications. It provides a means for relying parties to know that another individual's or entity's public key actually belongs to that individual/entity. Certification Authority organisations have been established to address this need.

  • What are the major elements of a PKI?
    • The major components of a PKI are the following:

      1. Certification Authority
      2. Digital certificates
      3. Public & private key pairs
      4. Certificate Policy (CP)
      5. Certification Practices Statement (CPS)
  • What is a Certification Authority (CA)?
    • A Certification Authority is a trusted third party that verifies the identity of an entity registering for a digital certificate. Once a Certification Authority authenticates the requesting entity's identity, it issues a digital certificate to the requesting entity binding his or her identity to a public key.

  • Is there any difference between a Certification Authority (CA) and a Certification Service Provider (CSP)?
    • Generally speaking, both terms are used interchangeably to denote an issuer of digital certificates.

  • What is a Registration Authority (RA)?
    • A Registration Authority (RA) is an entity that is trusted by the Certification Authority to register or vouch for the identity of users to a Certification Authority. An RA focuses on identifying and authenticating users; it does not sign or issue digital certificates. However, it is required to comply with preset standards for verifying a person’s identity.

  • What is a Certificate Revocation List (CRL)?
    • A Certificate Revocation List (CRL) is a list of certificates (or more specifically, a list of the serial numbers of the certificates) that have been revoked before their expiry date, and therefore should not be relied upon. The CRL is created and digitally signed by a Certification Authority. A relying party must verify that signature before trusting the list, and must consult the list for every certificate it relies on: a certificate that is still within its validity period may nevertheless have been revoked.

  • What are the Certificate Practice Statement (CPS) and the Certificate Policies (CPs) documents?
    • A Certification Practice Statement (CPS) is a document that describes how the Certification Authority manages the certificates it issues. It contains items such as the obligations of the Certification Authority, its liabilities and warranties, confidentiality policy, etc.

      The Certificate Policies (CPs) will establish the applicable procedures to manage (issue, renew, revoke, suspend and activate) each type of certificate. It contains items such as the identification and authentication requirements, and details of what information will be contained in the certificates.

  • What is a digital certificate?
    • A digital certificate is an electronic document, signed by a Certification Authority, certifying the relationship between a public key and the identity of the public key holder. It also includes additional information such as the certificate serial number, the validity period, the location of the issuer's policies, revocation information, etc.

      Although, properly speaking, the digital certificate only contains a public key, the term "certificate" is often used to describe the pair of public and private keys. For example, the expression "the user used a digital certificate to authenticate" is often used to describe that the user used her private key to authenticate, and the web server used the public key in the user's certificate to verify the result and hence her identity.

  • What is the difference between software and hardware digital certificates?
    • The key difference lies in where the private key belonging to the digital certificate is kept: for hardware certificates it is stored inside a physical token (e.g. a smart card or USB token) that is designed so that the key cannot be exported, whereas for software certificates it is stored in a software container, generally created by the operating system, from which it can usually be copied. This simple difference has further implications for the level of trust that can be achieved with one type or the other. Hardware certificates provide a higher level of trust, because the private key can only be used by whoever physically holds the token.

  • Do digital certificates have a limited life time?
    • Yes, all digital certificates have an explicit start date and an explicit expiration date. Most applications check the validity period of a certificate when the digital certificate is used. Expiry is not the only reason a certificate may be unusable, however: a certificate may also have been revoked before its expiration date, which checking the validity period alone will not reveal.
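
The building blocks described in the preceding questions (key pairs, a Certification Authority, a certificate binding an identity to a public key, the validity period, and the CRL) in working code, as an added example that is not part of this FAQ or of any ESCB system. A toy CA issues a one-year certificate to a hypothetical subscriber "alice"; a relying party verifies it against the trusted root, repeats the check after the expiry date and against an unrelated CA, and finally the CA publishes a signed CRL in which the relying party looks the serial number up. All names, serial numbers and validity periods are made up; the Go standard library's crypto/x509 package does the actual signing and verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must unwraps CA-side setup calls that cannot legitimately fail in this toy.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// MiniPKI is a toy PKI: a self-signed CA and one certificate it has issued.
type MiniPKI struct {
	CAKey  *ecdsa.PrivateKey // the CA's signing key; everything below hangs off it
	CACert *x509.Certificate // self-signed; relying parties install it as a trust anchor
	EECert *x509.Certificate // Alice's public key and identity, signed by the CA
}

// issue signs tmpl (the holder's public key plus identity) with the parent's key.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// BuildPKI creates the CA, then has it issue a one-year certificate to "alice"
// (hypothetical name; her identity is assumed to have been checked by an RA).
func BuildPKI(now time.Time) *MiniPKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caCert := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // parent == template: self-signed
	aliceKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // generated by the subscriber
	eeTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{CommonName: "alice"},
		NotBefore:    now,
		NotAfter:     now.AddDate(1, 0, 0), // every certificate carries an explicit expiry
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	// Only Alice's public key reaches the CA; the CA signs it with its own private key.
	eeCert := issue(eeTmpl, caCert, &aliceKey.PublicKey, caKey)
	return &MiniPKI{CAKey: caKey, CACert: caCert, EECert: eeCert}
}

// Verify is the relying party's check: does Alice's certificate chain to the
// trusted root, and is it inside its validity period at time at?
func (p *MiniPKI) Verify(trustedRoot *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := p.EECert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	return err
}

// IsRevoked has the CA publish a signed CRL listing Alice's serial number, then
// checks it as a relying party must: CRL signature first, serial lookup second.
func (p *MiniPKI) IsRevoked(now time.Time) (bool, error) {
	crlTmpl := &x509.RevocationList{
		Number:                    big.NewInt(1),
		ThisUpdate:                now,
		NextUpdate:                now.Add(24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: p.EECert.SerialNumber, RevocationTime: now}},
	}
	crlDER := must(x509.CreateRevocationList(rand.Reader, crlTmpl, p.CACert, p.CAKey))
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(p.CACert); err != nil {
		return false, err // a CRL whose signature does not verify must be ignored
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(p.EECert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	now := time.Now()
	p, other := BuildPKI(now), BuildPKI(now) // other: an unrelated CA we do not trust
	fmt.Println("valid, trusted CA:", p.Verify(p.CACert, now))
	fmt.Println("two years on:     ", p.Verify(p.CACert, now.AddDate(2, 0, 0)))
	fmt.Println("unknown CA:       ", p.Verify(other.CACert, now))
	revoked, err := p.IsRevoked(now)
	fmt.Println("listed in CRL:    ", revoked, err)
}
```

Two design points carry over to real deployments: the relying party never sees a private key (only the two certificates and the CRL), and the CRL is checked for a valid signature from the CA before its contents are consulted, since an unsigned list could otherwise be used to "un-revoke" a certificate. The error returned by Verify after the expiry date is distinct from the one returned for the unknown CA, so an application can log which check failed.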

  • What is a Qualified Certificate?
    • A Qualified Certificate is a special kind of certificate that:

      1. Contains a minimum set of elements that are specified in the European Directive (99/93/EC); and
      2. Is produced by a Qualified CSP, which meets the specific technical and procedural requirements that are also spelled out in the aforementioned Directive
  • What is an Electronic Signature?
    • An electronic signature is data in electronic form which are attached to or logically associated with other electronic data and which serves as a method of authentication.

  • What is an Advanced Electronic Signature?
    • An Advanced Electronic Signature is an electronic signature which meets the following requirements:

      1. It is uniquely linked to the signatory;
      2. It is capable of identifying the signatory;
      3. It is created using means that the signatory can maintain under his sole control; and
      4. It is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.
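
How a key pair delivers the four properties above, and the rule from the earlier key-pair question that what one key enciphers only the other can decipher: an added Go example, not part of this FAQ or of any ESCB system, using an RSA key pair from the standard library. The signature is computed over a hash of the document with the private key and checked with the public key alone, so a change to the document or a signature made under another key pair is rejected; encryption runs in the opposite direction. The sample document and the names "alice" and "mallory" are made up.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Subscriber holds one key pair. The private key stays here, under the
// subscriber's sole control; relying parties only ever receive the public key.
type Subscriber struct {
	priv *rsa.PrivateKey
}

// NewSubscriber generates a fresh 2048-bit RSA key pair.
func NewSubscriber() (*Subscriber, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Subscriber{priv: k}, nil
}

// Public returns the half of the key pair that would go into a certificate.
func (s *Subscriber) Public() *rsa.PublicKey { return &s.priv.PublicKey }

// Sign hashes the document and signs the digest with the private key (RSA-PSS),
// so the signature is linked both to this exact document and to this key pair.
func (s *Subscriber) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, s.priv, crypto.SHA256, digest[:], nil)
}

// VerifySignature is the relying party's side: with only the public key it
// re-hashes the document it received and checks the signature against that
// digest. Any change to the document, or a signature made with another key
// pair, makes this return false.
func VerifySignature(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Encrypt is the other direction of the key pair: anyone with the public key
// can encrypt, and only the private key holder can decrypt (RSA-OAEP).
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt recovers a message encrypted for this subscriber's public key.
func (s *Subscriber) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, ct, nil)
}

func main() {
	alice, err := NewSubscriber()
	if err != nil {
		panic(err)
	}
	doc := []byte("Transfer 100 EUR to account 42") // constructed sample document
	sig, err := alice.Sign(doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:  ", VerifySignature(alice.Public(), doc, sig))
	tampered := []byte("Transfer 900 EUR to account 42")
	fmt.Println("tampered verifies:  ", VerifySignature(alice.Public(), tampered, sig))
	mallory, _ := NewSubscriber()
	fmt.Println("other key verifies: ", VerifySignature(mallory.Public(), doc, sig))
	ct, _ := Encrypt(alice.Public(), []byte("for alice only"))
	pt, _ := alice.Decrypt(ct)
	fmt.Println("decrypted:          ", string(pt))
}
```

What turns this into an electronic signature in the sense of the Directive is not the arithmetic but the surrounding PKI: the public key used in VerifySignature has to be tied to a named signatory by a certificate, and the private key has to be kept under the signatory's sole control, which is the point of the hardware tokens discussed earlier.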
  • What is a Qualified Electronic Signature?
    • The European Directive (99/93/EC) regulates the implementation and recognition of electronic signatures within the European Union. The Directive stipulates that a Qualified Electronic Signature (QES) shall:

      1. Be an Advanced Electronic Signature as defined in the Directive (currently, only PKI digital signatures using asymmetric cryptography fulfil this requirement);
      2. Be based on a Qualified Certificate (QC) issued by a suitably certified Certification Service Provider (CSP); and
      3. Be created by a Secure Signature-Creation Device (SSCD) that meets specific functional conditions which are also laid down in the Directive.
  • Regulations related to digital certificates
    • Legal and regulatory issues are of utmost importance in the implementation of a PKI. The most relevant is the European Parliament and Council Directive 1999/93/EC of 13 December 1999 on a Community Framework for Electronic Signatures.

© European System of Central Banks. All rights reserved