Digital certificates are the backbone of the Public Key Infrastructure (PKI), which is the basis of trust online. Digital certificates are often compared to signatures: we trust a document because it carries a signature from someone we trust, and we trust a certificate because it was issued by a certificate authority (CA) we trust. Simply put, digital certificates reproduce a simple model that already exists in the real world.

Incidents involving digital certificates have been in the news recently. Issues surrounding digital certificates and CAs are not always clear or noticeable to end users. However, IT managers, software developers, and other security professionals need to understand these problems so that the risks can be properly managed.

So who or what can we trust online? Every computer connected to the Internet contains a list of trusted root CAs. These root CAs issue certificates, which can be used either to sign certificates for other CAs or to identify servers. There needs to be a "chain of trust" from any certificate that the system sees to one of the root certificates that it trusts.

What does "trusted" mean? If a secure connection or signed file is "trusted", this generally equates to an absence of warnings. Digital certificates are used to secure websites using SSL/TLS, to identify and validate executable files using code signing, and to secure email via Secure/Multipurpose Internet Mail Extensions (S/MIME). If a browser accesses an HTTPS server with an untrusted server certificate, it will generate a warning. If an unsigned or untrusted executable file is run, a warning message may be generated. A user may see these messages and avoid potentially risky behavior.

HTTPS is widely used as a way to assure users that connections to sites are authentic. Many users view the "green bars" that browsers use to mark HTTPS addresses as a sign that their connections are safe. This trust is based on two things:
- CAs are not supposed to issue certificates to inappropriate users.
- Users (e.g. PCs, browsers, or mobile devices) should not add any inappropriate CA to the list of trusted CAs.