Show understanding of digital certification

Published by Patrick Mutisya · 14 days ago

Cambridge A-Level Computer Science 9618 – Encryption, Encryption Protocols and Digital Certificates

17.1 Encryption, Encryption Protocols and Digital Certificates

Objective

Show understanding of digital certification – what it is, why it is needed, how it works and how it is managed in practice.

What is a Digital Certificate?

A digital certificate is an electronic document that binds a public key to an entity (person, organisation or device) and is issued by a trusted third party called a Certificate Authority (CA). It provides:

  • Authentication – proves the identity of the holder.
  • Integrity – ensures the public key has not been altered.
  • Non‑repudiation – the holder cannot deny having used the key.

Key Components of a Public Key Infrastructure (PKI)

  1. Certificate Authority (CA) – issues, signs and revokes certificates.
  2. Registration Authority (RA) – verifies the identity of the applicant before the CA issues a certificate.
  3. Certificate Repository – stores issued certificates and revocation information.
  4. Certificate Revocation List (CRL) – a list of certificates that have been revoked before expiry.
  5. Online Certificate Status Protocol (OCSP) – provides real‑time status of a certificate.

Structure of a Digital Certificate

The most common format is X.509. The table below summarises the main fields.

| Field | Description |
|---|---|
| Version | Indicates the X.509 version (v1, v2, v3). v3 adds extensions. |
| Serial Number | Unique identifier assigned by the CA. |
| Signature Algorithm | Algorithm used by the CA to sign the certificate (e.g., SHA‑256 with RSA). |
| Issuer | Distinguished Name (DN) of the CA that issued the certificate. |
| Validity Period | Start and end dates/times for which the certificate is valid. |
| Subject | DN of the entity to which the certificate is issued. |
| Subject Public Key Info | Public key and algorithm belonging to the subject. |
| Extensions (v3 only) | Additional data such as Key Usage, Subject Alternative Name, CRL Distribution Points. |
| Signature Value | Digital signature created by the CA over the certificate contents. |

Certificate Lifecycle

  1. Key Pair Generation – The applicant creates a public/private key pair.
  2. Certificate Signing Request (CSR) – Contains the public key and subject details, signed with the applicant’s private key.
  3. Verification by RA – The RA checks the applicant’s identity.
  4. Certificate Issuance – CA signs the CSR, producing the digital certificate.
  5. Distribution – Certificate is installed on the server/device or sent to the client.
  6. Validation – During a connection, the peer validates the certificate chain and checks revocation status.
  7. Renewal or Revocation – Before expiry the certificate can be renewed; if compromised it is revoked.

How Validation Works – Example with HTTPS

When a web browser connects to an HTTPS site, the following steps occur:

  1. The server sends its X.509 certificate to the browser.
  2. The browser builds a certificate chain from the server’s certificate up to a trusted root CA.
  3. Each certificate in the chain is verified:

    $\text{VerifySignature}(C_i) = \text{Decrypt}_{\text{PublicKey}(C_{i+1})}(\text{Signature}(C_i))$

    where $C_i$ is a certificate and $C_{i+1}$ is its issuer.

  4. The browser checks the validity period and that the domain name matches the Subject Alternative Name.
  5. Revocation status is checked via CRL or OCSP.
  6. If all checks pass, the browser trusts the public key and proceeds with the TLS handshake.
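The validation steps above, as an added example that is not part of the original notes: a simplified Python model in which certificates are dictionaries and signatures use textbook RSA over constructed toy keys, not real X.509 parsing or a real CRL/OCSP query. The names `issue`, `validate`, `TRUST_STORE` and the sample subjects are assumptions made for illustration.

```python
import hashlib
from datetime import datetime

def make_key(p, q, e=65537):
    """Textbook RSA key (n, e, d) from two primes; toy-sized, no padding."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

FIELDS = ("subject", "issuer", "serial", "not_before", "not_after", "san", "pubkey")

def tbs_digest(cert, n):
    """SHA-256 over every field except the signature, reduced to fit the toy modulus."""
    data = repr([cert[f] for f in FIELDS]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(issuer, issuer_key, subject, serial, pubkey, san=()):
    """CA side: sign the certificate contents with the issuer's private exponent d."""
    n, _, d = issuer_key
    cert = dict(subject=subject, issuer=issuer, serial=serial, san=tuple(san), pubkey=pubkey,
                not_before=datetime(2025, 1, 1), not_after=datetime(2025, 4, 1))
    cert["signature"] = pow(tbs_digest(cert, n), d, n)
    return cert

def validate(chain, trust_store, hostname, revoked, now):
    """Browser side. chain[0] is the server certificate, chain[i+1] the issuer of chain[i]."""
    if hostname not in chain[0]["san"]:
        return "name mismatch"
    for i, cert in enumerate(chain):
        if not cert["not_before"] <= now <= cert["not_after"]:
            return "outside validity period"
        if (cert["issuer"], cert["serial"]) in revoked:  # stand-in for a CRL/OCSP lookup
            return "revoked"
        issuer = chain[i + 1] if i + 1 < len(chain) else trust_store.get(cert["issuer"])
        if issuer is None or issuer["subject"] != cert["issuer"]:
            return "untrusted issuer"
        n, e = issuer["pubkey"]
        # Decrypt the signature with the issuer's public key, compare with our own hash.
        if pow(cert["signature"], e, n) != tbs_digest(cert, n):
            return "bad signature"
    return "trusted"

# Constructed sample chain: root -> issuing CA -> server (Mersenne primes keep it short).
M = lambda k: 2**k - 1
ROOT_KEY, CA_KEY, SRV_KEY = make_key(M(89), M(127)), make_key(M(61), M(107)), make_key(M(61), M(89))
ROOT = issue("Example Root CA", ROOT_KEY, "Example Root CA", 1, ROOT_KEY[:2])
INTER = issue("Example Root CA", ROOT_KEY, "Example Issuing CA", 2, CA_KEY[:2])
LEAF = issue("Example Issuing CA", CA_KEY, "www.example.test", 3, SRV_KEY[:2], ["www.example.test"])
TRUST_STORE = {ROOT["subject"]: ROOT}
NOW = datetime(2025, 2, 1)

if __name__ == "__main__":
    print(validate([LEAF, INTER], TRUST_STORE, "www.example.test", set(), NOW))
```

Changing any signed field of a certificate after issuance, such as its public key or Subject Alternative Name, makes the recomputed hash differ from the decrypted signature, so `validate` reports "bad signature".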

Revocation Mechanisms

  • CRL (Certificate Revocation List) – Periodically downloaded list of revoked serial numbers.
  • OCSP (Online Certificate Status Protocol) – Real‑time query to an OCSP responder for a single certificate status.

Security Considerations

  • Private keys must be stored securely (hardware security modules, encrypted storage).
  • CA compromise undermines the entire trust model – root CA certificates are held in operating system or browser trust stores.
  • Certificate Transparency logs help detect mis‑issued certificates.
  • Shorter validity periods (e.g., 90 days) reduce exposure if a key is compromised.

Suggested diagram: Flow of a TLS handshake showing where the server certificate is presented and how the client validates the certificate chain, checks revocation via OCSP, and establishes a shared secret.

Key Terms Summary

| Term | Definition |
|---|---|
| Public Key Infrastructure (PKI) | Framework of policies, procedures and technologies to manage digital certificates and public‑key encryption. |
| Certificate Authority (CA) | Trusted entity that issues and signs digital certificates. |
| Certificate Signing Request (CSR) | Message sent by an applicant containing its public key and identity information, signed with its private key. |
| Chain of Trust | Sequence of certificates from the end‑entity certificate up to a trusted root CA. |
| Revocation | Process of invalidating a certificate before its expiry date. |
| OCSP | Protocol that provides real‑time certificate status checking. |

Practice Questions

  1. Explain why a digital certificate contains both the subject’s public key and the CA’s digital signature.
  2. Describe the steps a web browser takes to validate an HTTPS server certificate.
  3. Compare the advantages and disadvantages of using CRL versus OCSP for revocation checking.
  4. What could happen if a root CA’s private key is compromised? Suggest mitigation strategies.