Digi-Sign, The Certificate Corporation
Published on Digi-Sign, The Certificate Corporation (http://www2.digi-sign.com)


By Digi-Sign
Created Feb 22 2008 - 16:21

Digital Certificates & Signatures : Digi-Sign.com

A Guide to Digital Certificates & Digital Signatures

In the ‘real world’ passports and ID cards identify people; crests or symbols identify institutions like the police or a hospital; and a seal or stamp authenticates a document [2]. In the Digital World, we use Digital Certificates to do the same thing.

Digital certificates can be used for improved security where a username and password are used to log in to any web application by introducing two factor authentication [3]; they can also be used to secure the connection to any server using SSL certificates [4]; and can be used for identity cards [5] and even national ID cards.

Digital signatures can be used to sign PDF [6] documents; a digital signature can be installed on a server for signing e-invoices [6], statements and other billing documents; and they can also be used to authenticate legal transactions that take place over the internet.


The Basics

In the ‘digital world’ the Digital Certificate is used to identify the person, authority, device, website, software and/or electronic file and it is a CA [7] that issues these Digital Certificates. The purpose of the CA is to provide digital identities of users, devices or files. The CA is configured and installed in accordance with the customer’s requirements and these requirements are documented in the Certificate Policy [CP] for the CA.

Every request for a Digital Certificate is validated and approved, or rejected, by the Registration Authority [RA]. A trained Administrator, again in accordance with the CP, can manually operate the RA or this function can be automated depending on the CA you choose.

Every Digital Certificate issued is unique and is delivered according to the CP.


The Business Case

    Any network where information is stored electronically needs to be secured. Up to now, the most common way of protecting such data has been through the use of usernames and passwords. This is no longer considered ‘secure’.

    A single unsecured transaction could result in significant losses to an organization. This alone makes a strong argument for using Digital Certificates. Digital Certificates remove this risk completely.


    Even more compelling business arguments in favour of using Digital Certificates [Digi-IDs™] include the reduction or removal of paper forms and workflow from an organization. Paper business processes can be computerized and digital signatures [8] can replace handwritten signatures using Digi-IDs™. The savings to organizations as a result of using this technology are well documented.

    Two factor authentication [9], Machine Readable Travel Documents [MRTD], secure email [8], national ID Cards [10], digital rights management, web access control, device-to-device authentication [9] and many other business processes can benefit from significant savings by using technology smartly. Integral to all of these processes is the requirement for digital authentication [9], digital identification, digital encryption, digital stamping [11] and digital signing, and the ability to support these transactions with a legally binding infrastructure. This is what Digi-CA™ [12] provides to your organization. The online flash presentation of Digi-CA™ [13] explains the benefits in a simple and easy to understand manner.


Replacing an Existing CA

If you are trying to migrate [14] an existing environment from another Traditional Certificate Authority [15] [CA] vendor to Digi-CA™ [12], there is a ready-to-go solution that works independently of the Traditional CA. The customer can provide the information manually, or the Digi-CA Assistant™ can reduce the migration effort by using unobtrusive network scanning.

This is how it works:

  • A list of all existing Certificates is provided, including all of the following information:

        • Certificate Subject Details
        • Expiry Date
        • Certificate with Public Key
        • Certificate Issuer: Signer CA Certificate with Public Key


  • The information provided by the customer is loaded into the Digi-CA™ [12] system using the Digi-CA™ Control Centre;

  • Based on the information provided, the Digi-CA™ will send expiry reminder emails according to the expiry reminder policy and each email will contain a unique URL for the Certificate renewal;

  • For client certificate [8] migration, once the user enters the Certificate renewal screen using the URL provided in the email, they will be prompted by the system to prove their identity using their existing (old) Client Certificate (this is achieved by Digi-Access™ [3] using the Client Certificate Authentication [9] method over a Secure Socket Layer [SSL] [16] or Transport Layer Security [TLS] connection) and only if the old user Certificate details match the pre-configured Digi-CA™ system data, will the user be allowed to renew their certificate.

  • For SSL Certificates, the Digi-CA™ is preconfigured in the same way as for Client Certificates, except that it doesn’t require the old Certificate’s details other than the expiry date, so that the replacement occurs seamlessly. To automate the entire life cycle of your SSL environment, see the Automated & Authenticated Certificate Delivery™ System [17].

  • This is the highly effective method used to replace older and more costly Traditional CA systems. If needed, the Digi-CAST1™ Team of professional advisors outlined in sub section 2.4.1.1 will assist you in every detail.


Understanding Online Security

    If you want to use the Internet as a tool to improve communications, reduce costs, to improve customer service and retention or to expand your market reach, then Digi-Sign’s products, services and solutions will help you.

    These same offerings can be used in physical border control, building access, electronic signatures and any situation where truly knowing the other person/device is a necessity to securing the transaction.


Online Security Questions


Consider the following questions carefully:

  • When you visit a web site, like your Bank’s for example, how do you know that it really is their web site?
  • When you download software from the Internet, how can you be sure that it really is from the original Publisher?
  • If you are sending a confidential email to someone, how can you be sure that they are the only person that can open it?
  • Your company has a Virtual Private Network [VPN]; how can you replace password security with a stronger alternative?
  • When you make a payment over the Internet using your credit card, how can you be assured a hacker won’t steal it during transmission?
  • If your organization wishes to use the internet to have business forms / documents (legally binding) signed online, how can you do this?
  • Your organization wishes to put some or all of its systems online for suppliers, customers, etc. How can you securely control access to them?



Remember, the Digi-ID™ [18] can be used in a variety of different security situations; however, the most common uses are proving identity, digitally signing/sealing files, encrypting data and two factor authentication [9].

This is how the Digi-ID™ answers the above questions:


When you visit a web site, like your Bank’s for example, how do you know that it really is their web site?

If the Bank is serious about security, they will use a Digi-SSL™ [19] Secure Web Server Certificate to prove its online web site identity.


When you download software from the Internet, how can you be sure that it really is from the original Publisher?

Using a Digi-Code™ [20] Software/Code Signing Certificate, a pop-up dialog box assures the user of the Publisher’s identity prior to download.


If you are sending a confidential email to someone, how can you be sure that they are the only person that can open it?

If the email is first encrypted using a Digi-ID™ for email [Digi-Mail™ [18]], then only the intended recipient can decrypt the email.


Your company has a Virtual Private Network [VPN]; how can you replace password security with a stronger alternative?

Passwords can be copied and misused; however, if each user has a Digi-ID™, using Digi-Access™ [3], security and identification are assured because this is strong two factor authentication [9].


When you make a payment over the Internet using your credit card, how can you be assured a hacker won’t steal it during transmission?

The same Digi-SSL™ that confirms the identity of the website, automatically encrypts any data that is submitted through it.


If your organization wishes to use the internet to have business forms / documents (legally binding) signed online, how can you do this?

Again using the Digi-ID™, because the identity of the owner has been verified, they can use it to sign any digital file.


Your organization wishes to put some or all of its systems online for suppliers, customers, etc. How can you securely control access to them?

Using a Digi-CA™ [12] combined with Digi-Access™, the systems can be secured and all users can be verified before offering them the correct access level.


Online Security & Digital Certificates

The solution to the problem of online identification, two factor authentication [9] and privacy in computer-based systems lies in the field of cryptography. Due to the non-physical nature of electronic communication, traditional methods of physically marking transactions with a seal or signature are useless. So an alternative mark must be coded into the information itself in order to identify the source and provide privacy against eavesdroppers.

One widely used tool for privacy protection is what cryptographers call a "secret key." Log-on passwords and cash card PINs are examples of secret keys. Consumers share these secret keys only with the parties they want to communicate with, such as an online subscription service or a bank. Private information is then encrypted with this password, and it can only be decrypted by one of the parties holding that same password.

Despite its widespread use, this secret-key system has some serious limitations. As network communications proliferate, it becomes very cumbersome for users to create and remember different passwords for each situation. Moreover, the sharing of a secret key involves inherent risks. In the process of transmitting a password, it can fall into the wrong hands, or one of the sharing parties might use it maliciously and then deny all action or liability.

Digital Certificate [8] technology addresses these issues because it does not rely on the sharing of secret keys. Rather than using the same key to both encrypt and decrypt data, a Digital Certificate uses a matched pair of keys that are unique complements to one another. In other words, what is done by one key can only be undone by the other key in the matching pair.

Digi-CA™ [12] generates these Digital Certificates [8] using the patented Rivest, Shamir & Adleman [RSA] cryptographic algorithm. This algorithm produces the matched pair of keys (the ‘dual key’) on which the Digital Certificate is built.

Private and Public Key

In this type of Key-Pair system, the "Private Key" can only be accessed by you. Your "Public Key" gets widely distributed as part of the Digi-ID™ [18]. Customers, partners or employees who want to communicate privately with you can use the Public Key in your Digi-ID™ to encrypt information, and you are then the only one who can decrypt that information. Since the Public Key alone does not provide access to communications, you do not need to worry about who gets hold of this Key.

Your Digi-ID™ tells customers and correspondents that your Public Key in fact belongs to you. Your Digi-ID™ contains your name and identifying information, your Public Key and electronic signature as certification. The online flash presentation of Digi-CA™ [13] explains the benefits in a simple and easy to understand manner.

Why Digital Certificates are needed

Every time a user sends an email it travels across the internet or world wide web. It is called the world wide web because the internet is made up of thousands of servers or a ‘web of servers’. Each and every communication visits a minimum of 8 and a maximum of 32 servers before it reaches its intended destination. Each of these points of contact represents a security risk. Scripts, viruses, hackers and other devices can intercept the data at any time and can copy or alter it unnoticed.

Device-to-device authentication, two factor authentication [9], transaction signing and the inherent ‘digital identity’ within the Digital Certificate means that you know who and what you’re communicating with.


Encrypting information is only one aspect of security. The other is knowing the identity of the person. If two people choose to communicate by email, how can they be sure that any of the communications were transmitted without being tampered with? Equally, if a website owner wants to be sure that only a specific user gains access to secured information, how can this assurance be provided?

The simple answer is that Digital Certificates are the digital equivalent of a passport or signature.


By opening a user’s Digital Certificate, much of the information that would be available in a passport or driver’s license can be viewed in the Certificate. The person’s name, the organization that they work for (or the organization that issued the Certificate) and other information is clearly legible. A Digital Certificate cannot be compromised or ‘cracked’; this provides the assurance necessary to satisfy the recipient that the person is genuinely who they claim to be.


Digital Certificate Uses

Digital Certificates can be used to identify a person or a device. Once identification is established, the Certificate is most frequently used to prove one person’s, or device’s, identity to another person or device. Because of the RSA key pair, each party can verify the other’s identity. The Digital Certificate can now be used for signing and/or encrypting email or for providing two-factor strong authentication.


How Digital Certificates Work

Using the dual-key cryptography algorithm, Digital Certificates allow users to exchange Public Keys to secure and authenticate each other.
The two main uses for Digital Certificates are:

        1. Secure Email

        2. Secure Access

And when considering using Digital Certificates you need to consider:

        3. The Digital Certificate policy

        4. The Registration Authority Function



  • Communication; Secure Email
  • User A and B exchange Public Keys and use the other person’s Public Key to encrypt messages back to each other. Only User A has the Private Key that can decrypt any of the messages encrypted with User A’s matching Public Key.
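The key-pair behaviour described in the Private and Public Key section and in the User A / User B exchange above, worked through as an added example in Go (standard library only, not code from Digi-Sign): B encrypts for A under A’s Public Key and only A’s Private Key opens it, while A’s signature over a reply verifies with A’s Public Key and fails once the reply is altered. The user names, the sample messages and the 2048-bit key size are constructed assumptions; RSA-OAEP and RSA-PSS are the padded forms a practitioner would use rather than the bare RSA operation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// encryptFor seals msg under the recipient's Public Key (RSA-OAEP, SHA-256).
func encryptFor(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// decryptWith undoes encryptFor; with any other Private Key OAEP fails and returns an error.
func decryptWith(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// sign produces an RSA-PSS signature over SHA-256(msg) with the sender's Private Key.
func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// verify checks sig against msg with the sender's Public Key; any change to msg fails it.
func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// KeyPairDemo records what each party could and could not do in runKeyPairDemo.
type KeyPairDemo struct {
	RecipientReads bool // User A, holding the matching Private Key, recovers B's message
	OutsiderReads  bool // User B's own Private Key cannot open mail meant for A
	SignatureValid bool // B confirms A's reply with A's Public Key
	TamperedValid  bool // the same signature over an altered reply must fail
}

// runKeyPairDemo plays out the User A / User B exchange from the text with two fresh
// 2048-bit RSA key pairs and constructed sample messages.
func runKeyPairDemo() (d KeyPairDemo, err error) {
	userA, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return d, err
	}
	userB, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return d, err
	}
	// B writes to A using A's Public Key, which A can publish to anyone.
	msg := []byte("Constructed: invoice 42 approved")
	ct, err := encryptFor(&userA.PublicKey, msg)
	if err != nil {
		return d, err
	}
	pt, err := decryptWith(userA, ct)
	d.RecipientReads = err == nil && string(pt) == string(msg)
	_, err = decryptWith(userB, ct) // wrong Private Key: must fail
	d.OutsiderReads = err == nil
	// A signs the reply with A's Private Key; B checks it with A's Public Key.
	reply := []byte("Constructed: payment scheduled for Friday")
	sig, err := sign(userA, reply)
	if err != nil {
		return d, err
	}
	d.SignatureValid = verify(&userA.PublicKey, reply, sig)
	d.TamperedValid = verify(&userA.PublicKey, []byte("Constructed: payment scheduled for Monday"), sig)
	return d, nil
}

func main() {
	d, err := runKeyPairDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", d)
}
```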


  • Secure Access
  • In the case where a web server has a highly secure area and wishes to give restricted and controlled access to the information stored on it, then usernames and passwords do not offer sufficient protection. Replacing this insecure login method with a Digi-ID™ [18] solves this problem.

    There are two types of Digi-Access™ [3] authentication systems:

      • One-to-One Authentication
      • One-to-Many Authentication


    • One-to-One Authentication
    • Public Keys and Private Keys ‘recognize’ each other and, because the Public Key can be freely distributed, the web server can store all the Public Keys belonging to its list of authorized users and match the Keys for users seeking access. This is called One-to-One authentication.
      User A’s Public Key is stored on the web server. When User A attempts to gain access to the server, the server asks User A’s browser (via its Certificate Store) to prove that it holds the Private Key matching the Public Key stored on the server. If the match is confirmed, User A is granted access.

      In simpler deployments, you might only need to identify groups of users in which case the One-to-Many implementation is faster to implement and easier to manage.


    • One-to-Many Authentication
    • In One-to-Many Authentication, users are treated as one group or as several sub-groups. The server is then configured to check only the Signing (issuer) Certificate, in which case it doesn’t need a copy of each individual’s Public Key.

      This is easier to deploy and manage because the server doesn’t require a unique configuration for each Digi-ID™ that will be used to access it. Because of this simplicity, the server is configured once and any number of users can access it without any further intervention, while an individual user can still be revoked so that access is denied on an individual basis as needed.
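The two Digi-Access™ modes just described, as an added example in Go that is not the product’s own code: in One-to-One the server keeps a copy of each authorised user’s Public Key, in One-to-Many it trusts only the issuing CA certificate and consults a revocation list, so a new user of the trusted CA is admitted without any per-user configuration while a certificate from another CA, or a revoked one, is refused. The CA, user names, serial numbers and P-256 keys are constructed assumptions; in a deployment the certificate would arrive through TLS client authentication, which is the step that proves the user holds the matching Private Key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key pair for cn and has signer certify its Public Key; a nil
// signer produces the self-signed CA certificate itself.
func issue(serial int64, cn string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // in this offline demo a failure can only mean a broken random source
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if signer == nil { // CA certificate: flag it as a CA and sign it with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// oneToOne: the server holds a copy of every authorised user's Public Key and admits only a
// certificate whose key is on that list (TLS already proved possession of the matching Private Key).
func oneToOne(pinned map[string]bool, cert *x509.Certificate) bool {
	return pinned[string(cert.RawSubjectPublicKeyInfo)]
}

// oneToMany: the server holds only the Signing (CA) Certificate and admits any unrevoked
// certificate that chains to it, so it needs no per-user configuration.
func oneToMany(roots *x509.CertPool, revoked map[string]bool, cert *x509.Certificate) bool {
	if revoked[cert.SerialNumber.String()] {
		return false
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

type AccessDemo struct{ KnownUser11, NewUser11, NewUser1N, OtherCA1N, Revoked1N bool }

// runAccessDemo: a constructed CA with two users plus a user of an untrusted CA, each presented to both modes.
func runAccessDemo() (d AccessDemo) {
	ca, caKey := issue(1, "Constructed Issuing CA", nil, nil)
	certA, _ := issue(2, "User A", ca, caKey)
	certB, _ := issue(3, "User B", ca, caKey)
	otherCA, otherKey := issue(9, "Untrusted CA", nil, nil)
	certC, _ := issue(4, "User C", otherCA, otherKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	pinned := map[string]bool{string(certA.RawSubjectPublicKeyInfo): true} // only A's key was copied to the server
	revoked := map[string]bool{}
	d.KnownUser11 = oneToOne(pinned, certA)        // admitted
	d.NewUser11 = oneToOne(pinned, certB)          // denied: no copy of B's key on file
	d.NewUser1N = oneToMany(roots, revoked, certB) // admitted: chains to the trusted CA
	d.OtherCA1N = oneToMany(roots, revoked, certC) // denied: issued by a CA the server does not trust
	revoked[certB.SerialNumber.String()] = true
	d.Revoked1N = oneToMany(roots, revoked, certB) // denied: B revoked on an individual basis
	return d
}

func main() { fmt.Printf("%+v\n", runAccessDemo()) }
```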

Digital Certificate Policy

The rules, methods and guidelines that specify how the Digital Certificate is distributed to the end user are documented in the Certificate Policy [CP]. The CP is the ‘Who, What, Where and How’ document that describes the principles of the Digital Certificate usage and how they are to be distributed. This CP is agreed before the CA is operational and all Digital Certificates must be deployed in accordance with the CP.


The Registration Authority [RA]

The Registration Authority [RA] decides which users are permitted to receive a Digi-ID™ [18]. The RA can be a Systems Administrator or other responsible member of the organization, or the process can be automated using a database and a series of automated checks and controls, each one of which is designed to reduce the possibility of error or the risk of deception.

Three Types of Digital Certificate

There are three main types of Digital Certificates:

        1. Secure Socket Layer [16] Certificate [SSL] Digi-SSL™

        2. Software Signing [Code Signing Certificate] Digi-Code™ [20]

        3. Client Certificate [Digital ID] Digi-ID™


  • Secure Socket Layer
  • Secure Socket Layer [SSL] server Certificates are installed on a server. This can be a server that hosts a website like www.digi-sign.com [21], a mail server, a directory or LDAP server, or any other type of server that needs to be authenticated, or that wants to send and receive encrypted data. To automate the entire life cycle of your SSL environment, see the Automated & Authenticated Certificate Delivery™ System [17].

  • Code Signing Certificate
  • Code Signing Certificates are used to sign software or programmed code that is downloaded over the Internet. It is the digital equivalent of the shrink-wrap or hologram seal used in the real world to authenticate software and assure the user it is genuine and actually comes from the software publisher that it claims.

  • Client Certificate
  • Client Certificates or Digital IDs are used to identify one person to another, a person to a device or gateway, or one device to another device. Client Certificates are issued in their thousands and millions each year and are the principal reason for purchasing a CA.

    Two people communicating by email will use a client certificate to authenticate or digitally sign their respective communications. This Signature will assure each person that the email is genuine and comes from the other person.

    A person that is given access to a secure online service like a database, an extranet or intranet will be authenticated to the gateway or entry point using a Client Certificate. This type of strong two factor authentication [9] replaces less secure usernames and passwords currently in use on many websites.

    If two routers or a Virtual Private Network [VPN] connection needs to authenticate each other, a Client Certificate can be used and exchanged to prove the connection is trusted. This type of client authentication occurs deep within the application and is not usually visible to the end user. This type of device-to-device authentication often uses a particular IPSec Client Certificate.
    Also, bespoke applications and hardware seeking to utilize IP technology securely can use Digital Certificates to authenticate the application and/or for device-to-device authentication.


Where to get Digital Certificates

All Digital Certificates come from a Certificate Authority [7] which is a computer system that is capable of issuing the different types of Digital Certificate. The online flash presentation of Digi-CA™ [13] explains the benefits in a simple and easy to understand manner.

Digi-Sign Digital Certificates

Digi-Sign offers three types of Digital Certificate and both types of CA (in fact Digi-CA™ Shared [22] is a third type of CA and is unique to Digi-Sign). With the exception of Digi-Code™ [20], these are offered in three Classes depending on your requirements.

The different types of Digital Certificate are:

  • Digi-SSL™ [19] - SSL Certificates
  • Digi-Access™ [3] - Two Factor Authentication Certificates
  • Digi-Mail™ [23] - Secure Email Certificates
  • Digi-ID™ [18] - Digital Signatures
  • Digi-Code™ [20] - Code Signing Certificates



And there are several Classes for each of these Certificates, e.g. Xs, Xp, Xe, Xg, Xn, etc. The three standard Classes are the Xs, Xp and Xg, where Xs is the basic Class and offers no real flexibility to the user and Xg is at the other end of the spectrum and is the most flexible. Here is a breakdown of the most common Certificate Type and Class combinations you are most likely to see:

  • Digi-SSL™ - Xs, Xp & Xg
  • Digi-Access™ - Xs, Xp & Xg
  • Digi-Mail™ - Xs, Xp & Xg
  • Digi-ID™ - Xs, Xp & Xg
  • Digi-Code™ - Xs


Two Factor Authentication

Digi-Access™ Authentication

Securing any online system with usernames and passwords may not offer the level of protection and security your organisation needs.

You can improve the security by adding a 'second layer' of protection called 'two factor authentication [25]'. This means adding another method of authenticating your users, on top of the existing username and password access.

Digi-Access™ adds two security functions:

  • Second level of authentication

  • Conclusive proof of the transaction


To ease the introduction of this two factor authentication system into your organisation, Digi-Access™ can be completely managed and outsourced under Total Trust Management™ [TTM™] [26].

And because Digi-Access™ is compatible with 27 different servers [27], adding this second layer of security (two factor authentication) to your infrastructure does not require any re-programming of your existing environment. It literally 'sits in front' of your current systems.

Two Factor Authentication Demos

  • Simple Digi-Access™ Demonstration [28]

  • On line Banking Demonstration [29]

  • Customised VPN Demonstration [30]


Digi-Access™ no cost implementation [31]


Digi-Access™ Setup & Activation

As there are only three steps, a basic setup of Digi-Access™ should be possible in less than a few hours. The three simple steps are:


1. If required, change the location of the Login [32] page

2. Configure [33] the server to use Digi-Access™ certificates for two factor authentication
2.5 Customise [34] the IIS error pages (IIS Only)

3. Invite [35] users to get their Digi-Access™ Certificate and approve [36] successful applicants


Digi-Access™ Setup Instructions >> [32]


Advice & On Line Buying Options [37]

Digi-Access™ Certificates are issued and managed by the Digi-CA™ [38] Certificate Authority [CA] system. The system can be offered as a managed service (Digi-CA™ Service [39]) from outside your organisation or as installed software (Digi-CA™ Server [40]), depending on your requirements.


  • Price Digi-CA™ [37] for Digi-Access™ on line

  • Buy Digi-CA™ On line [37]


More Information >> [41]


Source URL: http://www2.digi-sign.com/digital%20certificate

Links:
[1] https://www.digi-sign.com/downloads/download.php?id=digi-ca-pdf
[2] http://www2.digi-sign.com/digital+document
[3] http://www2.digi-sign.com/digi-access
[4] http://www2.digi-sign.com/ssl
[5] http://www2.digi-sign.com/digi-card
[6] http://www2.digi-sign.com/digi-seal
[7] http://www2.digi-sign.com/certificate+authority
[8] http://www2.digi-sign.com/digital+certificate
[9] http://www2.digi-sign.com/two+factor+authentication
[10] http://www2.digi-sign.com/id+card
[11] http://www2.digi-sign.com/digi-ca/time+stamp
[12] http://www2.digi-sign.com/digi-ca
[13] http://www2.digi-sign.com/demos/aacd
[14] http://www2.digi-sign.com/digi-ca/migration
[15] http://www2.digi-sign.com/certificate+authority/traditional+ca
[16] http://www2.digi-sign.com/ssl+certificate
[17] http://www2.digi-sign.com/aacd
[18] http://www2.digi-sign.com/digi-id
[19] http://www2.digi-sign.com/digi-ssl
[20] http://www2.digi-sign.com/digi-code
[21] http://www.digi-sign.com
[22] http://www2.digi-sign.com/digi-ca/shared
[23] http://www2.digi-sign.com/digi-mail
[24] https://www.digi-sign.com/downloads/download.php?id=digi-access-user-pdf
[25] http://www2.digi-sign.com/digi-access/approache
[26] http://www2.digi-sign.com/digi-ca/total+trust+management
[27] http://www2.digi-sign.com/en/digi-access/compatibility
[28] http://www2.digi-sign.com/demos/digi-access#simple
[29] http://www2.digi-sign.com/demos/digi-access#bank
[30] http://www2.digi-sign.com/demos/digi-access#vpn
[31] http://www2.digi-sign.com/digi-access/approach#two-tier
[32] http://www2.digi-sign.com/digi-access/website
[33] http://www2.digi-sign.com/digi-access/configure
[34] http://www2.digi-sign.com/digi-access/customise
[35] http://www2.digi-sign.com/digi-access/distribute
[36] http://www2.digi-sign.com/digi-access/distribute#approve
[37] http://www2.digi-sign.com/https
[38] http://www2.digi-sign.com/en/digi-ca
[39] http://www2.digi-sign.com/digi-ca/service
[40] http://www2.digi-sign.com/digi-ca/server
[41] http://www2.digi-sign.com/support/digi-access/index