What Certificates Are and How They Work

In the recent past I have realized that certificates are poorly understood. But accompany us in our everyday life. In the case of IT pros this is very unsettling because they are expected to handle them with ease.

The first and most important concept about certificates is that you need to be thinking about two pieces of information. The certificate is the public part and it always has a matching private key. You may or may not require both for your needs – but continue reading and find out.

The terms we use to refer to certificates are actually misleading because we do not differenciate between a certificate with or without a private key. We actually use the same term for both. But in fact it is the private key that makes all the difference.

Consider a web server certificate … this kind of certificate can only be used for securing communication with SSL if the web server is in possession of the private key – whereas the system accessing the web server only requires the certificate (without the private key) to talk to the server in a secure manner. In general terms, you require a certificate with a private key to provide a secure channel.

Certificate and private key

Well-known examples for using certificates include:

  1. Server certificates for TLS/SSL (as described above)
  2. Client certificates used for authenticating the client device
  3. EFS certificates to store encrypted files – access is limited to the users in possession of the certificate
  4. BTW, SmartCards also use certificates


Now that you have a general knowledge what a certificate is and does, let’s dive deeper and take a look what certificates really are. I will first introduce public key cryptography and afterwards show how it relates to certificates.

In cryptography, where are two types of encryption:

Symetric encryption

Asymetric encryption

Encryption and Signatures

The public and the private key are mathematically related. It all starts with the private key and the public key can be calculated from it. The public key can even be restored from the private key at any time. Data encrypted with one key can only be recovered by using the other key.

When the public key is used to encrypt data, only the private key can convert it back to plain text. Therefore, encryption always requires the public key of the recipient. After encryption only he can read the original data.

Public key encryption

By using the private key for encryption you generate a signature. It can be verified by anybody in possession of your public key but only you could have created the signature in the first place. The trick – when working with signatures – is that you do not have to encrypt the whole message. Instead you create a so-called hash value of the message and encrypt it with your private key. So everybody can check your signature by creating a the hash value of your message and comparing it to your decrypted hash value.

Public key signatures

A hash is a one-way function that produces a short, fixed-length representation from text of arbitrary length. The hash value is reproducible but not reversible so that it is impossible (or at least close to impossible) to retrieve the original message from a hash value.

Authenticity, Integrity and Privacy

Using public key cryptography enables you to build a secure communication channel in such a manner that

… the authenticity and integrity of exchanged messages is ensured by using signatures.

… the privacy of the contained information is assured.


So apparently, for public key encryption to work, you need to exchange public keys with communication partners.

A public key is something impersonal so that it is not possible to know whom it came from. Therefore it is necessary to maintain something like an address book for public keys. But working with public keys is also dangerous because it does not relate to a person in itself. By compromising your address book it is possible to exchange the public key for an entry. Since you place a lot of trust in your own address book you are fooled into believing that messages resulted from someone you know.

Therefore, the concept of certificates was created. A certificate combines a public key with identity information. The relation between a public key and the identity information is ensured by a public key signature. There are several ways how this can work out:

Pretty Good Privacy (PGP) and Gnu Privacy Guard (GPG) let users build a web of trust. So any participant can certify an identity and its corresponding public key by placing an additional signature on it. Therefore, you only need to have several very close friend to trust. Foreign public keys need to have signatures of someone close by or someone who is in your web of trust. There needs to be a chain of signatures between the public key oft he recipient and yourself. The web of trust is a community-based approach to certificates and requires a critical mass for foreign people to be connected.

Community based trusts

The more popular system which – for example – TLS/SSL is based on relies on the centralized certification of public keys and the corresponding identity information. There are – by comparison – only few entities trusted to sign public keys. Those are called Certificate Authorities (CAs). I will dive deeper into this concept in the next part of this series.

centralized trusts

As I will not cover PGP/GPG in detail, please refer to S/MIME for additional information about encryption and signatures for email-based communication.

Keys Take Aways

Read on in part 2 about certificate authorities, part 3 about requesting certificates, part 4 about format conversions and part 5 about common pitfalls when using certificates on Windows systems.

Feedback is always welcome! If you'd like to get in touch with me concerning the contents of this article, please use Twitter.