What is the difference between a digital signature and a digital certificate
Both digital signatures and digital certificates play a huge part in the SSL/TLS ecosystem, and understanding their similarities and differences can be instructional in understanding Public Key Encryption.
Digital Certificate vs Digital signature
Let’s start with a digital signature, then we’ll look at digital certificates and finally we’ll put them all together.
What is a digital signature?
A Digital Signature is, in reality, nothing more than a numeric string that can be affixed to emails, documents, certificates almost anything. We use digital signatures to help determine authenticity and to validate identity. It’s not the same as encryption, it actually works in conjunction with encryption. Digital Signatures fall more into the category of hashing.
Here’s how it works. When you digitally sign something you use cryptographic key to leave a digital signature – that string of numbers – on whatever it is you’re signing. The signature is then hashed along with the file and both the signed file and the hash value forwarded along. When the intended recipient receives the signed file, it’s going to perform the same hash function that signer performed. Hashing takes data of any length and then outputs a fixed-length hash value.
For instance, SHA-256, the hashing algorithm associated with most SSL certificates outputs hash values that 256 bits in length, this is usually represented by a 64 character hexadecimal string. If the hash values match, the signature is authentic and the file’s integrity intact.
What is a digital certificate?
A digital certificate is an X.509 certificate that asserts endpoint identity and facilitates encrypted connections—at least in the context of SSL. We use digital certificates for all range of things, everything from web servers to IoT devices. For the sake of this discussion, let’s stick to SSL/TLS and how they work in that context.
When a browser arrives at the website, it receives a copy of the SSL certificate that’s installed on that server (for the respective site) and performs a series of checks to ensure that the certificate is authentic. The certificate asserts the identity of the server (and possibly organization information depending on certificate type). It also facilitates secure connections between the sites and its users by helping to establish the parameters of the connection (what ciphers and algorithms will be used).
How do Digital Signatures and Digital Certificates differ?
Well, as we’ve just established a digital signature is a string of decimals that is affixed to a file to assist with identifying the signer and ensuring its integrity. A digital certificate is itself a file that is used to assert identity and to facilitate encrypted connections.
How do digital signatures and digital certificates work together in SSL?
Have you ever wondered how your browser knows whether to trust an SSL certificate? Here’s how it works. Every browser uses a root store, which is a collection of trusted roots that is pre-downloaded on your system. Each one of these roots has trusted status by virtue of being saved on your computer. When an SSL certificate is issued, what’s really happening is you’re sending an unsigned certificate to a trusted Certificate Authority, they then validate the information contained in the certificate and applies its digital signature using one of its roots’ private keys.
Or at least, that’s how it works in theory. In reality, trusted roots are much too valuable to issue directly from. Any issue that caused revocation of the root would end up invalidating every SSL certificate it had ever digitally signed. So instead, CAs spin up Intermediate roots. These Intermediate certificates are digitally signed with one of the roots’ private keys, and then the intermediate’s private key is used to digitally sign end user (or leaf) SSL certificates.
Sometimes CAs spin up Intermediate roots for sub-CAs or just use them to issue themselves. There can be multiple intermediates involved in the certificate chain, too.
In order for a browser to trust an end user SSL certificate, it has to follow the certificate chain. It does this by checking what certificate’s private key was used to digitally sign the certificate. Then it looks at the intermediate certificate to see what certificate’s private key was used to sign that. It continues following digital signatures up to the certificate chain until it links back to one of the roots in its trust store.
If the leaf certificate is descendant from one of the trusted roots, by extension the browser trusts it, too. If not, a browser warning is displayed instead.
The digital signature is crucial for authenticating the digital certificate itself.
Both Digital Certificate and Digital Signature is must for the encryption and security of our website and our sensitive/confidential information.