A digital certificate, also known as a public key certificate or identity certificate, is a password credential used to validate the authenticity of a user, device, server, or website.

They are used for digital communications and to exchange data securely. Digital certificates confirm the authenticity of an organization's website before a user makes a connection.

It also ensures that only verified devices can connect to an organization's network. 

Digital certificates use Public Key Infrastructure, a framework of encryption used to protect and authenticate digital communications.

They have a key pair, including a public and private one, that should match to make a secure connection.

Digital certificates are scalable, can be implemented to secure many user devices globally, and can be managed from a centralized system.

A publicly trusted Certificate Authority can only issue digital certificates.

Below are the three main types of public key certificates:

• TLS/SSL (Transport Layer Security/Secure Sockets Layer) certificates: hosted by the server and used to transfer data between a computer and the server.
• Client certificates: are used to validate the connection between devices or users to access a secure database and email.
• Code signing certificates: used by DevOps to validate the authenticity of software code before downloading it.

A certificate authority is a trusted entity that verifies the authenticity of websites, email addresses, organizations, and individuals and binds them to cryptographic keys by issuing digital certificates.

A popular and most common example is the HTTPS browsing protocol for websites. Users can identify that they are connected to the original website and avoid falling victim to phishing scams.

This website example is known as an SSL/TLS certificate. There are three different types of TLS certificates that CAs issue: domain validation (DV), organization validation (OV), and extended validation (EV).

Besides TLS certificates, they also issue other digital certificates, such as Code signing certificates, email certificates, device certificates, and user or client certificates, device certificates, and user or client certificates.

Certificate authorities use asymmetric encryption and Public Key Infrastructure (PKI) to issue certificates. Certificate authorities also maintain a Certificate Revocation List (CRL) to revoke certificates if the credentials have been compromised.

A public Certificate Authority is a third-party entity that issues certificates to other organizations/Because public CAs comply with the regulatory standards outlined by the CA/Browser Forum (CA/B Forum), they are widely accepted as a trusted source across the internet.

Some of the most popular public CAs are IdenTrust, DigiCert, Sectigo, GoDaddy, GlobalSign, Let's Encrypt, etc. In comparison, a private certificate authority is owned by an organization and follows internal procedures to confirm the security of that organization.

It can be trusted within the organization's periphery and cannot be used for any external purposes.

A Certificate Authority (CA) is an entity that issues digital certificates used to establish trust in electronic communications and transactions.

A CA's role is to verify an individual or organization's identity and issue a certificate that binds the entity's identity to a public key.

This certificate can establish a secure connection between the entity and a website or a device.

CAs are responsible for maintaining the security of their infrastructure and issuing certificates in compliance with industry standards and best practices.

They also revoke certificates that are no longer valid and maintain the trust of the certificate's validity.

A certification authority (CA) is a trusted entity that issues digital certificates which verify the identity of individuals and organizations. A root private key is a key used by a CA to sign the digital certificates it issues.

Theft of a root private key would be a serious security concern, as an attacker who obtains the root private key could use it to issue fraudulent digital certificates.

This could allow the attacker to impersonate other individuals or organizations and intercept and decrypt secure communications.

If a root private key is stolen, the CA should revoke all the certificates and issue new ones. This process is known as a root key rollover.

CAs must have robust security measures to protect the root private key from theft and plan to respond to a key compromise.

This includes regular key replacement, secure storage using a FIPS 140-2 Level 3 certified hardware security module (HSM), access controls, monitoring, and incident response plans.

Subversion of online certificate validation refers to an attacker manipulating the certificate validation process to authenticate a fraudulent certificate successfully. Below are the popular attempts.

Man-in-the-middle attack: An attacker intercepts and alters the communication between a user and a certificate authority (CA) to present a fraudulent certificate to the user.

Phishing: An attacker tricks a user into visiting a fake website that presents a fraudulent certificate and then uses the user's trust in the certificate to steal sensitive information.

DNS spoofing: An attacker alters the Domain Name System (DNS) records to redirect users to a fake website that presents a fraudulent certificate.

Rogue CA: An attacker creates a fake CA and issues fraudulent certificates that users and systems recognize as valid.

Organizations must use robust certificate validation techniques, such as certificate pinning, and keep the list of trusted CAs up to date. Users must educate themselves on the risks of phishing and other types of attacks.

Keeping the software and browser updated can protect them against vulnerabilities causing subversion of certificates.

Code Signing is a digital certificate that guarantees the authenticity and integrity of a software program.

Developers, programmers, and software engineers use code signing before downloading software code to avoid compromising the systems.

Code signing validates that the software code is from the original author and is safe to install and run on the machines.

Code signing utilizes public key cryptography to create a pair of a public and private keys. The public key is sent to a trusted Certificate Authority (CA) to verify the software developer's identity.

The CA shares the code signing certificate, signed by CA's private key containing the developer's identity and the developer's public key.

The developers then hash the code they created and encrypt it with their private key. They add the encrypted code and the code signing certificate to the final software stack.

For the code signing process, when a user downloads the software, he uses the public key of the CA, preinstalled in the web browser to verify the authenticity of the code signing certificate.

He then extracts the developer's public key from the certificate and decrypts the encrypted hash.

Code signing has weaknesses, so organizations must store encryption keys in highly trusted physical devices, such as Hardware Security Modules (HSM).

They are tamper-resistant and use extremely secure cryptographic operations, authentication, and key management.

A digital signature is a virtual fingerprint used to identify users, validate their consent and protect data in digital communications. Examples include tokens, biometric data, passwords, and digitized handwritten signatures.

They are used in emails, credit card transactions, or legal documents. Digital signatures ensure privacy, authentication, integrity, and non-repudiation.

An Advanced Electronic Signature (AES) and Qualified Electronic Signature (QES) have asymmetric cryptography technology and public key infrastructure containing a digital certificate and the highest security level.

For example, a sender uses a hash algorithm to create a hash of data. He then feeds his private key and the hash data into a signature algorithm to create the digital signature. This signature is attached to the hashed data and sent to the receiver.

The receiver feeds the digital certificate and the public key into a verification algorithm to create an output. The receiver also runs the same hash function on the received data to create a hash value.

For verification, the output received by the verification algorithm and the hash value should match for the receiver to confirm the validity of the digital signature.

Since the sender creates a digital signature using a private key that no one can access, he cannot repudiate signing the data in the future.

Whenever a piece of information or an event is recorded, it is timestamped. For example, a picture taken, video recorded, shared tweet, or any social media post.

Timestamps are valuable for tracking when the information was created or modified. It is more effective in legal scenarios.

Suppose an organization signs a copyright contract with a distributor. The distributor violates the rules and argues that the event happened before the signed contract.

In such cases, the organization can prove the facts if they have a timestamp of the contract signature. However, timestamps solely based on time clocks are vulnerable. Hackers can easily hack the system clocks to compromise the information.

Timestamping Authority (TSA), a trusted third party, generates trusted timestamps using secure FIPS-compliant hardware to avoid data manipulation.

RFC 3161 – RFC 5035 and Microsoft Authenticode are two major protocols usually followed by TSAs for time stamping.

The client application creates a hash and sends it to the TSA for time stamping. Once the hash is submitted, any changes made to the code must be communicated to the TSA.

The TSA combines the hash of data and the trusted time stamp using the PKI technology to create a timestamp token. The client attaches the timestamp token to the document or code signature.

Trusted timestamps ensure non-repudiation and Long-Term Validation (LTV) of the signature. LTV is applicable when users want to download a developer's software and confirm the validity of a signature even after it is revoked or expired.

The user machine will validate the signature based on the time it was digitally signed rather than the current time of his system and allow him to download the software but without the latest updates.

The developer can re-issue the code signing certificate.