Buy a certificate now!
Contact us about Thawte certificates

The basics

FAQ Home : Home : On (Types of server certificate)



What is a digital certificate?

A digital certificate is a computer file which contains three pieces of information; the name (and perhaps other information) of the person or organisation to whom it refers, a public (cryptographic) key associated with that person or organisation, and a digital signature of a trusted organisation which links the two together.

You can think of a digital certificate as much like a driver's licence or a passport. The licence or passport contains a name and usually some other identifying information (a photo, a date of birth), asserts something about its holder (that they have the right to drive, citizenship of a particular country or the right to enter a country), and is issued by a trusted organisation (a government or one of its agencies... whether it is right to trust your government is a discussion for somewhere else). A digital certificate contains a name and usually some other identifying information (such as a company's location, and the name of their web server), asserts something about its holder (that it is acceptable to use the accompanying public key to communicate securely with the person or organisation to whom it was issued), and is issued by a trusted organisation (in this case, a certification authority such as Thawte).

What is a certification authority?

A certification authority is an organisation trusted by the browser manufacturers (and manufacturers/developers of other software) that issues digital certificates after verifying the identity of those to whom they are to be issued.

Certification authorities have to keep careful records of what has been issued and the information used to issue it, and are audited regularly to make sure that they are following defined procedures. Each certification authority should provide a Certification Practice Statement (CPS) which outlines what procedures will be followed to verify applications; Thawte's CPS can be found here.

What is a public key? What is a private key?

There are two main types of encryption systems in common use. One type is called a 'symmetric cryptosystem' or 'secret key cryptography'. The other type is called an 'asymmetric cryptosystem' or 'public key cryptography'.

When two people are trying to communicate using secret key cryptography, they use the same key to encrypt and decrypt the messages they send. That key has to be kept secret, as anyone with that key can read the messages which are sent. This can make life difficult; sending out a key and making sure nobody else could have taken a copy of it in transit is not easy.

Using public key cryptography makes managing the keys much easier. Instead of using one single key to encrypt and decrypt the messages, two keys are used which are mathematically related. One of them, the public key, is used to encrypt the messages, and the other one, the private key, is used to decrypt the messages. If you only have the public key, you can send an encrypted message but you can't decrypt it yourself - for that, you must have the private key. Because you don't have to send out the private key to anyone else, there's less risk that someone else will be able to steal it and read your encrypted messages.

Let's take an example. Alice and Bob (we're traditionalists here; in examples in cryptography, it is almost invariably Alice and Bob who are trying to communicate and Eve who is trying to listen in on their conversation) are planning a surprise birthday party for Eve, Bob's girlfriend. Eve thinks they're up to something and wants to listen in.

If Alice and Bob were using secret key cryptography, they'd have to make sure that they both had the same key first. Alice phoned Bob to tell him the key to use, and Eve was listening in on another phone (she obviously doesn't trust Bob). Now, if Eve can get a copy of any of the messages Alice and Bob exchange, she can read them, and she'll know all about the party.

But what happens if Alice and Bob are using public key cryptography? Alice can tell Bob her public key, and Bob can tell Alice his public key (note that each of them has their own key pair). They might even swap digital certificates containing their public key information. No matter what Eve does with those keys, she won't be able to read the messages that Alice and Bob exchange, because she doesn't have their private keys - the birthday party will remain a surprise.

Why is it important for me to back up my private key?

Without your private key, your public key (and therefore your digital certificate) is useless. It isn't possible to recover a private key if you only have the public key which it matches; this is why it's quite safe to give out your public key.

If you lose your private key, you won't be able to read encrypted messages sent to you. So if you have a personal certificate, you won't be able to read encrypted email; if you have a server certificate, your server won't be able to read encrypted traffic sent to it (most usually this will mean that it won't offer the option of a secure connection at all).

For most server certificates, the public and private keys are stored separately. For some server certificates, and most developer and personal certificates, the certificate and its private key are stored in one place. Either way, making backups is vital.

We never see your private key - we can't help you if you lose it!

Note also that the same applies if you have chosen a password to protect your private key on the server. We never see that password and we cannot help you if you lose it; if you've protected your key with a password or passphrase, the key will be useless if you cannot remember that password. Please make sure you keep a note of it in a safe (and secure) place.

What is an SSL certificate/a web server certificate?

A web server certificate - also just called an 'SSL certificate', for 'Secure Sockets Layer', one of the protocols used to exchange information securely online - is a digital certificate which contains some or all of the following information:

  • The name of the person or organisation to whom it has been issued (the Organisation field)
  • Optionally, the part of the organisation or the trading name to whom it has been issued (the Organisational Unit field)
  • The country in which the person or organisation is based
  • The state, province or county in which the person or organisation is based
  • The town or city in which the person or organisation is based
  • The name of the server to which the certificate will enable secure connections - e.g. secure.herald.co.uk (this is the Common Name field)

along with a public key for the person or organisation to whom the certificate has been issued. ('A' public key rather than 'the' public key, because an organisation might have many public keys used for different purposes, or on different servers.)

There are several different types of server certificate available from Thawte. They are discussed here.

Why would I want a server certificate?

Typically you would use a server certificate to enable secure traffic across the Internet (or an internal network) between a web browser and a web server. You might use this so that you can take financial information (such as credit card numbers) online; you might be taking other sensitive information, such as medical information, from clients. You might also use one to secure an email server, so that email can be exchanged securely to and from that server (but you can't use an server certificate to secure your personal email messages; for that you want a personal certificate).

Most types of server certificate will also prove that the server is associated with your organisation, so that people can be confident that they are sending their data to the right place.

What is a developer certificate?

A developer certificate is a digital certificate which can be used for signing pieces of code, macros, or other downloadable content. Signing such an item means that the users who are downloading it can be confident that:

  • it was produced and/or authorised by the organisation in whose name the certificate was issued, and
  • it has not been tampered with or altered since the item was signed.

This means that you can be more confident, when downloading material, that it is what its producer intended to make available. For instance, it cannot have been infected with a virus in transit. In some applications, such as Java applets, only signed code can request or be granted certain privileges (such as access to a user's files); it's also possible to timestamp code so that you know when it was signed, as well as by whom.

What is a personal certificate?

A personal certificate is a digital certificate which identifies a person and not an organisation. They can be used for digitally signing email; they can also be used for identifying yourself to a Web site. They aren't used on servers, but generally in client software such as email programs, Web browsers and the like.

In their most basic form, personal certificates tie a public key to an email address; it's also possible to include names, affiliations, employment details and other such data.

What is a CSR?

CSR stands for 'Certificate Signing Request'. You need one if you are going to request a server certificate (of any type), or if you are requesting a JavaSoft developer certificate; you don't need one if you are requesting any other kind of developer certificate or a personal certificate (in both those cases, your browser will interact with Thawte's servers to generate the required key information).

A CSR contains information about the person or organisation who is requesting the certificate (the same information which will eventually be contained in the certificate itself) along with a public key relating to that person or organisation.

When you generate a CSR on your server, it constructs the public and private key pair that your server will eventually use for secure traffic. You need to back up your private key, as we cannot help you if you lose it - we never see it; it stays on your server.

There is some discussion about how to generate a CSR on this page.


Back to top : FAQ Home
Buy a certificate now! : Contact us about Thawte certificates

Last updated: March 24th 2008
Last checked: March 24th 2008

© Copyright Herald Information Systems, 1999 - 2008.

[home]
[clients]
[services]
[new]
[links]
[contact]