A Concierge Consulting Service

Protecting Your Digital Assets

Understanding Certificates

Digital certificates are essential tools in modern cybersecurity, acting as digital passports that verify identities and secure communications over networks. They play a crucial role in encrypting data, authenticating users, and ensuring the integrity of online transactions. By leveraging digital certificates, organizations can protect sensitive information from unauthorized access and cyber threats, fostering trust and confidence in digital interactions.

Digital Certificates fall into two major categories, Public Digital Certificates and Private Digital Certificates, and within each category there are several types. The types we discuss here are S/MIME (secure email), Code Signing, Authentication, and TLS (encryption). There are other types, but these are the major ones.

Protect Your Enterprise with Digital Certificates

Discover how digital certificates can transform your organization’s security infrastructure, ensuring safe, reliable communications and authentication. Machine identity, that is, knowing that the machine or device you connect to is the one it claims to be, is mandatory for a secure environment. All of this and more is enabled by Digital Certificate technology.

Secure Email Communications

S/MIME digital certificates let senders encrypt email so that only the intended recipients can read it, and sign email so that recipients can verify who sent it and that it was not altered in transit, maintaining both confidentiality and integrity.

Website Authentication

TLS certificates authenticate websites, giving users assurance that they are interacting with the legitimate site and not an impostor, which helps prevent phishing and man-in-the-middle attacks.

Data Encryption

Digital certificates carry the public key that protocols such as TLS use to establish an encrypted session, safeguarding data in transit from interception and unauthorized access.

Code Signing Certificates

Code signing certificates are often overlooked in the Digital Certificate ecosystem. They are an important part of ensuring that the code being executed is what the author published and not malware or a bot substituted in its place: the signature lets the recipient verify both the publisher's identity and that the code has not been altered since it was signed. We believe Code Signing Certificate usage will increase as the security and integrity of code receive greater attention.

Device Certificates

Device Certificates identify a specific machine, server, or device and play a vital role in establishing a secure connection between users and the systems they connect to (e.g., their bank). Users assume they are communicating with a legitimate site; the certificate provides the verifiable proof of identity of the entity on the other end.

IoT Certificates

Internet of Things (IoT) devices are becoming more prevalent and a part of our individual lives. IoT certificates are an important subset of Device Certificates, and we believe their usage will grow dramatically as IoT devices proliferate. Management of these critical certificates, which provide both encryption and authentication for the device, will be mandatory.

Public vs. Private Digital Certificates

What follows is a detailed technical comparison between Public and Private Digital Certificates.  Key takeaways from the information below are:

      • Public Digital Certificates are essential for public/internet facing websites, applications, and services that need trust with external users.
      • Public Digital Certificates are globally recognized and compliant with industry standards, but come with higher costs and strict validation processes.
      • Private Digital Certificates are ideal for internal authentication, encryption, code signing, and other unique applications.
      • Private Digital Certificates offer flexibility and cost savings.
      • Private Digital Certificates lack external trust and require careful internal management with strong governance policies.
      • You should come away from a review of these details with the understanding that there are strong use cases for both public and private digital certificates. Each has pros and cons, and there is typically a “right” choice for a given use case.

Let Easy-PKI help with your decision on which type of Digital Certificate to use. We have been working with Digital Certificates for over 25 years.

Comparison Between Public and Private Certificates

This table compares the major differences between Public and Private Digital Certificates. For each topic, the Public Certificate entry is listed first, then the Private Certificate entry.

Definition
  Public:  Issued by a public Certificate Authority (CA) that follows the CA/Browser Forum (CA/B Forum) Baseline Requirements; trusted by public browsers and operating systems.
  Private: Issued by an internal/private CA and typically used within a private network. Not trusted by public browsers unless the private root certificate is added to the browser or operating system trust store.

Validation Process
  Public:  Rigorous, periodically repeated validation steps (domain validation, organization validation, extended validation).
  Private: Relies on the issuing organization's own policies; validation is usually simpler and there is no external validation.

Browser Trust
  Public:  Automatically trusted by major browsers and operating systems.
  Private: Not trusted unless the private root certificate is manually added to the trust store of every browser, user machine, and server that must trust it.

Control of Ownership Validation
  Public:  Rigorously controlled by CA/B Forum requirements.
  Private: Controlled by the entity issuing the Private Certificate.

Scope of Trust
  Public:  Trusted by the general public and external users.
  Private: Trusted only within the issuing organization, typically only on its private network.

Common Uses
  Public:  Website encryption (TLS), secure email (S/MIME), code signing, user authentication, and device authentication.
  Private: Internal website encryption (TLS), device authentication, secure email (S/MIME), code signing, and VPN.

Scope of Use
  Public:  Primarily public (Internet) facing sites and services that require public trust.
  Private: Typically internal services, servers, and applications.

Encryption Strength
  Public:  Industry standard algorithms, currently RSA and ECC, with minimum key sizes set by the CA/B Forum. These algorithms will change as post-quantum cryptography (PQC) is adopted.
  Private: Should use the same industry standard algorithms, but algorithms and key sizes can vary because there is no external governance.

Security Risks
  Public:  Less prone to mis-issuance and compromise due to strict CA regulation and audits, although a compromise of a public CA affects everyone who trusts that CA.
  Private: Risk of internal CA compromise, which can impact the whole organization's network, since every system trusting that root will accept certificates issued by an attacker who holds the CA key.

Revocation
  Public:  Can be revoked by the CA and reflected globally through the CA's CRL and/or OCSP services.
  Private: Revocation only applies internally, and only takes effect if the organization publishes a CRL or OCSP responder and its clients check it.

Cost
  Public:  Paid annual fees, higher for Extended Validation (EV) certificates, or free if Let's Encrypt certificates are used.
  Private: Lower cost over the long term, but there are startup and infrastructure costs for the private CA, which are often offset by the absence of public CA fees.

Renewal
  Public:  Currently required every 397 days, being reduced in stages to every 47 days by 2029 under a CA/B Forum mandate.
  Private: Validity period (renewal interval) depends on internal policies; not controlled by the CA/B Forum.

Management
  Public:  Requires coordination between the external CA and the company using the certificates.
  Private: Managed internally by the organization's IT or Security department.

Installation
  Public:  Issued by the CA, then manually installed on public facing servers unless a DCLM tool is in use.
  Private: Generated internally and manually installed on devices and servers, with the private root added to local trust stores, unless a DCLM tool is in use.

Configuration Complexity
  Public:  Simpler, due to automatic trust of public CAs.
  Private: More complex, as every device needs the private CA's root certificate (and possibly intermediate certificate(s)) installed in its local trust store.

Compliance
  Public:  Satisfies the encryption and trust requirements of industry and regulatory standards (e.g., HIPAA, GDPR, PCI DSS, CCPA).
  Private: Depending on decisions made during the initial CA configuration, can be set up to satisfy the same standards.

Audit & Oversight
  Public:  Regularly audited by independent bodies, as required by the CA/B Forum for the CA to retain the ability to issue publicly trusted certificates.
  Private: Should be audited internally as dictated by the organization's governance.

In general, use each type of Digital Certificates as follows:

Public Certificates

  • Public websites and APIs
  • Email Encryption
  • Software distribution (code signing)

Private Certificates

  • Internal Servers and Services
  • VPNs
  • Intranet
  • Secure device communication in private networks

These are generalizations and there are always edge cases.

Understanding the Certificate Lifecycle

Step 1

The lifecycle of a digital certificate begins with its issuance, where a Certificate Authority (CA) verifies the identity of the requester and issues the certificate.  This can be a Public CA or a Private CA.

Step 2

Renewal is crucial to maintain security. As certificates approach expiration, they must be renewed to ensure continuous protection and protect the Enterprise from unexpected downtime due to an expired digital certificate.  Please pay careful attention to the following section regarding Certificate LifeCycle Management.

Step 3

Revocation is necessary when a certificate is compromised or no longer needed. The CA updates the certificate status to prevent misuse.

Digital Certificate LifeCycle Management

Digital Certificate LifeCycle Management (DCLM) is one of the most critical components of your certificate infrastructure. DCLM tools provide automated issuance and inventory, and perform the very important task of either reminding certificate owners to renew a certificate before it expires (an expired certificate causes an outage) or automating the replacement of the certificate.

For Public Certificates, issued by a public Certificate Authority (CA) such as DigiCert, GoDaddy, or Sectigo, the current maximum lifespan for a certificate is 397 days. The public CA governance body, the Certificate Authority/Browser Forum (CA/B Forum), sets the rules that public CAs must follow with regard to Digital Certificates, including their lifespan.

The CA/B Forum, backed by the major CAs and browser vendors, is moving to a much shorter lifespan for public Digital Certificates. The approved ballot reduces the maximum lifespan in stages: from 397 days today to 200 days in March 2026, 100 days in March 2027, and 47 days in March 2029. Without DCLM to automate the notification and/or replacement of Digital Certificates, an Enterprise will not be able to keep up with the renewal of critical public Digital Certificates. This makes the implementation and use of a DCLM tool a mandatory part of your infrastructure. Easy-PKI has experience with the major DCLM providers and can help you with this effort. Allow us to assist you through this task.

Two important notes. First, this shortened lifespan applies only to the “terminating” or “leaf” certificate, not to intermediate or root certificates. Second, Private Digital Certificates are not under the control of the CA/B Forum; their lifespan and all other certificate properties are controlled by the issuing CA, typically the Enterprise. This provides greater flexibility but requires more oversight.
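The following Go program is an added example written for this page (it is not Easy-PKI's code or any DCLM vendor's code) and makes concrete two points from the comparison table and the lifecycle discussion above. It stands up a hypothetical private CA hierarchy (a root plus an issuing intermediate), issues a TLS server certificate for an internal host name with the 47-day lifetime that public certificates will be limited to by 2029, and then shows what a client sees: the chain verifies only when the private root is in the client's trust store and the server presents its intermediate, exactly the "every device needs the root (and intermediates) installed" cost the table describes. The last function is the check a DCLM sweep runs over an inventory, classifying a certificate as OK, due for renewal, or expired against a renewal lead time. The organization name, host name, dates, lifetimes and the 14-day lead time are assumptions chosen for illustration; only Go's standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const day = 24 * time.Hour

// check panics on err; key generation and DER encoding cannot sensibly fail in this demo, so errors are not propagated.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key pair and a certificate from tmpl signed by parent; with parent == nil it is self-signed (a root CA).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// caTemplate returns a CA template carrying the basic constraints and key usages a signing CA needs.
func caTemplate(serial int64, name string, now time.Time, lifetime time.Duration) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.Add(lifetime),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildPrivatePKI stands up a hypothetical private root CA plus an issuing intermediate, then issues a TLS server certificate for host.
func BuildPrivatePKI(host string, now time.Time, leafLifetime time.Duration) (root, inter, leaf *x509.Certificate) {
	root, rootKey := issue(caTemplate(1, "Example Corp Private Root CA", now, 10*365*day), nil, nil)
	inter, interKey := issue(caTemplate(2, "Example Corp Issuing CA 1", now, 5*365*day), root, rootKey)
	leaf, _ = issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host}, // clients match the host name against the SAN list, not the CN
		NotBefore: now, NotAfter: now.Add(leafLifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return root, inter, leaf
}

// pool builds a CertPool; an empty list yields an empty (not nil) pool, modelling a client with no private root installed (nil would mean system roots).
func pool(certs []*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// VerifyChain checks leaf the way a browser does when connecting to host at time now: trustStore is what the
// client has installed, presented is what the server sends alongside its leaf. A nil error means "trusted".
func VerifyChain(leaf *x509.Certificate, presented, trustStore []*x509.Certificate, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName: host, Roots: pool(trustStore), Intermediates: pool(presented), CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// RenewalStatus is the check a DCLM sweep runs over every inventoried certificate; renewBefore is the replacement lead time.
func RenewalStatus(c *x509.Certificate, now time.Time, renewBefore time.Duration) string {
	switch {
	case now.After(c.NotAfter):
		return "EXPIRED"
	case now.Add(renewBefore).After(c.NotAfter):
		return "RENEW_NOW"
	default:
		return "OK"
	}
}

func main() {
	now := time.Date(2026, 6, 1, 0, 0, 0, 0, time.UTC) // constructed clock, for a reproducible run
	host := "intranet.example.internal"                // hypothetical internal host name
	root, inter, leaf := BuildPrivatePKI(host, now, 47*day) // 47 days: the 2029 public maximum
	fmt.Println("root not installed:", VerifyChain(leaf, []*x509.Certificate{inter}, nil, host, now))
	fmt.Println("root installed:    ", VerifyChain(leaf, []*x509.Certificate{inter}, []*x509.Certificate{root}, host, now))
	for _, t := range []time.Time{now, now.Add(35 * day), now.Add(50 * day)} {
		fmt.Println(t.Format("2006-01-02"), RenewalStatus(leaf, t, 14*day))
	}
}
```

The first verification fails with an "unknown authority" error because the client's trust store is empty, which is the position every browser and server is in before the private root is distributed; the second succeeds once the root is installed. Dropping the intermediate from what the server presents fails in the same way, which is why private deployments usually ship the full chain with the leaf. With a 47-day certificate and a 14-day lead time, the renewal check flips to RENEW_NOW 33 days after issuance, so a renewal cycle of roughly a month per certificate is what a DCLM tool has to sustain.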

Things To Ask Yourself

  • Are you making use of Private Digital Certificates where they can save you time and money?
  • Do you have a clear understanding of how the CA/B Forum influences your Public Certificate configuration and investment?
  • Do you utilize Digital Certificate LifeCycle Management in preparation for the approved CA/B Forum ballots on the upcoming certificate lifespan changes for public Digital Certificates?
  • Do you know how to get engaged and involved with the CA/B Forum to stay up to date on their plans?

Secure Your Organization with Expert Guidance

Unlock the full potential of digital certificates for your business. Our team at Easy-PKI is ready to guide you through the complexities of Digital Certificates, ensuring robust security and operational efficiency. Contact us today for a personalized consultation and discover how digital certificates can enhance your organization’s security and drive new revenue opportunities.