Digital Certificates: What Are They, and What Are They Doing in My Browser?
Digital certificates provide a means to authenticate individuals and secure
communications on campus. CREN now offers an easy way for institutions to learn
about and deploy this powerful technology.
Did you know that you have a cache of digital certificates in your Web browser?
In fact, you probably have more than 60 digital certificates that come preinstalled
in the Netscape and Internet Explorer browsers. These certificates are from
vendors such as VeriSign, Entrust, and Baltimore. Your Web browser uses them
to access Web sites—without your even being aware of the presence of the
Digital Certificates versus Electronic Signatures
In 2000, the 106th Congress passed S. 761, the Electronic Signatures in
Global and National Commerce Act (see http://thomas.loc.gov).
By passing this act, Congress launched a new age for the use of digital technologies
for authentication and authorization. For example, this act authorized businesses—and
the government—to operate on an electronic basis, enabling important documents
to become legally binding with the use of a digital signature.
The act deliberately left the definition of an electronic signature broad and
technology-neutral. Some applications treat an electronic signature as simply a
digital image of one's penned signature, like the signature you provide when you
sign for credit card purchases in department stores. A different set of
technologies implements electronic signatures with digital certificates issued
by a trusted organization that is part of a public key infrastructure (PKI).
Public Key Infrastructures and Certificate Authorities
Digital certificates are the core of a public key infrastructure (PKI). A PKI
includes organizations called certification authorities that issue, manage,
and revoke digital certificates; organizations called relying parties who use
the certificates as indicators of authentication; and clients who request, manage,
and use certificates. Examples of certification authorities include VeriSign,
a well-known commercial provider, and the CREN Certificate Authority that is
available for higher education institutions.
Types of Certificates
It is easy to get confused about digital certificates, as there are different
types of certificates, each with different functions. It helps to differentiate
among at least four types of certificates. You can see samples of some of these
different types of certificates in your browser.
- Root or authority certificates. These are self-signed certificates that
create the base (or root) of a certification authority, such as Thawte, or
- Institutional certificates. These certificates are also called campus certificates.
They are signed by a higher-level certification authority (such as CREN) that
has verified the campus authority. Campuses then use their "authority" to issue
client certificates for faculty, staff, and students.
- Client certificates. These are also known as end-entity certificates, individual
certificates, or personal certificates.
- Web server certificates. These certificates are used to secure Web communications
to and from servers and are also called server-side certificates.
Digital Certificates in Higher Education
The broadest use of digital certificates on campuses is Web server certificates.
These certificates enable the encrypting of communications to and from Web servers
to protect sensitive personal information, such as credit card and other financial
or health information.
Individuals use digital certificates for two main purposes: (1) to authenticate
themselves to a Web service or to a network resource and (2) to sign and, if
desired, to encrypt e-mail. For example, higher education institutions are designing
campus systems to use digital certificates for authenticating individuals for
Web services such as updating personal information files; for viewing grades
and financial status; for course registrations, residence lotteries, business
services, and voting; and for remote access to resources, such as class material
or health services. Electronic mail, for general use as well as for the submission
of timesheets, travel reports, and service orders, is another application that
benefits greatly from the use of PKI and the more approachable PKI-Lite.
The added value of digital certificates is that they provide a higher level
of security than PIN and password combinations alone. Users still use a password,
but it now protects the private key that goes with the certificate rather than
serving as the credential itself. So, if one loses the device on which a certificate
and its private key are stored, a person who obtains the device would also need
the password to unlock the private key before the certificate could be used.
Digital certificate technologies also support the desire on many campuses to
create single sign-on authentication and authorization systems that reduce the
need for the multiple sign-ons (and password combinations) that are inevitably
hard to manage. With just a little experience, users can easily manage their
digital certificates within their browser or with another application.
Getting Started with Digital Certificates
Digital certificates within the PKI infrastructure are a broadly enabling technology.
This means that once the technology is deployed, it is usually widely adopted.
Some of the campuses that are deploying digital certificates include Columbia,
MIT, and the University of Texas-Houston. Other institutions that are planning
for deployment include the University of Minnesota, Dartmouth, Georgia Tech,
and the University of California system.
As PKI is a comprehensive technology, use of client digital certificates on
campus is usually not for only one or two applications. Institutionalizing the
use of digital certificates on campus for faculty, staff, and students in general
is done at the central IT level.
How Do Digital Certificates Work?
Digital certificates have been described as virtual credit cards, and the
analogy is a useful one. To start with, both credit cards and client digital
certificates contain information about you, such as your name, and information
about the organization that issued the certificate or card to you.
Credit card organizations generally “validate” you to ensure that
you can be trusted to be financially responsible. Similarly, campus organizations
generally issue institutional identity cards, after ensuring or validating that
you are a bona fide student, faculty, or staff member. In PKI terms, this is
called the registration process—verifying that you are you, after which
the campus organization would approve a digital certificate to be issued to
Similar to a credit card, once a digital certificate is issued, it should be
managed with care. How is this done? When a digital certificate is requested, an
application on your computer (typically your browser) generates a unique key pair
with two parts, a public key and a private key. The public key is sent to the
certification authority, generally on your campus, which creates the digital
certificate by wrapping information about you and the organization around that
public key and signing the result with the authority's own private key.
In PKI terms, the public key for an individual is put into a digital document
that is signed by the organization's certification authority. It is the
private key portion of the original key pair that must be securely managed and
must never leave your control. As the private key is a long random value, it is
not something an individual memorizes; rather, it must be stored on some device,
such as a laptop computer, PDA, or USB key ring, ideally encrypted under a password.
To see an actual certificate, you can go to www.cren.net/crenca/caeventarpages/new_root.html.
This is the root certificate of the CREN CA. A root authority certificate is
a special kind of certificate that is self-signed and often serves as the root
of a hierarchy of other certificate authorities within a community. When a certificate
is self-signed, the name in the Issuer field is the same as the name in the
Subject field, and the signature on the certificate verifies with the public key
contained in that same certificate. Because nobody else vouches for a root
certificate, it is trusted only because it has been installed in a browser or
application as a trust anchor, which is why the preinstalled authority
certificates in your browser matter.
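The key-pair, signing, and self-signed-root concepts above can be made concrete with OpenSSL. The script below is an added example, not code from the CREN article or from the CREN CA: it builds a throwaway two-level hierarchy (a self-signed "Example Campus Root CA" and a client certificate for a made-up user "alice"), then checks which certificate is self-signed by comparing Issuer and Subject and verifies that the client certificate chains to the root. All names and e-mail addresses are invented, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not the article's or CREN's code). Organization and user names
# below are made up; the script assumes a working `openssl` binary.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Root CA: generate a key pair and a self-signed certificate.
#    "-x509" tells req to emit a certificate (signed with its own key) instead of a CSR.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Example Campus/CN=Example Campus Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# 2. Client: the key pair is generated locally. Only the public key (inside the
#    certificate signing request) is sent to the CA; alice.key never leaves this host.
make_client_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Campus/CN=alice/emailAddress=alice@example.edu" \
        -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null
}

# 3. CA: wrap the subject's public key and identity in a certificate and sign it
#    with the root's private key.
sign_client() {
    openssl x509 -req -in "$WORK/alice.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -days 30 -sha256 -out "$WORK/alice.crt" 2>/dev/null
}

# Print "self-signed" when Issuer and Subject of the given certificate match,
# otherwise "ca-signed". This is only a naming check; see verify_client for
# the cryptographic check a relying party actually performs.
signing_kind() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    if [ "$issuer" = "$subject" ]; then
        echo self-signed
    else
        echo ca-signed
    fi
}

# Relying-party check: does the client certificate chain to the trusted root?
# Prints OK or FAIL.
verify_client() {
    if openssl verify -CAfile "$WORK/root.crt" "$WORK/alice.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

make_root
make_client_csr
sign_client
echo "root:  $(signing_kind "$WORK/root.crt")"
echo "alice: $(signing_kind "$WORK/alice.crt")"
echo "chain: $(verify_client)"
```

Note the division of labour: the root key signs other certificates and is the asset an attacker would most like to steal, the client key never leaves the requester's machine, and `openssl verify` is the relying party's step, trusting the root only because it was explicitly passed in with `-CAfile`, just as a browser trusts only the authority certificates installed in its store.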
PKI-Lite for Higher Education Community
Members of the higher education information technology community announced
the creation of the PKI-Lite trust environment in late 2001. The PKI-Lite trust
environment is designed to lower the barriers for the deployment of digital
certificates on campuses. PKI and digital certificates can fairly easily bring
improved security to campus communications and services. However, the trust
environment built for financial purposes and some federal government applications
had made PKI, when offered in only that one flavor, costly and complex to deploy. The
PKI-Lite trust environment was developed as a means of supporting the use of
digital certificates on campuses by matching the majority of campus application
needs to the corresponding security and risk requirements.
PKI-Lite is full-featured PKI technology deployed with existing campus standards
for identification and authentication (I & A) and security. The PKI-Lite
trust environment was developed by the Higher Education PKI Technical Activities
Group (HEPKI-TAG) and the Higher Education PKI Policy Activities Group (HEPKI-PAG).
The PKI-Lite environment depends on the following three trust documents:
- A combination Certificate Policy and Certificate Practice Statement. This
combined CP/CPS describes the recommended best practices for a campus certificate
authority to use for the PKI-Lite environment.
- A recommended profile for the X.509 v3 PKI-Lite certificates.
- A relying party statement for organizations that will rely on the authenticity
of certificates issued in the PKI-Lite trust environment.
The documents listed above are available at www.cren.net/crenca/pkiresources/index.html.
Also on that page is a link to the Guide to Getting Started With Digital Certificates
as well as a number of other useful PKI and digital certificate knowledge resources.
The CREN Digital Certificate Services
CREN currently offers an expanded set of certificate authority services to
higher education institutions.
- CREN-signed campus certificates for institutions. These CREN-signed certificates
are for institutions issuing certificates for their campus community—in
the range of 10 or more Web server certificates and for more than 500-1,000
- CREN Web server certificates. These certificates are for campuses to use
for securing Web servers, supporting a range of campus Web applications.
- Client certificates. CREN has an internal CREN.NET service equivalent to
a campus certificate-issuing application. A registration contact at a campus
validates/approves individuals and CREN issues the certificates. These certificates
can be used to communicate with vendors, agencies, and so on.
With these three levels of service—including the free test certificates—CREN
can help campuses get started using digital certificates at a level matching
their particular campus needs. More detailed descriptions of each of these CREN
CA Digital Certificate Services, along with an opportunity to try out a digital
certificate, can be found at www.cren.net/crenca.
To see the certificates in your browser, including some you may have unwittingly
installed yourself, go to the Preferences menu in Netscape/Windows, and from the
Privacy and Security menu select the Certificates option. From there you can
manage the Authorities certificates that come preinstalled in your browser and
also manage your personal certificates. You can view, edit privileges, or even
delete certificates.
You can also view and manage certificates within Internet Explorer/Windows by
selecting Internet Options from the Tools menu and then choosing Content. Then,
by selecting Certificates, you can manage your Trusted Root Certificates as well
as your personal certificates. In Netscape/Mac, just select the
Test Drive a Digital Certificate: The CREN Test CA Demonstration Site
technologies is always easier when you have personal experience with a
technology. The CREN Test Demonstration site is a place for members of
the higher education community to experience how digital certificates
work. The site issues personal client digital certificates for use in
testing, piloting, and educational uses.
Just go to http://www.cren.net/crenca/ctca/
and select “CREN Test CA”—the wizard will walk you through
the steps for obtaining your CREN-signed personal certificate and loading
it into your browser. When you’ve picked up the certificate, you
can play the classic game of asteroids to see how you can use your certificate
for access to Web resources. When you’re finished, please remember
to leave feedback by using your certificate to access the online questionnaire.
If you have any difficulty, simply e-mail firstname.lastname@example.org.
The CREN Test CA Demonstration
site was a collaborative project of John Douglass of Georgia Tech and
Michelle Gildea, Arya Parsee, and Jim Reynolds of CREN.
The CREN Test CA Demonstration Site allows users to generate and experiment with digital certificates.