Digital certificates contain crucial information about an online service or website, such as the certificate issuers’ name, the CA’s digital signature, and expiration date. Without digital certificates, impostors would run amok.
Wait, digital certificates and digital signatures? I’m confused
Digital signatures are the building blocks of a digital certificate. Therefore, before learning how digital certificates are managed and issued, it’s best to first learn what digital signatures are.
Digital signatures perform the same function as handwritten ones, except they’re a bunch of numbers and letters generated in a series of complex mathematical steps. They have three main concepts: the public-private key pair, hashing, and encryption, and are used in verifying the authenticity of data, as well as to provide non-repudiation, meaning that the signer cannot claim they did not sign the document.
Generating a digital signature involves a lot of back and forth. First, the sender hashes the data package using a hashing algorithm. Hashing is a one-way math function that generates a unique text string based on the input. Even if it’s intercepted, the hacker would have no way to reconstruct the data based on the hash. Since hashing is irreversible, it’s different from encryption, which is reversible.
After hashing comes encryption or, more specifically, asymmetric encryption. Asymmetric means that the sender and receiver hold different parts of the key. They’re different from one another, but they can exclusively decrypt each other’s encryption.
As its name implies, asymmetrical encryption needs two keys: a public key that can be shared, and a private key exclusive to the sender. The sender generates the keys upon initial transmission.
Before transferring data, the sender encrypts the hashed data (also known as a data-digest) using the private key. The resulting output is the digital signature. The digital signature, along with the public key, is then appended to the original, unmodified data and sent to the recipient.
The receiver, upon receiving the data pack, decrypts the signature using the attached public key to reveal the message digest. If the signature can be decrypted using the public key, then the recipient can be sure that the data came from the expected sender. The receiver then performs the same hashing function on the unmodified data to generate their own data-digest. If the resulting digest matches the one decrypted, then it confirms to the receiver that the data hasn’t been tampered with.
Note that digital signatures do not verify the identity of the sender; all it guarantees is that the data originated from a single source, hence its name.
Why would anyone need a digital certificate?
Remember, digital signatures only verify that data came from one source. It doesn’t confirm who that source is. Theoretically, any malicious actor can generate a key pretending to be the original sender and hijack a conversation.
To thwart these attempts, organizations can apply for a digital certificate that helps to prove their identity. These digital certificates can be obtained, at a cost, from certification authorities (CA). During the application process, the applicant would generate a private-public key pair and send the public key to the CA, along with identification documents. The CA, after checking the applicant’s identity, associates them to the submitted public key.
But it doesn’t stop there. What’s crucial is the CA’s signature. When issuing the certificate, The CA also signs it with its digital signature to vouch for the applicant’s identity. Essentially, it means the recipient only needs to trust the CA’s authority, not the sender.
When establishing a connection between, say, a server and the client, the client would request a copy of the server’s certificate. Upon receiving the certificate, the client first checks which CA signed the document and its signature. If the certificate is verified, then the client can begin decrypting the signature using the sender’s public key attached, or by downloading it directly from the CA.
As a side note, some CAs need to be vetted by CAs of a higher authority. This creates a chain of trust that’s very difficult for someone to forge.
Why do digital certificates expire?
Companies go out of business all the time, and people change roles just as frequently. Because digital certificate verifies the identity of a person or organization, they need to be renewed often to ensure that the entity holding the certificate is still who they say they are.
Keeping track of when certificates expire can be a hassle. Some web browsers today, including the Apple Safari and Google Chrome, now only accept certificates that are up to 398 days old, which is almost half the previous renewal time. This could cause even more management headaches. Moreover, when a company is holding thousands of certificates for different functions, renewing them can accumulate significant costs. CAs can also go defunct or be delisted as untrusted sources.
Aside from naturally expiring, the certificates can also be manually revoked. For example, if the private key has been leaked, then the subject can request the existing certificate to be distrusted. The compromised certificate would then be stored on a revocation list.
What happens when it expires?
Trust in digital certificates lies within the reputation of the certificate authority. Because it plays such an essential role in verifying the sender, CAs go through great lengths to check that the applicants are indeed who they say they are.
Given its essence, maintaining digital certificates should be on the priority list of any technology admin. Yet, as PKI-as-a-service firm Keyfactor has found in a recent report, over 73 per cent of companies admit that they’ve experienced more than four certificate-related outages in the past two years.
When a certificate expires, so does all of its authority and trust. When you visit a site, a digital certificate is one of the first things a browser checks. If it detects that the certificate is invalid or expired, it will warn the user via an unmissable message that their connection is not secure. Users must then agree that proceeding means being more exposed to man in the middle (MITM) attacks.
That’s a scary prospect for even IT Pros since they won’t know what exactly has happened on the backend. The warning sign scares away the vast majority of users.
Websites aren’t the only thing vulnerable to outages. Many file transfer, data storage, and media streaming services all perform a cert check before sending data. If a certificate is expired, it could completely shut down the app for all of its users.
You don’t have to comb through the web for prominent certificate mishaps, either. Earlier this month, popular music streaming service Spotify was down for more than an hour due to an expired certificate. While the Spotify outage only cost users an hour of music time, a California COVID-19 testing centre had a dire outage when an expired certificate prevented 250,000 to 300,000 COVID-19 lab results from being uploaded. Also, the Equifax breach in 2018 was left undetected for 76 days due to an expired certificate.