Digital certificates: security and online trust

Table of contents

• What are digital certificates?
• How do digital certificates work?
• Types of Digital certificates
• Why are digital certificates important?
• How to obtain a digital certificate?
• Do digital certificates expire?
• Threats and risks aassociated with digital certificates

---

Digital certificates play a key role in authenticating websites, identities, and online communications. But what exactly are they? How do they work, and what types exist?

This article explores the world of digital certificates, their role in cyber security, and why they are essential for data protection.

What are digital certificates?

Digital certificates are electronic documents used to verify the identity of individuals, businesses, or devices and to protect online communications through encryption. They function like a digital passport, issued by a Certificate Authority (CA), that confirms the authenticity of an entity.

Their primary role is to ensure that anyone communicating with a website or an online service can do so securely, without the risk of interception or data manipulation. They are mainly used for authentication, encryption, and digital signatures, protecting financial transactions, emails, and software.

How do digital certificates work?

The functionality of digital certificates is based on an asymmetric cryptography system known as PKI (Public Key Infrastructure). This system uses a pair of cryptographic keys: a public key, which is included in the digital certificate and visible to anyone, and a private key, which is securely held by the certificate owner.

The interaction between these two keys enables authentication, data integrity, and confidentiality in online communications.

The role of PKI and Certificate Authorities

The PKI infrastructure is a hierarchical system where Certificate Authorities (CAs) are responsible for issuing, managing, and revoking digital certificates. CAs act as trusted third parties, verifying the identity of entities requesting a certificate before issuing it.

How a digital certificate is created

To obtain a digital certificate, the applicant must generate a CSR (Certificate Signing Request), a certificate request containing the organization’s or server’s identity information and the public key to be certified.

• Key Pair Generation
  The applicant creates a cryptographic key pair (public and private).
• CSR Creation
  The applicant generates a certificate request that includes the public key and entity details (domain name, organization name, location, etc.).
• Submission to the CA
  The CSR is sent to a Certificate Authority, which verifies the applicant’s identity and digitally signs the certificate to confirm its authenticity.
• Certificate Installation
  The signed certificate is installed on the server or device that will use it.

SSL/TLS verification and authentication process

When a user connects to a website secured with SSL/TLS, the browser performs a series of checks to ensure the connection’s security. This process is known as the SSL/TLS handshake and involves several steps:

• Secure connection request
  The browser sends a request to the server to establish a secure connection.
• Certificate trransmission
  The server responds by sending its digital certificate to the browser.
• Certificate verification
  The browser checks if the certificate is valid, not expired, and issued by a trusted CA.
• Key exchange
  If the certificate is valid, the browser and server negotiate a session key that will be used to encrypt the communication.
• Secure connection established
  Once authentication is complete, all data exchanged between the user and the server is encrypted and protected from interception.

This process ensures that the visited website is authentic and that the communication cannot be altered by attackers.

Digital Certificates for electronic signatures

Beyond securing web connections, digital certificates are also used for electronic signatures and code signing. In these cases, the verification mechanism is similar:

• Digital document signing
  When a document is digitally signed, the signing software uses the private key to create a unique signature. Anyone receiving the document can verify its authenticity using the public key of the signer.
• Software code signing
  Developers use code signing certificates to sign software and assure users that the code has not been altered by malicious third parties.

In both scenarios, asymmetric cryptography enables validation of integrity and authenticity of the signed content.

Revocation and management of digital certificates

If a digital certificate is compromised (e.g., if the private key is stolen), it must be revoked immediately. Certificate Authorities manage Certificate Revocation Lists (CRLs) and use the Online Certificate Status Protocol (OCSP) to verify in real time whether a certificate has been revoked.

To maintain security, it is essential to monitor certificate validity and renew them before expiration. An expired or revoked certificate can compromise trust and the security of digital communications.

Types of Digital certificates

Digital certificates are not all the same—different types exist, each designed for specific purposes related to authentication, data protection, and identity verification.

The main differences involve their use case, the level of security they provide, and the validation process carried out by Certificate Authorities (CAs) before issuing them.

SSL/TLS certificates: securing web communications

SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates are the most common type and are used to encrypt communications between a web browser and a server. They ensure that transmitted data remains confidential and cannot be intercepted by attackers.

These certificates fall into three main categories based on the level of identity verification:

• Domain Validation (DV)
  The CA only verifies that the applicant controls the domain. These certificates are easy to obtain, often within minutes, and are ideal for personal websites and blogs but provide a lower level of trust.
• Organization Validation (OV)
  In addition to verifying domain ownership, the CA checks the organization’s identity, making it more secure. These certificates are suitable for business websites, e-commerce platforms, and organizations that require a higher level of trust.
• Extended Validation (EV)
  The highest level of authentication. The CA performs thorough checks on the legitimacy of the requesting organization, providing maximum trust. EV certificates activate visual indicators in browsers, such as the company name in the address bar, enhancing credibility.

Other variations of SSL certificates include:

• Wildcard SSL
  Protects a domain and all its subdomains with a single certificate (e.g., *.example.com).
• SAN (Subject Alternative Name) or Multi-Domain SSL
  Allows multiple domains to be secured under a single certificate (e.g., example.com, site2.com, example.net).

Digital signature certificates: ensuring document authenticity

Digital signature certificates are used to guarantee the authenticity and integrity of electronic documents, emails, and online transactions. Unlike SSL/TLS certificates, which secure communications in real-time, digital signature certificates are used to sign files and messages, certifying the sender’s identity and preventing unauthorized modifications.

Typical use cases include:

• Signing PDFs and electronic contracts, ensuring that they have not been altered after signing.
• Digitally signing emails, confirming the sender’s identity and preventing phishing or spoofing attacks.
• Authentication in e-government processes, such as tax filings and official documents.

These certificates are often issued in compliance with regulations like eIDAS (in Europe), ensuring legal validity for digitally signed documents.

Client certificates: secure user authentication

Client certificates, also known as user authentication certificates, are used to securely identify and authenticate individuals or devices on a network.

Unlike passwords, which can be stolen or intercepted, client certificates use cryptographic techniques to ensure that only authorized users can access certain services.

These certificates are commonly used for:

• Authentication on corporate networks and VPNs, reducing reliance on weak passwords.
• Accessing cloud services and sensitive platforms, such as online banking systems.
• Electronic signing within enterprises, enabling employees to approve critical transactions securely.

Client certificates are often stored on smart cards, USB tokens, or TPM (Trusted Platform Module) chips to add an extra layer of security.

Code signing certificates: protecting software integrity

Code signing certificates are used by developers to digitally sign applications, drivers, and software, ensuring that the code has not been altered by third parties.

These certificates help:

• Ensure that users trust the software source, preventing it from being mistaken for malware.
• Protect applications from unauthorized modifications, reducing the risk of man-in-the-middle attacks or trojan horse infections.
• Avoid security warnings on operating systems, which flag unsigned software as potentially dangerous.

Code signing certificates are essential for software distributed on platforms like Windows, macOS, and Android. They are often required for publishing apps in official stores such as the Microsoft Store, Apple App Store, and Google Play Store.

Root and intermediate certificates: the foundation of trust

Root and intermediate certificates are issued by Certificate Authorities (CAs) and form the backbone of the Public Key Infrastructure (PKI).

• Root certificates
  These are the primary certificates issued by CAs and are pre-installed in operating systems and browsers. If compromised, they could undermine the entire trust system.
• Intermediate certificates
  Issued by root CAs to sign other certificates, reducing the risk of direct exposure to the root keys.

When a browser verifies an SSL/TLS certificate, it checks the certificate chain, which links the website’s certificate to a trusted root certificate.

Which digital certificate should you choose?

The choice of a digital certificate depends on the intended use:

• To secure a website? → An SSL/TLS certificate (DV, OV, or EV) is the best option.
• To sign electronic documents? → A digital signature certificate ensures authenticity and legal validity.
• To authenticate users on a system? → A client certificate provides better security than passwords.
• To protect software and applications? → A code signing certificate is essential for developers and companies.

In an increasingly digital world, the use of digital certificates is essential for ensuring security, privacy, and trust in online transactions and digital processes.

Why are digital certificates important?

Digital certificates play a crucial role in cyber security, helping to protect data and online identities.

One of their most common uses is securing HTTPS connections. Without an SSL/TLS certificate, data transmitted between users and servers could be exposed to attacks like Man-in-the-Middle (MitM). They are also used in electronic signatures to ensure the integrity and origin of digital documents.

In businesses, client authentication certificates help control access to corporate resources, reducing the risk of cyber threats. In software development, code signing certificates prevent programs and applications from being tampered with or infected by malware.

How to obtain a digital certificate?

Obtaining a digital certificate involves contacting a Certificate Authority (CA), which verifies the applicant’s identity and issues the certificate. The process varies depending on the type of certificate required, but it generally follows these steps:

• Generate a CSR (Certificate Signing Request), a file containing the entity’s details and public key.
• Submit the CSR to a CA, which validates the applicant’s identity.
• Receive the issued digital certificate after verification.
• Install the certificate on the server or device that will use it.

Below, we’ll explore how to obtain different types of digital certificates with practical examples and code.

1. Obtaining an SSL/TLS Certificate for a Website

If you want to secure a website with HTTPS, you’ll need an SSL/TLS certificate. There are two main ways to get one:

• Free certificates
  Provided by CAs like Let’s Encrypt, suitable for personal websites and small projects.
• Paid certificates
  Issued by CAs like DigiCert, GlobalSign, Sectigo, offering higher trust and support for OV (Organization Validation) and EV (Extended Validation) certificates.

1.1 Generating a CSR with OpenSSL

If you have a Linux server or hosting with SSH access, you can generate a CSR (Certificate Signing Request) using OpenSSL.

Run the following command in the terminal:

openssl req -new -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr

This command:

• Creates a new 2048-bit private key (mydomain.key).
• Generates a CSR file (mydomain.csr).

During the process, you’ll need to enter details such as the domain name (Common Name, CN) and company information.

Example:

Country Name (2 letter code) [XX]: US 
State or Province Name (full name) [Some-State]: California 
Locality Name (eg, city) []: Los Angeles 
Organization Name (eg, company) [Internet Widgits Pty Ltd]: My Company Inc. 
Organizational Unit Name (eg, section) []: IT Department 
Common Name (e.g., server FQDN or YOUR name) []: www.mysite.com 
Email Address []: admin@mysite.com

Once the CSR is generated, submit it to your chosen CA to obtain the certificate.

1.2 Getting a free SSL certificate with let’s encrypt (Certbot)

For a free SSL certificate, Let’s Encrypt provides an easy and automated solution.

Install Certbot, the tool used to request and renew SSL/TLS certificates:

sudo apt update && sudo apt install certbot

Request and install a certificate for Apache:

sudo certbot --apache -d mysite.com -d www.mysite.com

For Nginx servers:

sudo certbot --nginx -d mysite.com -d www.mysite.com

Let’s Encrypt will issue and configure the certificate automatically.

To check the certificate status:

sudo certbot certificates

To renew it manually:

sudo certbot renew

2. Obtaining a digital signature certificate for documents and emails

Digital signature certificates ensure the authenticity and integrity of electronic documents, emails, and online transactions. They are issued by CAs like GlobalSign, DigiCert, Actalis, and comply with regulations such as eIDAS (Europe).

To digitally sign a PDF using Adobe Acrobat:

• Obtain a certificate from a trusted provider (e.g., GlobalSign).
• Import the certificate into Adobe Acrobat.
• Open a PDF → Click on Tools → Certificates → Digitally Sign.
• Select the certificate and sign the document.

For signing emails with S/MIME certificates in Outlook or Thunderbird:

• Obtain an S/MIME certificate from a CA.
• Import it into the email client.
• Enable digital signing in the security settings.

3. Obtaining a client certificate for user authentication

Client certificates are used for user authentication on VPNs, corporate networks, and secure services without relying on passwords.

To generate a client certificate with OpenSSL:

openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr

After submitting the CSR to a CA and receiving the signed certificate, you can use it to access secure services.

For example, to configure a client certificate for OpenVPN:

openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt -certfile ca.crt

The client.p12 file contains the private key and certificate, required for authentication.

4. Obtaining a code signing certificate for software

For developers, a code signing certificate is essential to sign applications and drivers, ensuring they are not altered or flagged as unsafe.

After obtaining a code signing certificate from a CA like DigiCert, GlobalSign, or Sectigo, you can use it with Microsoft SignTool or Java Jarsigner.

Example of signing an executable file on Windows with SignTool:

signtool sign /a /t http://timestamp.digicert.com /fd SHA256 MyApp.exe

Example of signing a JAR file with Jarsigner:

jarsigner -keystore mykeystore.jks -signedjar MyApp_signed.jar MyApp.jar myalias

These certificates are required for software distributed through official platforms such as the Microsoft Store, Apple App Store, and Google Play Store.

Do digital certificates expire?

Yes, all digital certificates have an expiration date, usually between 1 and 2 years for SSL/TLS certificates. Expiration is necessary to maintain security, as outdated certificates may become vulnerable to attacks.

If a certificate expires and is not renewed, the website or service using it may display security warnings, discouraging users from proceeding.

Threats and risks aassociated with digital certificates

Digital certificates are essential for cyber security, but they can be vulnerable to various attacks and mismanagement issues. A compromised or poorly managed certificate can lead to data breaches, service disruptions, and malware distribution through seemingly legitimate websites or software.

Below, we explore the main threats and risks associated with digital certificates, with real-world examples and mitigation strategies.

1. Fraudulent certificates and spoofing attacks

One of the most dangerous threats is the creation of fraudulent certificates, which are either issued by a compromised CA or obtained illegally to impersonate a legitimate website.

These certificates are often used in phishing or spoofing attacks, tricking users into believing they are on a secure website.

Attack example

An attacker obtains an SSL certificate for a domain that looks similar to a bank’s website (e.g., bancaonline.com instead of banca-online.com).

Users who receive phishing emails with a link to the fraudulent site see the SSL padlock in the address bar and believe the site is legitimate. Once they enter their credentials, the attacker steals them without the victim realizing it.

Mitigation strategies

• Use EV (Extended Validation) certificates
  These display the verified company name in the browser, making spoofing harder.
• Monitor certificates using Certificate Transparency (CT)
  Google and other organizations provide tools to check if fraudulent certificates have been issued for your domain.
• Implement HTTP Strict Transport Security (HSTS)
  This prevents browsers from accepting invalid or self-signed certificates.

2. Private key theft and certificate compromise

Every digital certificate relies on a pair of cryptographic keys: a public key and a private key. If an attacker steals the private key, they can impersonate the certificate owner, decrypt sensitive data, and sign malicious software or documents.

Attack example

In 2011, the CA DigiNotar was breached, allowing attackers to issue fake SSL certificates for Google, Yahoo, and other services. Iranian users accessing Gmail were intercepted, believing they were on a secure site.

Mitigation strategies

• Use Hardware Security Modules (HSMs)
  These protect private keys from unauthorized access.
• Set restrictive file permissions for private key storage and keep them in secure environments.
• Use certificates with Perfect Forward Secrecy (PFS)
  This limits damage even if a key is compromised.
• Rotate cryptographic keys regularly and revoke compromised certificates immediately.

3. Certificate expiration and service Disruptions

One of the most common mistakes in certificate management is letting them expire, which can cause service outages, security errors, and loss of user trust.

Real-world example

In 2021, a Microsoft Teams certificate expired, causing a multi-hour outage. Users could not access the service because the expired SSL certificate prevented secure connections.

Mitigation strategies

• Use automatic monitoring tools to receive alerts before expiration.
• Enable automatic certificate renewal using tools like Let’s Encrypt and Certbot.
• Maintain an up-to-date certificate inventory to prevent oversight.

4. Man-in-the-Middle (MitM) Attacks and Interception

A Man-in-the-Middle (MitM) attack occurs when an attacker intercepts communication between a user and a server, potentially decrypting transmitted data. This is possible if a weak or misconfigured SSL certificate is exploited.

Attack example

If a website uses a self-signed or expired certificate, an attacker can set up a rogue Wi-Fi hotspot (e.g., at an airport) and intercept user credentials when they connect.

Mitigation strategies

• Avoid self-signed certificates, which are not trusted by browsers.
• Enable HTTPS with valid SSL certificates and renew them regularly.
• Use modern cryptographic standards, avoiding outdated algorithms like SHA-1.

5. Misuse of code signing certificates

Code signing certificates ensure the integrity of software, but if compromised, they can be used to distribute malware signed with a legitimate certificate, bypassing security checks.

Attack example

In 2015, hackers stole a legitimate code signing certificate to sign malware distributed through fake software updates. Users trusted the malicious software because it appeared to be “signed” by a known company.

Mitigation strategies

• Protect code signing certificates with HSMs to prevent unauthorized access.
• Enable immediate revocation in case of certificate compromise.
• Verify file hashes before executing a signed program.

6. Ineffective certificate revocation

If a certificate is compromised, it must be revoked immediately so that browsers and operating systems no longer trust it. However, the revocation system is not always reliable.

Real-world example

In 2013, the NSA gained access to valid certificates to intercept communications. Even after revocation, many browsers and operating systems continued to trust the certificates for weeks, exposing users to risks.

Mitigation strategies

• Use OCSP Stapling, allowing servers to provide real-time proof of certificate validity.
• Implement CAA (Certificate Authority Authorization) to restrict which CAs can issue certificates for your domain.
• Regularly check revoked certificates in public revocation lists.

---

Questions and answers

1. What happens if a digital certificate expires?
   If a digital certificate expires, the site or service using it becomes untrustworthy and may show security warnings to visitors.
2. How can I check if a website has a valid SSL certificate?
   You can check the padlock icon in the browser’s address bar and click on it to view the certificate details.
3. What is the difference between DV, OV, and EV certificates?
   DV certificates only verify the domain, OV certificates authenticate the organization, and EV certificates provide the highest level of identity verification.
4. Are digital certificates mandatory for websites?
   They are not mandatory, but without an SSL/TLS certificate, browsers mark the site as “not secure,” which can impact trust and visibility.
5. How much does an SSL certificate cost?
   The cost varies: DV certificates can be free, while EV certificates can cost hundreds of dollars per year.
6. Does an SSL certificate protect against all cyberattacks?
   No, it secures communication but does not prevent attacks like phishing or vulnerabilities in website code.
7. What is a Certificate Authority (CA)?
   A CA is a trusted entity that issues and verifies digital certificates to ensure identity and online security.
8. What is a digital certificate’s private key?
   It is a secret cryptographic key used to decrypt data secured by the certificate. It must be carefully protected.
9. Why is Let’s Encrypt free?
   Let’s Encrypt provides free SSL certificates to promote a safer and more accessible web for everyone.
10. Can I use a digital certificate for multiple domains?
    Yes, Wildcard and SAN (Subject Alternative Name) certificates allow multiple domains to be secured with a single certificate.