Avatar of JCTDD
 asked on

What is the difference between a certificate and a Private/Public key pair?

I started reading:


where is says:
"At the end of the transactions defined in this protocol, the network device will have a private key and associated certificate that is issued by a CA. Applications on the device may use the key and its associated certificate to interact with other entities on the network."

I've used self-generated Private and Public keys in Windows and Linux before to encrypt and decrypt files with a 3rd party.

What is the difference between a certificate and the Private/Public key pair that I am have used before?
Internet ProtocolsMicrosoft Legacy OS

Avatar of undefined
Last Comment

8/22/2022 - Mon
Hiran Desai

Well, Certificates are issued by CA that's Certificate Authority who issues certificate and keeps records of Public key for that certificate.

The owner of the certificate does not need to share that key.

Whenever any client/computer accesses your website that has certificate it goes to Certificate Authority to search for Public key that's related with that certificate.

So Certificate has information such as who's owner, who has issued that certificate, Encryption methodology used for that certificate and such relevant details.

One can have Self Signed certificate where he/she issues the certificate on it's own and does not register that certificate with verified CA (Hence you do not need to pay for the certificate) but in such case as certificate isn't verified it will show image such as

A certificate incorporates a public/private key pair, using an asymmetric algorithm such as RSA-2048, in conjunction with other elements of a security infrastructure called PKI.

Public key infrastructure (PKI) is a security infrastructure whose services are delivered and implemented using public key concepts. It provides the foundation necessary for secure e-business through the use of cryptographic keys and digital certificates. This enables secure electronic transactions and the exchange of sensitive information.

Doing business electronically provides the opportunity to deliver new revenue-generating services and lower the cost of traditional business. But as services are delivered electronically, the same security must be provided as in the paper-based world. This security must provide five important capabilities:

Access control

Cryptography provides the basis of e-business security. Through encryption and digital signatures, public key cryptography provides those five elements.

When an individual's public key is obtained, the question is how to ensure that the key really is that person's. If that identity cannot be assured, an intruder could substitute his public key for that of the intended receiver. He could then read the message from the sender, change it, and forward it on to the intended receiver using that person's public key, thereby causing the intended receiver to believe that the forged message came from the original sender.

At the heart of PKI is the management of trust. The following are the elements of an efficient and effective PKI. All need to be addressed in order for proper trust to be addressed.

Certification policy
Certification statement
Certificate authority
Registration authority
Certificate repository
Certificate revocation system
Key backup and recovery system
Support for non-repudiation
Automatic key update
Management of key histories
Cross-certification - an extended form of third party trust; a process in which two CAs securely exchange crypto keying information, so that each can effectively certify the trustworthiness of the other's keys
Client side software interacting with all of the above in a consistent, trustworthy manner

The core services offered by PKI are:

Authentication - Assurance to one entity that another entity is who it claims to be
Integrity - Assurance to one entity that the data has not been changed intentionally or unintentionally.
Confidentiality -- Assurance to one entity that only the receiver explicitly intended can read a particular piece of data

Certification is the process in which someone recognized to be in a position of trust (i.e., the certification authority) uses their own private key to sign a small digital record called, the certificate, that couples an individual's public key to his or her name. Each certificate contains:

Name of the certification authority
Public key being certified
Name of the owner of the public key
A unique serial number for this certificate as assigned by the certification authority
Beginning and ending dates for which this certificate is valid

The recipient of a digitally signed electronic document relies upon the digital certificate to confirm the relationship between the public key and the identity of the party who is named in the electronic document.

The International Telecommunications Union (ITU) defines a format for public-key certificates in its X.509 (currently version 4) standard.

A Certification Authority (CA) is a trusted entity or third party that signs public key certificates.

The central responsibility of a CA is certifying the authenticity of users, much like the passport-issuing office of a government. A passport is a citizen's secure document, issued by an appropriate authority, which certifies that the citizen is who he/she claims to be. Any country trusting the authority of the first country's government passport office will trust the citizen's passport.

This is a good example of "'third party trust." Third party trust refers to a situation in which two entities or individuals implicitly trust each other, even though they have not previously established a business or personal relationship. In this situation, the two parties implicitly trust each other because they share a relationship with a common third party, and that third party vouches for the trustworthiness of the first two parties.

A certificate, then, is a network user's electronic equivalent of his/her passport. It contains information that can be used to verify the identity of the owner, such as the owner's name. A critical piece of information contained in a user's certificate is that owner's public key.

A CA manages the certificate process:

Digital certificate application
Certification (authentication of the applicant)
Issuance of the certificate

Most CAs offer various classes of digital certificates, depending on the certifying documents the applicant submits and the fee paid to the CA.
Low assurance certificate - does not provide proof of identity
High assurance certificates - requires stringent credentials at registration

A digital certificate usually contains these elements:

Version: Identifies the version of the certificate
Serial Number: Unique number for the certificate
Algorithm ID: Algorithm used to sign the certificate
Issuer: Name of the certificate authority
Validity: Validity dates
Subject: Name of owner
Subject Public Key info: Public Key of Owner
Issuer Unique ID: ID of issuing CA
Subject unique ID: ID of subject
[Blank]: Optional extensions
Digital Signature: All previous fields signed by CA

Certificate Format
The tasks associated with key management are:

Key generation
Key distribution
Key change
Key disposition
Key recovery
Control of cryptography keys

See for more detail http://www.experts-exchange.com/Security/Encryption/A_12456-Cryptography-Primer.html


The owner of the certificate does not need to share that key.

Whenever any client/computer accesses your website that has certificate it goes to Certificate Authority to search for Public key that's related with that certificate.

This is incorrect.  The certificate must be installed on the web server (whether self-signed or issued by a CA.)  In the case of a CA issued certificate, the end users browser checks its local certificate store (Trusted Root Certification Authorities, Intermediate Certification Authorities, etc.) to verify if it can implicitly trust the certificate.  If it cannot a warning is produced stating the same.  The CA may be referenced for Certificate revocation, however.

TLS handshake

Here's a detailed report of the certificate presented by CIA.gov

Based on the output, you can clearly see the references to certificate revocation (CRL, OCSP), Signature Algorithm (sha1WithRSAEncryption), RSA Public Key (2048 bit), etc.

Testing SSL server cia.gov on port 443

  Supported Server Cipher(s):
    Accepted  SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5

  Prefered Server Cipher(s):
    SSLv3  256 bits  AES256-SHA
    TLSv1  256 bits  AES256-SHA

  SSL Certificate:
    Version: 2
    Serial Number: -4294967295
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
    Not valid before: Apr  8 00:00:00 2013 GMT
    Not valid after: Apr  8 23:59:59 2015 GMT
    Subject: / Entity/serialNumber=Government Entity/C=US/ST=Virginia/L=McLean/O=Central Intelligence Agency/OU=Operations 1/OU=Terms of use at www.verisign.com/rpa (c)05/CN=www.cia.gov

    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
      Modulus (2048 bit):
      Exponent: 65537 (0x10001)
    X509v3 Extensions:
      X509v3 Subject Alternative Name:
      X509v3 Basic Constraints:
      X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
      X509v3 Certificate Policies:
        Policy: 2.16.840.1.113733.
          CPS: https://www.verisign.com/cps

      X509v3 CRL Distribution Points:

      X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto
      X509v3 Authority Key Identifier:

      Authority Information Access:
        OCSP - URI:http://ocsp.verisign.com
        CA Issuers - URI:http://EVIntl-aia.verisign.com/EVIntl2006.cer

A simpler answer:

Certificate is an signed electronic document that contains:
 - A public key
 - Information on the owner

The public key is  associated to a private key, just as the keys you have told us you already used. But the private key is NOT inside the certificate. The certificate is a public file just as your public key file.

This electronic document is signed by a Certification Authority, that is a entity that has his own private and public key pair, and its own certificate, that is signed by another CA, until you have a CA that is self-signed and is therefore called a Root CA. This CA you need to trust directly, and your computer always trust a lot of them by default.

If you have a chain of valid signatures from your certificate to a trusted root CA, you trust the certificate. By trust, I mean you know that the data in the certificate is legitimate, therefore the public key on it is associated to the information about the owner of that key and the private key owner is the one that is in the certificate data.

Therefore, certificate is just the way you can be sure (as long as you trust CAs) that a given key really is from someone. And that is very important, for signing (you need to be sure who is the one that owns a key) and also for encryption (if you want to send me something encrypted, how would you make sure that the key you find on internet is really mine? you need something to check this, and certificate is also for that).

PS: Certificates do contain more details, like validity, revocation, etc. But I´ll let this out for this moment.
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck

If I set up (I'm still learning about this) 802.1x authentication (with MS NPS and AD CS and automatic certificate enrollment), my workstation would receive a:

machine certificate?
user certificate?
And the certificate located on my hard disk would only contain the Public Key? The Issuing CA stores the Private Key for me?

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.