Digital Certificates: What Are They, and What Are They Doing in My Browser?

• 08/12/02

Digital certificates provide a means to authenticate individuals and secure communications on campus. CREN now offers an easy way for institutions to learn about and deploy this powerful technology.

Did you know that you have a cache of digital certificates in your Web browser? In fact, you probably have more than 60 digital certificates that come preinstalled in the Netscape and Internet Explorer browsers. These certificates are from vendors such as VeriSign, Entrust, and Baltimore. Your Web browser uses them to access Web sites—without your even being aware of the presence of the certificates.

Digital Certificates versus Electronic Signatures

In 2000, the 106th Congress passed Bill S. 761, the Electronic Signatures in National and Global Commerce Act (see http://thomas.loc.gov). By passing this act, Congress launched a new age for the use of digital technologies for authentication and authorization. For example, this act authorized businesses—and the government—to operate on an electronic basis, enabling important documents to become legally binding with the use of a digital signature.

The act left the definition of an electronic signature deliberately ambiguous. Some applications interpret a digital signature as being a digital image of one’s penned signature, the signature you provide as you sign for credit card purchases in department stores. Another set of technologies for electronic signatures create digital certificates that are issued by a trusted organization that is part of a public key infrastructure (PKI).

Public Key Infrastructures and Certificate Authorities

Digital certificates are the core of a public key infrastructure (PKI). A PKI includes organizations called certification authorities that issue, manage, and revoke digital certificates; organizations called relying parties who use the certificates as indicators of authentication; and clients who request, manage, and use certificates. Examples of certification authorities include VeriSign, a well-known commercial provider, and the CREN Certificate Authority that is available for higher education institutions.

Types of Certificates

It is easy to get confused about digital certificates, as there are different types of certificates, each with different functions. It helps to differentiate among at least four types of certificates. You can see samples of some of these different types of certificates in your browser.

• Root or authority certificates. These are self-signed certificates that create the base (or root) of a certification authority, such as Thawte, or CREN.
  
  
• Institutional certificates. These certificates are also called campus certificates. They are signed by a third party verifying the authenticity of a campus authority. Campuses then use their “authority” to issue client certificates for faculty, staff, and students.
  
  
• Client certificates. These are also known as end-entity certificates, individual certificates, or personal certificates.
  
  
• Web server certificates. These certificates are used to secure Web communications to and from servers and are also called server-side certificates.

Digital Certificates in Higher Education

The broadest use of digital certificates on campuses is Web server certificates. These certificates enable the encrypting of communications to and from Web servers to protect sensitive personal information, such as credit card and other financial or health information.

Individuals use digital certificates for two main purposes: (1) to authenticate themselves to a Web service or to a network resource and (2) to sign and, if desired, to encrypt e-mail. For example, higher education institutions are designing campus systems to use digital certificates for authenticating individuals for Web services such as updating personal information files; for viewing grades and financial status; for course registrations, residence lotteries, business services, and voting; and for remote access to resources, such as class material or health services. Electronic mail for general use as well as for the submission of timesheets, travel reports, and service orders is another application which benefits greatly by the use of PKI and the more approachable PKI-Lite.

The added value of digital certificates is that they provide a higher level of security than what we currently have with PIN and password combinations. Users still use passwords, but in combination with the digital certificates. So, if one loses the device on which a digital certificate is stored, a person who might obtain the certificate would also need the password in order to use the certificate. Digital certificate technologies also support the desire on many campuses to create single sign-on authentication and authorization systems that reduce the need for the multiple sign-ons (and password combinations) that are inevitably hard to manage. With just a little experience, users can easily manage their digital certificates within their browser or with another application.

Getting Started with Digital Certificates

Digital certificates within the PKI infrastructure are a broadly enabling technology. This means that once the technology is deployed, it is usually widely adopted. Some of the campuses that are deploying digital certificates include Columbia, MIT, and the University of Texas-Houston. Other institutions that are planning for deployment include the University of Minnesota, Dartmouth, Georgia Tech, and the University of California system.

As PKI is a comprehensive technology, use of client digital certificates on campus is usually not for only one or two applications. Institutionalizing the use of digital certificates on campus for faculty, staff, and students in general is done at the central IT level.

How Do Digital Certificates Work?

Digital certificates have been described as virtual credit cards. This is a useful analogy. Here are some of the ways that digital certificates and credit cards really are the same: Both credit cards and client digital certificates contain information about you, such as your name and information about the organization that issued the certificate or card to you.

Credit card organizations generally “validate” you to ensure that you can be trusted to be financially responsible. Similarly, campus organizations generally issue institutional identity cards, after ensuring or validating that you are a bona fide student, faculty, or staff member. In PKI terms, this is called the registration process—verifying that you are you, after which the campus organization would approve a digital certificate to be issued to you.

Similar to a credit card, once a digital certificate is issued, it should be managed with care. How is this done? In creating digital certificates an application generates a unique key pair that contains two parts, a public key and a private key. Then the certification authority—generally on your campus—creates a digital certificate by wrapping information about you and the organization around that public key and signing it.

In PKI terms, the public key for an individual is put into a digital document that is signed by the organization’s certification authority. It is the private key portion of the original key pair that must be securely managed. As the private key is a long set of alphanumeric characters, it is not something an individual memorizes; rather, the private key must be stored on some device, such as a laptop computer, PDA, or USB key ring.

To see an actual certificate, you can go to www.cren.net/crenca/caeventarpages/new_root.html. This is the root certificate of the CREN CA. A root authority certificate is a special kind of certificate that is self-signed and often serves as the root of a hierarchy of other certificate authorities within a community. When a certificate is self-signed, it means that the name in the Issuer field is the same as the name in the Subject Field.

PKI-Lite for Higher Education Community

Members of the higher education information technology community announced the creation of the PKI-Lite trust environment in late 2001. The PKI-Lite trust environment is designed to lower the barriers for the deployment of digital certificates on campuses. PKI and digital certificates can fairly easily bring improved security to campus communications and services. However, the PKI trust environment for financial purposes and some federal government applications had made PKI—in only one flavor—costly and complex to deploy. The PKI-Lite trust environment was developed as a means of supporting the use of digital certificates on campuses by matching the majority of campus application needs to the corresponding security and risk requirements.

PKI-Lite is full-featured PKI technology deployed with existing campus standards for identification and authentication (I & A) and security. The PKI-Lite trust environment was developed by the Higher Education PKI Technical Activities Group (HEPKI-TAG) and the Higher Education PKI Policy Activities Group (HEPKI-PAG). The PKI-Lite environment depends on the following three trust documents:

• A combination Certificate Policy and Certificate Practice Statement. This combined CP/CPS describes the recommended best practices for a campus certificate authority to use for the PKI-Lite environment.
  
  
• A recommended profile for the x.509 v3 PKI-Lite certificates.
  
  
• A relying party statement for organizations that will rely on the authenticity of certificates issued in the PKI-Lite trust environment.

The documents listed above are available at www.cren.net/crenca/pkiresources/index.html. Also on that page is a link to the Guide to Getting Started With Digital Certificates as well as a number of other useful PKI and digital certificate knowledge resources.

The CREN Digital Certificate Services

CREN currently offers an expanded set of certificate authority services to higher education institutions.

• CREN-signed campus certificates for institutions. These CREN-signed certificates are for institutions issuing certificates for their campus community—in the range of 10 or more Web server certificates and for more than 500-1,000 client certificates.
  
  
• CREN Web server certificates. These certificates are for campuses to use for securing Web servers, supporting a range of campus Web applications.
  
  
• Client certificates. CREN has an internal CREN.NET service equivalent to a campus certificate-issuing application. A registration contact at a campus validates/approves individuals and CREN issues the certificates. These certificates can be used to communicate with vendors, agencies, and so on.

With these three levels of service—including the free test certificates—CREN can help campuses get started using digital certificates at a level matching their particular campus needs. More detailed descriptions of each of these CREN CA Digital Certificate Services, along with an opportunity to try out a digital certificate, can be found at www.cren.net/crenca.

The CREN Test CA Demonstration Site allows users to generate and experiment with digital certificates.