
Basic concepts on digital certificates and PKI

  • What is Public Key Cryptography?
    • Public Key Cryptography is the encryption technology in which encryption and decryption are performed by separate but mathematically related keys, one of which is kept private and one of which is made public. This encryption technology is the basis of Public Key Infrastructure (PKI).

  • What are public and private keys?
    • The asymmetric cryptography on which PKI is based employs a key pair in which whatever is enciphered with one key can only be deciphered with the other, and vice versa. One of these keys is "public" and is contained in the electronic certificate, whilst the other is "private" and is known only to the certificate subscriber and, when appropriate, to the Key Archive.

  • What is a Public Key Infrastructure (PKI)?
    • A Public Key Infrastructure (PKI) is a technology, together with the relevant operational, registration, revocation and other certificate management procedures. It is used to assure the security and protection of electronic communications and of data stored electronically, by means of the use of pairs of public and private keys. Public keys are digitally signed by a third party known as a Certification Authority (CA). The resulting signed public key is known as a digital certificate, which contains the public key and relevant information about the public key holder (the owner).

  • Why is PKI based on trust?
    • PKI provides the critical element of "trust" in electronic transactions as well as communications. It provides a means for relying parties to know that another individual's or entity's public key actually belongs to that individual/entity. Certification Authority organisations have been established to address this need.

  • What are the major elements of a PKI?
    • The major components of a PKI are the following:

      1. Certification Authority
      2. Digital certificates
      3. Public & private key pairs
      4. Certificate Policy (CP)
      5. Certification Practices Statement (CPS)
  • What is a Certification Authority (CA)?
    • A Certification Authority is a trusted third party that verifies the identity of an entity registering for a digital certificate. Once a Certification Authority authenticates the requesting entity's identity, it issues a digital certificate to the requesting entity binding his or her identity to a public key.

  • Is there any difference between a Certification Authority (CA) and a Certification Service Provider (CSP)?
    • Generally speaking, both terms are used interchangeably to denote an issuer of digital certificates.

  • What is a Registration Authority (RA)?
    • A Registration Authority (RA) is an entity that is trusted by the Certification Authority to register or vouch for the identity of users to a Certification Authority. An RA focuses on identifying and authenticating users; it does not sign or issue digital certificates. However, it is required to comply with preset standards for verifying a person’s identity.

  • What is a Certificate Revocation List (CRL)?
    • A Certificate Revocation List (CRL) is a list of certificates (or more specifically, a list of the serial numbers of the certificates) that have been revoked, and therefore should not be relied upon. The CRL is created and digitally signed by a Certification Authority.

  • What are the Certification Practice Statement (CPS) and the Certificate Policies (CPs) documents?
    • A Certification Practice Statement (CPS) is a document that describes how the Certification Authority manages the certificates it issues. It contains items such as the obligations of the Certification Authority, its liabilities and warranties, confidentiality policy, etc.

      The Certificate Policies (CPs) establish the applicable procedures to manage (issue, renew, revoke, suspend and activate) each type of certificate. They contain items such as the identification and authentication requirements, and details of what information will be contained in the certificates.

  • What is a digital certificate?
    • A digital certificate is an electronic document that is signed by a Certification Authority certifying the relationship between a public key and the identity of the public key holder. It also includes additional information such as the validity period, the location of issuer’s policies, revocation information, etc.

      Although, properly speaking, a digital certificate contains only a public key, the term “certificate” is often used to refer to the public/private key pair. For example, the expression "the user used a digital certificate to authenticate" is often used to describe that the user used her private key to authenticate, and the web server used the user’s certificate (public key) to validate her identity.

  • What is the difference between software and hardware digital certificates?
    • The key difference lies in where the digital certificate is kept: a hardware certificate is stored inside a physical token (e.g. a smart card or USB token), whereas a software certificate is stored in a software container, generally created by the operating system. This simple difference has further implications for the level of trust that can be achieved with one type or the other. The use of hardware certificates provides a higher level of trust.

  • Do digital certificates have a limited life time?
    • Yes, all digital certificates have an explicit start date and an explicit expiration date. Most applications check the validity period of a certificate each time the digital certificate is used.
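The Certification Authority, digital certificate, CRL and validity-period answers above, as one added worked example in Go (this is not code from the ESCB or from any PKI product): the CA side issues a self-signed CA certificate, an end-entity certificate with an explicit lifetime, and a CA-signed CRL; the relying-party side chains the certificate to the trusted CA, checks the validity period at a given time, and then refuses a serial number that appears on the CRL. All names, serial numbers and lifetimes are constructed, and Go 1.19 or later is assumed for x509.ParseRevocationList.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// Issue plays the CA: self-signed CA cert, end-entity cert (serial 42) for "alice", and a CRL listing serial `revoked`; all values constructed.
func Issue(now time.Time, revoked *big.Int) (ca, leaf *x509.Certificate, crlDER []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey))))
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), // explicit start and expiry dates
		KeyUsage: x509.KeyUsageDigitalSignature}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTpl, ca, &leafKey.PublicKey, caKey))))
	crlTpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked, RevocationTime: now}}}
	return ca, leaf, must(x509.CreateRevocationList(rand.Reader, crlTpl, ca, caKey))
}
// Check is the relying party: chain to the trusted CA and validity period at time `at`, then the CRL.
func Check(leaf, ca *x509.Certificate, crlDER []byte, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at}); err != nil {
		return err // untrusted issuer, or outside NotBefore..NotAfter
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return err // only a CRL signed by the CA may be relied upon
	}
	for _, rc := range crl.RevokedCertificates { // RevokedCertificateEntries from Go 1.21 on
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}
```

A CRL whose NextUpdate has passed should be refetched before it is relied upon; that freshness check is left out of Check for brevity.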

  • What is an Electronic Signature?
    • An electronic signature is data in electronic form which are attached to or logically associated with other electronic data and which serves as a method of authentication.

  • What is an Advanced Electronic Signature?
    • An Advanced Electronic Signature is an electronic signature which meets the following requirements:

      1. It is uniquely linked to the signatory;
      2. It is capable of identifying the signatory;
      3. It is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
      4. It is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
  • What is a Qualified Certificate for Electronic Signature?
    • Regulation (EU) No 910/2014 governs the implementation and recognition of electronic signatures within the European Union. The Regulation stipulates that a Qualified Certificate for Electronic Signature shall contain:

      1. an indication, at least in a form suitable for automated processing, that the certificate has been issued as a qualified certificate for electronic signature;
      2. a set of data unambiguously representing the qualified trust service provider issuing the qualified certificates including at least, the Member State in which that provider is established and:

        —for a legal person: the name and, where applicable, registration number as stated in the official records;

        —for a natural person: the person’s name;

      3. at least the name of the signatory, or a pseudonym; if a pseudonym is used, it shall be clearly indicated;
      4. electronic signature validation data that corresponds to the electronic signature creation data;
      5. details of the beginning and end of the certificate’s period of validity;
      6. the certificate identity code, which must be unique for the qualified trust service provider;
      7. the advanced electronic signature or advanced electronic seal of the issuing qualified trust service provider;
      8. the location where the certificate supporting the advanced electronic signature or advanced electronic seal referred to in point (g) (item 7 above) is available free of charge;
      9. the location of the services that can be used to enquire about the validity status of the qualified certificate;
      10. where the electronic signature creation data related to the electronic signature validation data is located in a qualified electronic signature creation device, an appropriate indication of this, at least in a form suitable for automated processing.
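Points 1 and 10 above require indications "in a form suitable for automated processing"; in practice these are carried in the certificate's QcStatements extension. As an added example that is not part of this page or of the ESCB PKI, the Go code below parses that extension on the relying-party side and reports whether both indications are present. The OIDs are taken from ETSI EN 319 412-5, which the page does not cite, and the sample extension is constructed for the test.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
)

// OIDs from ETSI EN 319 412-5 (not given on this page): the qcStatements certificate extension and
// the two statements that carry the machine-readable indications of points 1 and 10 above.
var (
	oidQcStatements = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3}
	oidQcCompliance = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 1} // issued as an EU qualified certificate
	oidQcSSCD       = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 4} // private key held in a qualified creation device
)

// qcStatement mirrors the ASN.1: QCStatement ::= SEQUENCE { statementId OID, statementInfo ANY OPTIONAL }.
type qcStatement struct {
	ID   asn1.ObjectIdentifier
	Info asn1.RawValue `asn1:"optional"`
}

// QcIndicators scans a certificate's extensions (x509.Certificate.Extensions); a malformed extension is an error, not a silent "no".
func QcIndicators(exts []pkix.Extension) (qualified, sscd bool, err error) {
	for _, e := range exts {
		if !e.Id.Equal(oidQcStatements) {
			continue
		}
		var stmts []qcStatement
		rest, perr := asn1.Unmarshal(e.Value, &stmts)
		if perr != nil || len(rest) != 0 {
			return false, false, errors.New("malformed qcStatements extension")
		}
		for _, s := range stmts {
			qualified = qualified || s.ID.Equal(oidQcCompliance)
			sscd = sscd || s.ID.Equal(oidQcSSCD)
		}
	}
	return qualified, sscd, nil
}

// QcExtension builds the DER-encoded extension an issuing CA would include (constructed sample data for the test).
func QcExtension(ids ...asn1.ObjectIdentifier) pkix.Extension {
	stmts := make([]qcStatement, 0, len(ids))
	for _, id := range ids {
		stmts = append(stmts, qcStatement{ID: id})
	}
	v, _ := asn1.Marshal(stmts)
	return pkix.Extension{Id: oidQcStatements, Value: v}
}
```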
  • Regulations related with digital certificates
    • Legal and regulatory issues are of the utmost importance in the implementation of a PKI. The most relevant is Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014, commonly known as the eIDAS (electronic IDentification, Authentication and trust Services) Regulation.

© European System of Central Banks. All rights reserved