How digital certificates work

You obtain a digital certificate by sending information to a CA. The X.509 standard defines a format for this information, but some CAs have their own format. Certificate requests are usually generated by the certificate management tool your system uses, for example the iKeyman tool on UNIX(R) systems and RACF(R) on z/OS(R). The information comprises your Distinguished Name and is accompanied by your public key. When your certificate management tool generates your certificate request, it also generates your private key, which you must keep secure. Never distribute your private key.

When the CA receives your request, the authority verifies your identity before building the certificate and returning it to you as a personal certificate.

Obtaining personal certificates

You obtain your personal certificate from a Certification Authority (CA).

When you obtain a certificate from a trusted external CA, you pay for the service. When you are testing your system, or you need only to protect internal messages, you can create self-signed certificates. These are created and signed by the certificate management tool your system uses. Self-signed certificates cannot be used to authenticate certificates from outside your organization.

Figure 5 illustrates the process of obtaining a digital certificate from a CA.

Figure 5. Obtaining a digital certificate
This diagram shows the process of requesting a digital certificate from a Certification Authority (CA). You send your public key to the CA, which confirms your identity then builds and returns your signer certificate.

How certificate chains work

When you receive the certificate for another entity, you might need to use a certificate chain to obtain the root CA certificate. The certificate chain, also known as the certification path, is a list of certificates used to authenticate an entity. The chain, or path, begins with the certificate of that entity, and each certificate in the chain is signed by the entity identified by the next certificate in the chain. The chain terminates with a root CA certificate. The root CA certificate is always signed by the CA itself. The signatures of all certificates in the chain must be verified until the root CA certificate is reached. Figure 6 illustrates a certification path from the certificate owner to the root CA, where the chain of trust begins.

Figure 6. Chain of trust
This diagram shows the signature on a user certificate verified with a CA certificate that is itself verified with the root CA certificate. The certificates are on a certification path.
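
The chain walk described in this section, together with the self-signed caveat under Obtaining personal certificates, as an added OpenSSL example that is not part of this documentation: it builds a root CA, an issuing CA and a personal certificate, then checks the path the way a verifier does. It assumes an OpenSSL 1.1.1 or later command line; every name and file is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the IBM page): build a three-link certification path
# with OpenSSL and check it the way a verifier walks the chain of trust.
# All names and files are constructed for the demo.
set -e
WORK=$(mktemp -d); cd "$WORK"
NEWKEY="-newkey rsa:2048 -nodes"   # unencrypted keys: acceptable for a throwaway demo only
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# 1. Root CA: the request is signed with the root's own key, so issuer equals subject.
openssl req -new $NEWKEY -keyout root.key -out root.csr -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext -out root.pem 2>/dev/null

# 2. Intermediate (issuing) CA: its request is signed by the root.
openssl req -new $NEWKEY -keyout inter.key -out inter.csr -subj "/CN=Example Issuing CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -extfile ca.ext -out inter.pem 2>/dev/null

# 3. Personal certificate: the request carries only the DN and public key;
#    leaf.key stays here and is never sent to the CA.
openssl req -new $NEWKEY -keyout leaf.key -out leaf.csr -subj "/CN=qm1.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 90 -extfile leaf.ext -out leaf.pem 2>/dev/null

# 4. A self-signed certificate from a different organization, for contrast.
openssl req -new $NEWKEY -keyout other.key -out other.csr -subj "/CN=Other Org" 2>/dev/null
openssl x509 -req -in other.csr -signkey other.key -days 365 -extfile ca.ext -out other.pem 2>/dev/null

# Issuer of a certificate; along the path each issuer is the subject of the next link.
issuer_of() { openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'; }

# Full path: root trusted (-CAfile), intermediate supplied but untrusted, leaf checked.
verify_full_chain() { openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1; }
# Missing link: without the intermediate the leaf's signer cannot be chained to the root.
verify_without_intermediate() { openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; }
# Outsider's self-signed certificate: not in the trust store, so it is rejected.
verify_foreign_selfsigned() { openssl verify -CAfile root.pem other.pem >/dev/null 2>&1; }

for f in leaf.pem inter.pem root.pem; do echo "$f issued by: $(issuer_of "$f")"; done
verify_full_chain && echo "full chain: verified"
verify_without_intermediate || echo "without intermediate: rejected"
verify_foreign_selfsigned || echo "foreign self-signed: rejected"
```

The root is the only certificate whose issuer equals its own subject, which is exactly why it must be placed in the trust store rather than discovered from the chain.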

When certificates are no longer valid

Digital certificates are issued for a fixed period and are not valid after their expiry date. Certificates can also become untrustworthy for various reasons, including:

A Certification Authority can revoke a certificate that is no longer trusted by publishing it in a Certificate Revocation List (CRL). For more information, refer to Working with Certificate Revocation Lists and Authority Revocation Lists.