Why Certificates Need to Be Signed by CA?

This section describes why public keys need to be signed a CA (Certificate Authority). You communication partner can trust the CA, not you.

In the previous chapter, we learned how to put your own public key in a certificate and sign it by your own private key to make it as a self-signed certificate.

Of course, you can send your self-signed certificate to your communication partner and start to use it to encrypt the communication data. However, this only works if your communication partner knows you and trusts your digital signature.

In the case where you communication partner can not trust you directly, what you can do is to send your public key to a certificate authority (CA) and ask them to sign it for you. To do this, you need to put your public key into a certificate signing request (CSR), and mail it to a CA. The CA will verify the request and put your public key in a certificate and sign it with CA's private key.

When your partner receives your public key signed by a CA, he can validate the signature with the CA's public key. If the validation is ok, he can then trust your public key.

Here is a simple diagram that illustrates the certificate signing and validation process:

               Your public key 
You ---- Certificate signing request ---> CA
                                          | |
                                          | |Sign
                                          | |
        Your public key + CA signature    | v
You <----- Certificate signed by CA --------                         
|                                         |
|Send                                     |Send
|                                         |
v               CA's public key           v
Partner <-- Self-signed certificate ------
|Verify your certificate with CA's public key
|to trust your public key in the certificate

Last update: 2013.

Table of Contents

 About This Book

 Cryptography Terminology

 Cryptography Basic Concepts

 Introduction to AES (Advanced Encryption Standard)

 Introduction to DES Algorithm

 DES Algorithm - Illustrated with Java Programs

 DES Algorithm Java Implementation

 DES Algorithm - Java Implementation in JDK JCE

 DES Encryption Operation Modes

 DES in Stream Cipher Modes

 PHP Implementation of DES - mcrypt

 Blowfish - 8-Byte Block Cipher

 Secret Key Generation and Management

 Cipher - Secret Key Encryption and Decryption

 Introduction of RSA Algorithm

 RSA Implementation using java.math.BigInteger Class

 Introduction of DSA (Digital Signature Algorithm)

 Java Default Implementation of DSA

 Private key and Public Key Pair Generation

 PKCS#8/X.509 Private/Public Encoding Standards

 Cipher - Public Key Encryption and Decryption

 MD5 Mesasge Digest Algorithm

 SHA1 Mesasge Digest Algorithm

 OpenSSL Introduction and Installation

 OpenSSL Generating and Managing RSA Keys

 OpenSSL Managing Certificates

OpenSSL Generating and Signing CSR

Why Certificates Need to Be Signed by CA?

 Generating Certificate Signing Request (CSR)

 Viewing Components of Certificate Signing Request

 Signing a Certificate Signing Request

 OpenSSL Validating Certificate Path

 "keytool" and "keystore" from JDK

 "OpenSSL" Signing CSR Generated by "keytool"

 Migrating Keys from "keystore" to "OpenSSL" Key Files

 Certificate X.509 Standard and DER/PEM Formats

 Migrating Keys from "OpenSSL" Key Files to "keystore"

 Using Certificates in IE (Internet Explorer)

 Using Certificates in Firefox

 Using Certificates in Google Chrome

 Outdated Tutorials


 PDF Printing Version