X.509 Public Key Digital Certificates

An X.509 digital certificate is a document (file) containing identifying information about its subject (name, email address, DNS names, etc.) together with the subject’s public key. The information in this document is verified for accuracy and currency by a Registration Authority (RA), and the document is then digitally signed by a Certification Authority (CA) using the CA’s own private key.

Users of the certificate can validate its digital signature using the public key of the CA (which is readily available to anyone). Once the signature is verified, the certificate contents can be trusted, provided the certificate also passes the other checks that make up validation: it is within its validity period, it has not been revoked, and it chains to a CA the user actually trusts. It is similar to a passport or driver’s license issued by some authority.

Anyone can verify that this certificate is authentic (was really created by the named issuer) and intact (has not been tampered with in any way) because it is digitally signed. If you trust the issuer (e.g. DigiCert), you can trust the information in the certificate. Without certificates, it would be easy to be handed the wrong public key (the “public key substitution threat”). With certificates, if you do the appropriate checking (“validate” the cert) you can be assured that the public key is the one for the entity identified in the Subject Distinguished Name of the cert (for TLS server certificates, the name that clients actually match is the DNS name in the Subject Alternative Name extension, so a validator should check that too).
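The following Go program is an added example, not code from the original page. It builds the three parties described above in miniature using only Go’s standard library: a CA that signs a certificate over a subject’s public key, a validator that checks the signature with the CA’s public key and then runs full chain, validity-period and name validation, and two attacks the validator must reject: a certificate whose contents were altered after signing, and a certificate for the same name issued by a rogue CA holding a different key (the public key substitution threat). The CA names, the subject name and the DNS name `www.example.com` are invented for the example; the flipped byte is placed inside the Subject Alternative Name string so the DER still parses and only the signature check catches it.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a self-signed CA certificate and its private key.
// The private key signs certificates; the certificate carries the public key
// that relying parties use to check those signatures.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue has the CA sign an end-entity certificate binding cn and dns to subjectPub.
// Returns the DER-encoded certificate.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn, dns string, subjectPub *ecdsa.PublicKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{dns}, // Subject Alternative Name, what TLS clients match
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, subjectPub, caKey)
}

// validate is the relying party: it parses the DER, checks the signature with the
// trusted CA's public key, then runs chain, validity-window and DNS-name checks.
func validate(der []byte, trusted *x509.Certificate, expectedDNS string) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	if err := cert.CheckSignatureFrom(trusted); err != nil {
		return fmt.Errorf("signature: %w", err) // not authentic or not intact
	}
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedDNS})
	return err
}

// runScenarios returns the validation result for a genuine certificate, a tampered
// copy of it, and a certificate for the same name issued by an untrusted CA.
func runScenarios() (good, tampered, substituted error) {
	ca, caKey, err := newCA("Example Root CA") // assumed names throughout
	if err != nil {
		return err, err, err
	}
	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	der, err := issue(ca, caKey, "Example Server", "www.example.com", &serverKey.PublicKey)
	if err != nil {
		return err, err, err
	}
	good = validate(der, ca, "www.example.com")

	// Tamper with the signed contents: flip one bit inside the SAN string. ASN.1
	// lengths are unchanged, so the cert still parses, but the signature no longer matches.
	bad := append([]byte(nil), der...)
	if i := bytes.Index(bad, []byte("www.example.com")); i >= 0 {
		bad[i] ^= 0x01
	}
	tampered = validate(bad, ca, "www.example.com")

	// Substitution: a rogue CA issues a cert for the same name over an attacker's key.
	// It is well formed and self-consistent, but not signed by a CA we trust.
	rogue, rogueKey, err := newCA("Rogue CA")
	if err != nil {
		return good, tampered, err
	}
	attackerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return good, tampered, err
	}
	der2, err := issue(rogue, rogueKey, "Example Server", "www.example.com", &attackerKey.PublicKey)
	if err != nil {
		return good, tampered, err
	}
	substituted = validate(der2, ca, "www.example.com")
	return good, tampered, substituted
}

func main() {
	good, tampered, substituted := runScenarios()
	fmt.Println("genuine cert:   ", good)
	fmt.Println("tampered cert:  ", tampered)
	fmt.Println("rogue-CA cert:  ", substituted)
}
```

`CheckSignatureFrom` is the step the paragraph above describes (the CA’s public key over the signed portion of the certificate); `Verify` with a `DNSName` is the rest of what “validate the cert” has to mean in practice, since a correctly signed but expired certificate, or one issued for a different name, binds nothing useful.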