A digital certificate is an electronic credential required by public key infrastructure (PKI) systems; it securely identifies an individual and creates an association between that individual's authenticated identity and a public key. A certificate authority (CA) is a trusted party that signs and issues certificates. The CA is responsible for verifying the identity of a key owner and for binding that owner to a public key. Because users online do not meet in person, a CA is relied on so that encrypted communications can be exchanged securely. Each certificate issued by the CA has its own unique serial number, the user's public key information, an identity, and the validity dates that define the lifetime of the certificate.
The CA does not necessarily need to be a third party; it can be internal to an organization. A CA server can be set up to act as the manager of certificates and of users' public keys. Examples of third-party CAs are VeriSign and Entrust, whose services are built into popular web browsers so that certificate operations are performed automatically.
How it works: a user sends a certificate signing request (CSR) to a CA to apply for a certificate. To establish identity, the CA and registration authority (RA) ask for identification, which can be a social security number, driver's license, address, credit card number, and so on. Once identification is established, the CA creates public and private keys for the user. A certificate is then created with the identification and public key information embedded. Lastly, the user finishes registering and receives the certificate, which can be used to send encrypted messages.
This is useful because the receiver sees the certificate and uses it to verify the sender, ensuring he or she knows who is sending the message. It is also safe because if the certificate's original subscriber information changes, is compromised, or becomes invalid, the certificate is revoked. Usually registration authorities (RAs) act as a middleman to help the CA by confirming the identities of users, issuing key pairs, and initiating the certificate process with the CA on behalf of the user.
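The CSR-to-certificate flow and the receiver's verification step described above, as an added example in Go's standard library (this is not code from the original page and not any CA vendor's code). It assumes a hypothetical internal CA named "Example Internal CA", a constructed applicant identity "alice@example.test", and a constructed serial number 4242. One design choice is made explicit: the applicant generates its key pair locally and the CSR carries only the identity and the public key, which is what a CSR presupposes; the CA's own check before issuing is that the CSR is well formed and actually signed by the holder of the enclosed key. Identity vetting (the RA step) happens outside the code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCA creates the trusted party: a key pair and a self-signed root
// certificate that signs and issues user certificates. (Hypothetical CA name.)
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCSR is the applicant's side: generate a key pair locally and build a
// signing request carrying the identity and public key. The private key stays here.
func NewCSR(commonName string) (csrDER []byte, key *ecdsa.PrivateKey, err error) {
	key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	csrDER, err = x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return csrDER, key, err
}

// Issue is the CA's side: reject malformed CSRs and CSRs not signed by the
// enclosed key (proof of possession), then bind identity to key in a certificate
// with a unique serial number and validity dates. Serial uniqueness is the caller's duty.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, serial int64) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, fmt.Errorf("malformed CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR not signed by the enclosed key: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify is the receiver's side: trust only the CA root and check that the
// presented certificate chains to it and is inside its validity dates.
func Verify(root, leaf *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil { panic(err) }
	csrDER, _, err := NewCSR("alice@example.test") // constructed applicant identity
	if err != nil { panic(err) }
	cert, err := Issue(ca, caKey, csrDER, 4242) // constructed serial number
	if err != nil { panic(err) }
	fmt.Printf("serial=%s subject=%q issuer=%q valid %s..%s\n", cert.SerialNumber,
		cert.Subject.CommonName, cert.Issuer.CommonName,
		cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	fmt.Println("verify against issuing CA:", Verify(ca, cert)) // prints <nil>
}
```

A certificate signed by a different CA (even one with the same subject name) fails Verify, because chain building checks the signature against the trusted root's key, not just the issuer name; that is the property the receiver relies on when it "verifies the sender".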