Expressvpn Glossary
Digital certificate
What is a digital certificate?
A digital certificate is an electronic document that verifies the identity of a website, user, or device and binds that identity to a public key. It works within a public key infrastructure (PKI) to enable encrypted, authenticated communication. On the web, digital certificates power HTTPS by proving a site’s legitimacy and ensuring that the connection is secure and private.
How does a digital certificate work?
A trusted certificate authority (CA) verifies the entity’s identity and then issues a certificate that includes the entity’s public key and key identifying details.
When a browser starts an HTTPS session, it receives this certificate and checks that it comes from a trusted CA and hasn’t expired or been revoked. If it passes these checks, the browser uses the public key inside the certificate to establish encryption keys for the session, creating a secure channel with the verified entity.
Key components of a digital certificate
A digital certificate includes several elements that establish trust and enable encryption:
- Public key: Used to encrypt data or verify digital signatures. It’s shared openly as part of the certificate.
- Private key: Used to decrypt data or create digital signatures. It’s stored securely by the certificate owner and not included in the certificate itself.
- CA: The trusted entity that verifies identity and issues the certificate.
- Subject information: Identifies who the certificate belongs to, such as a website, organization, or individual.
- Serial number: A unique set of digits assigned by the CA to track the certificate.
- Digital signature: Confirms the certificate’s authenticity and integrity.
- Validity period: Defines how long the certificate remains active before renewal is required.
Types of digital certificates
Different digital certificates serve specific security functions:
- Secure Sockets Layer (SSL) / Transport Layer Security (TLS) certificates: Secure data exchanged between a website and browser, enabling authenticated HTTPS connections.
- Secure/Multipurpose Internet Mail Extensions (S/MIME) email certificate: Encrypt and authenticate email messages to protect against tampering or spoofing.
- Code signing certificates: Verify the authenticity of software or applications, confirming they haven’t been altered since publication.
- Client certificates: Identify and authenticate individual users or devices within a network.
- Root and intermediate certificates: Form the trust hierarchy that connects all other certificates to a trusted CA.
Why are digital certificates important?
Digital certificates play a key role in protecting data as it moves between browsers, servers, and devices. They help prevent phishing, support compliance with privacy and security requirements, and build user trust through clear indicators like HTTPS.
Security and privacy considerations
Digital certificates should be managed carefully to maintain security and trust. Certificates need to be renewed before they expire to avoid service interruptions and loss of credibility.
Strong encryption standards, such as Rivest–Shamir–Adleman (RSA) or elliptic curve cryptography (ECC), help reduce the risk of key compromise. Regular monitoring is important to identify revoked, misconfigured, or otherwise invalid certificates as soon as they appear.
Certificate pinning can reduce spoofing attempts by allowing trust only for known certificates. A virtual private network (VPN) can provide an additional layer of encryption, protecting data even when outside secure website sessions.
Common certificate authorities
Some of the most recognized CAs include:
- DigiCert: A major global CA known for high-assurance SSL/TLS certificates and enterprise security solutions.
- GlobalSign: Provides identity and security services for websites, organizations, and Internet of Things (IoT) devices.
- Sectigo (formerly Comodo): Offers a wide range of certificates, including SSL/TLS and code signing options.
- Let’s Encrypt: A non-profit CA that provides free, automated SSL/TLS certificates to promote web encryption.
- Entrust: Supplies enterprise-grade certificates and identity management solutions for secure communications.
Further reading
- What is a certificate authority, and how does it work?
- What is TLS encryption, and how does it protect your data?
- Certificate authority trust breach exposes vulnerability in Internet's trust hierarchies
FAQ
What is the main purpose of a digital certificate?
A digital certificate verifies identity and establishes trust between two parties online. It confirms that the public key used for encryption genuinely belongs to the individual, organization, or website it claims to represent.
Is a digital certificate the same as an SSL certificate?
Not exactly. A Secure Sockets Layer (SSL) certificate is one type of digital certificate specifically used to secure website traffic over HTTPS. Digital certificates also include other types, such as email, code signing, and client authentication certificates.
How can I tell if a website has a valid certificate?
Look for “HTTPS” in the URL and a security icon in the browser’s address bar. You can click the icon to view details such as the issuing certificate authority (CA), expiration date, and whether the certificate is valid or revoked.
Can VPNs replace digital certificates?
No. A VPN encrypts network traffic and hides your IP address, while a digital certificate authenticates identities and enables secure connections through encryption keys. They serve different purposes but can complement each other to enhance privacy and security.
Support Center 
Live Chat 
FAQ 
