What is a public key certificate? (2022)

What is a public key certificate? (1)


  • TechTarget Contributor

What is a public key certificate?

A public key certificate is a digitally signed document that serves to validate the sender's authorization and name. It uses a cryptographic structure that binds a public key to an entity, such as a user or organization. The digital document is generated and issued by a trusted third party called a certification authority.

Public key certificates, which are also known as digital certificates, include the public key, identity information about the owner and the name of the issuing certificate authority (CA). The CA, a trusted third party, issues digital certificates that verify the identity of parties in an exchange of information over the internet. A digital certificate provides assurance of a person's identity, and the CA establishes that assurance by validating the identity of the person who requests the certificate.

(Video) Exchanging Public Key Certificates

How does a public key certificate work?

Public key certificates form a part of a public key infrastructure (PKI) system that uses encryption technology to secure messages and data. A public key certificate uses a pair of encryption keys, one public and one private. The public key is made available to anyone who wants to verify the identity of the certificate holder, while the private key is a unique key that is kept secret. This enables the certificate holder to digitally sign documents, emails and other information without a third party being able to impersonate them. The four main components of PKI are public key encryption, trusted third parties such as the CA, the registration authority and the certificate database or store.

What is a public key certificate? (2)

There are different types of public key certificates for different functions, such as authorization for a specific type of action. The following are common fields found in digital certificates:

  • Serial number. This number distinguishes the certificate from other certificates.
  • Algorithm information. The issuer uses this algorithm to sign the certificate.
  • Issuer. This is the name of the CA that issued the certificate.
  • Validity period of the certificate. These are the start and end dates that define when the certificate is valid.
  • Subject distinguished name. This is the name of the identity to which the certificate is issued.
  • Subject public key information. This is the public key that is associated with the identity.

What are the different types of certificates?

Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates. These certificates are the core of transport layer security (TLS) protocol, which is an updated version of SSL. These digital files contain a public encryption key that is used to validate server identity and a digital signature to ensure the integrity and the source of data and other information transmitted online. These certificates facilitate the exchange of encryption keys between web servers and browsers, which enable a secured connection.

The chain of trust, trust path or trust chain is a sequence of certificates that a web browser must traverse to verify that a particular website is authentic and, therefore, secure. A chain of trust typically includes a root certificate, an intermediate certificate and a leaf certificate.

(Video) Digital Certificates Explained - How digital certificates bind owners to their public key

There are multiple types of TLS/SSL certificates:

  • Domain validation (DV) certificates. These certificates are typically the most basic and most affordable type of certificate web browsers trust. DV certificates require that the domain name of an organization is verified by the issuing CA before they are issued. These certificates can be issued within minutes and do not require the website owner to prove their identity. When a browser sees a DV certificate, it trusts that the owner of the domain is indeed the owner of the certificate and that the certificate is only meant for that specific domain.
  • Organization validation (OV) certificates. An OV certificate is one of the ways that organizations can be validated for quality assurance through a formal and accredited process. Organization validation is a process of validating the identity of the root certificate authority, followed by a validation of the business or organization requesting the certificate.
  • Individual validation (IV) certificates. These are certificates that are issued to individuals -- not organizations -- making them popular choices among consumers, particularly for securing email.
  • Extended validation (EV) certificates. These certificates are issued after an extensive vetting process by both a CA and the CA's reputation partners. Under the EV guidelines established by the CA/Browser Forum, in addition to meeting the validity requirements, the applicant must submit proof of their identity, and the organization must pass an independent audit. The combination of these factors helps to provide an extra layer of trust in the identity of the site owner. Companies issuing EV certificates are also required to pass an independent audit.

While less common than server certificates, client certificates authenticate the identity of the user who wants to connect to a TLS service, rather than a device seeking a connection.

Email certificate. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for sending encrypted email. RSA Security created it to resolve the problem of sending encrypted email without the need to exchange a public key. It is commonly used within an organization that has its own CA.

EMV certificate. EMV payment cards have an embedded microchip containing a card issuer certificate. The embedded microchip enables the EMV payment card to generate a unique code for each transaction. EMV stands for Europay, MasterCard and Visa, the organizations that constitute the certificate authority.

Code-signing certificate. Code-signing certificates are used in software development and IT operations to digitally sign the software or firmware of an application or device. This provides recipients with assurance about who created the code and the integrity of the code.

(Video) What is Public Key Infrastructure (PKI) by Securemetric

Root certificate. A root certificate is a digital certificate that is used to sign other digital certificates. It is sometimes referred to as a trust anchor because it is at the top of a hierarchy of digital certificates that are used to verify other digital certificates. The hierarchy starts with a root certificate, which is the highest level of certificate. The root certificate is verified by a second-level certificate, which is verified by a third-level certificate, and so on.

Intermediate certificate. The intermediate certificate is used to sign other certificates and is best used as a bridge between a root CA and a subordinate CA. An intermediate certificate is used to sign end-user certificates that a website or a local server uses. The root certificates verify the identity of the intermediate certificate, which in turn verifies the end-user certificates.

Leaf certificate. A leaf certificate, or an end entity, is the endpoint for the signing and encrypting of data and cannot be used to sign other certificates. These include TLS/SSL, email and code-signing certificates.

Self-signed certificate. A self-signed certificate is a certificate that is signed by the same entity to whom it is assigned. Most certificates can be self-signed and are verified by their own public key. They are not signed by a CA, which means they might be perceived as less trustworthy.

Advantages and disadvantages of public key certificates

The main advantage of using public key certificates is that they enable secure authentication. The integrity of the public key certificate is guaranteed by the CA. Further, this type of certificate prevents man-in-the-middle attacks, which occur when a malicious third party intercepts the communication between two entities and relays the message between them. Lastly, public key certificates are supported by many enterprise networks and applications, and the process is transparent and efficient.

(Video) Digital Signatures

The biggest disadvantage of public key certificates is a lack of control over the encryption key. This means that if the certificate is compromised, it cannot be revoked. Someone could hack into the server to steal the certificate and use the public key in the certificate to decrypt any information that was encrypted with the public key. A fraudulent root certificate can be installed, and a browser does not provide warning when a web certificate is changed.

Before buying a digital certificate, review this buyer's handbook to learn how they work, which features are a must and how to evaluate the available options.

This was last updated in June 2021

Continue Reading About public key certificate

  • How to use a public key and private key in digital signatures
  • PKI authentication explained: The basics for IT administrators
  • Updating TLS? Use cryptographic entropy for more secure keys
  • Domain validation certificates: What are the security issues?
  • What does a Windows 10 digital certificate do?

Related Terms

segregation of duties (SoD)
Segregation of duties (SoD) is an internal control designed to prevent error and fraud by ensuring that at least two individuals ... Seecompletedefinition
software-defined perimeter (SDP)
A software-defined perimeter, or SDP, is a security technique that controls access to resources based on identity and forms a ... Seecompletedefinition
tailgating (piggybacking)
Tailgating, sometimes referred to as piggybacking, is a type of physical security breach in which an unauthorized person follows ... Seecompletedefinition

Dig Deeper on Identity and access management

  • X.509 certificateBy: AlexanderGillis
  • 3 types of PKI certificates and their use casesBy: IsabellaHarford
  • registration authority (RA)By: AndrewFroehlich
  • digital certificateBy: MaryShacklett


What is the purpose of a public key certificate? ›

A public key certificate can be thought of as the digital equivalent of a passport. It is issued by a trusted organization and provides identification for the bearer. A trusted organization that issues public key certificates is known as a Certificate Authority (CA). The CA can be likened to a notary public.

Where is public key in certificate? ›

Public key is embedded in the SSL certificate and Private key is stored on the server and kept secret. When a site visitor fills out a form with personal information and submits it to the server, the information gets encrypted with the public key to protect if from eavesdropping.

Is a public key the same as a certificate? ›

The owner of the key pair makes the public key available to anyone, but keeps the private key secret. A certificate verifies that an entity is the owner of a particular public key.

WHO issues public key certificate? ›

The India PKI is a hierarchical PKI with the trust chain starting from the Root Certifying Authority of India (RCAI). Below RCAI there are Certifying Authorities (CAs) licensed by CCA to issue Digital Signature Certificates. CAs can be private sector companies, Government departments, public sector companies.

What are the 3 types of certificates? ›

There are three recognized categories of SSL certificate authentication types: Extended Validation (EV) Organization Validation (OV) Domain Validation (DV)

What is meant by public key? ›

In cryptography, a public key is a large numerical value that is used to encrypt data. The key can be generated by a software program, but more often, it is provided by a trusted, designated authority and made available to everyone through a publicly accessible repository or directory.

How do I know if my certificate is public or private? ›

In the Certificate windows that appears, you should see a note with a key symbol underneath the Valid from field that says, "You have a private key that corresponds to this certificate." If you do not see this, then your private key is not attached to this certificate, indicating a certificate installation issue.

How do I download a public key certificate? ›

Choose the Public key tab. To copy the public key to your clipboard, choose Copy. To download the public key to a file, choose Download.

What is a public key certificate and how are they distributed? ›

A Public Key is a cryptographic key that can be distributed to the public and does not require secure storage. Messages encrypted by the public key can only be decrypted by the corresponding private key.

Can two certificates have same public key? ›

1 Answer. Show activity on this post. Odds are, if it's the same public key, yes it is the same certificate.

How do public certificates work? ›

The certificate is signed by the Issuing Certificate authority, and this it what guarantees the keys. Now when someone wants your public keys, you send them the certificate, they verify the signature on the certificate, and if it verifies, then they can trust your keys.

What do you do with a public key? ›

Once the sender has the public key, he uses it to encrypt his message. Together, these keys help to ensure the security of the exchanged data. A message encrypted with the public key cannot be decrypted without using the corresponding private key.

What is difference between public and private key? ›

To conclude, private keys can be used for both encryption and decryption, while Public keys are used only for the purpose of encrypting the sensitive data. Private keys are shared between the sender and the receiver, whereas public keys can be freely circulated among multiple users.

How do I find my public access key? ›

To generate an SSH private/public key pair for your use, you can use the ssh-keygen command-line utility. You can run the ssh-keygen command from the command line to generate an SSH private/public key pair. If you are using Windows, by default you may not have access to the ssh-keygen command.

How do I find my public keystore key? ›

To obtain the public key from the Android Keystore use java. security. KeyStore#getCertificate(String) and then Certificate#getPublicKey() . To help obtain algorithm-specific public parameters of key pairs stored in the Android Keystore, its private keys implement java.

How can I get public key and private key from certificate? ›

How to Extract the Private and Public Key From pfx File
  1. Extract the key-pair. #openssl pkcs12 -in sample.pfx -nocerts -nodes -out sample.key.
  2. Get the Private Key from the key-pair. ...
  3. Get the Public Key from key pair. ...
  4. Need to do some modification to the private key -> to pkcs8 format. ...
  5. Get those files.


1. Digital Signatures and Digital Certificates
(Computer Science)
2. Public Key Distribution - Public Key Authority and Public Key Certificate
(Lectures by Shreedarshan K)
3. Public Key Infrastructure - SY0-601 CompTIA Security+ : 3.9
(Professor Messer)
4. Why digital certificate?
(Sunny Classroom)
5. What is PKI? Public Key Infrastructure
6. What are Digital Signatures? - Computerphile

Top Articles

Latest Posts

Article information

Author: Stevie Stamm

Last Updated: 12/24/2022

Views: 5425

Rating: 5 / 5 (60 voted)

Reviews: 83% of readers found this page helpful

Author information

Name: Stevie Stamm

Birthday: 1996-06-22

Address: Apt. 419 4200 Sipes Estate, East Delmerview, WY 05617

Phone: +342332224300

Job: Future Advertising Analyst

Hobby: Leather crafting, Puzzles, Leather crafting, scrapbook, Urban exploration, Cabaret, Skateboarding

Introduction: My name is Stevie Stamm, I am a colorful, sparkling, splendid, vast, open, hilarious, tender person who loves writing and wants to share my knowledge and understanding with you.