Digital certificates are the digital equivalent (i.e. electronic format) of physical or paper certificates. Examples of physical certificates are driver's licenses, passports or membership cards. Certificates serve as identity of an individual for a certain purpose, e.g. a driver's license identifies someone who can legally drive in a particular country. Likewise, a digital certificate can be presented electronically to prove your identity or your right to access information or services on the Internet.

The same reason you trust what is stated in a driver's license: endorsement by the relevant authority (Department of Transport) in the form of a difficult to forge signature or stamp of approval. Digital certificates are endorsed in a similar manner by a trusted authority empowered by law to issue them, appropriately known as the Certifying Authority or CA. The CA is responsible for vetting all applications for digital certificates, and once satisfied, "stamps" its difficult to forge digital signature on all the digital certificates it issues, attesting to their validity.

Three uses are outlined here. Your digital certificate could be used to allow you to access membership-based web sites automatically without entering a user name and password. It can allow others to verify your "signed" e-mail or other electronic documents, assuring your intended reader(s) that you are the genuine author of the documents, and that the content has not been corrupted or tampered with in any way. Finally, digital certificates enables others to send private messages to you: anyone else who gets his/her hands on a message meant for you will not be able to read it.

Digital certificates and the CA are just two elements of the Public Key Infrastructure (PKI), an overall Internet security system. Once the PKI is operational, everyone who has a digital certificate can be traced and held accountable for their actions. Consequently, uses for the Internet, which could not be fully realized before, will finally take off: electronic banking and commerce (funds transfer, buying and paying on-line), on-line transactions with government agencies (applying for and renewing ICs, licenses, paying fines and bills), and on-line transactions between businesses. The day when the only way to do some of these transactions is through the Internet may not be too far off. Everyone who wants to be part of it will need digital certificates.

Digital Certificates can be categorized into Server certificates and Personal certificates. The differences lie in the information they contain and who they identify.

Personal certificates serve to identify a person. It follows that the contents of this type of certificate include the full name and personal particulars of an individual. Among other uses of personal certificates some are: Secure e-mail correspondence, and Enhanced access control to sensitive or valuable information.

Server certificates identify a server (computer). Hence, instead of a name of a person, server certificates contain the host name e.g. "https://nicca.nic.in/ ". Server certificates are used to ensure that on-line transactions are secure.

The PKI is the overall system of identifying parties on the Internet using their certificates. It is headed by a Certifying Authority that is responsible for issuing and verifying the validity of the digital certificates.

Cryptography is the science of enabling secure communications between a sender and one or more recipients. This is achieved by the sender scrambling a message (with a computer program and a secret key) and leaving the recipient to unscramble the message (with the same computer program and a key, which may or may not be the same as the sender's key). There are two types of cryptography: Secret/Symmetric Key Cryptography and Public Key Cryptography

The emphasis of cryptography is on data confidentiality, data integrity, sender authentication, and non-repudiation of origin/data accountability.

Physical keys are used for locking and unlocking. In cryptography, the equivalent functions are encryption and decryption. A key in this case is an algorithmic pattern or rule(s) to render the message unreadable. Below is a simple example of how key is used in a symmetric cryptography.

Secret key (symmetric/conventional) cryptography is a system based on the sender and receiver of a message knowing and using the same secret key to encrypt and decrypt their messages. One weakness of this system is that the sender and receiver must trust some communications channel to transmit the secret key to prevent from disclosure.

Public key (asymmetric) cryptography is a system based on pairs of keys called public key and private key. The public key is published while the private key is kept secret with the owner. The need for a sender and a receiver to share a secret key and trust some communications channel is eliminated. This concept was introduced in 1976 by Whitfield Diffie and Martin Hellman.

Encryption is the transformation of information from readable form into some unreadable form.

Decryption is the reverse of encryption; it's the transformation of encrypted data back into some intelligible form.

Data confidentiality refers to a situation in which a message is inaccessible to others except the intended recipient(s). Encryption and decryption ensure confidentiality.

If a message received is the same as that which was sent - i.e. it is unaltered during transmission - data integrity is said to have been achieved. This can be verified using a message digest attached to the message, which acts as the digital fingerprint of the message.

It's a process to ensure that a message does not originate from someone other than its purported sender. Sender authentication is achieved through two related mechanisms: digital signature and digital certificate.

Data accountability refers to the availability of proof that message exchange actually took place. The sender would not be able to deny it. This is also accomplished through digital signatures.

Message digest, also known as the hash of a message, is a small piece of data that results from performing a particular mathematical calculation (hashing function) on the message during encryption. Two properties of message digests to note: (i) a small alteration in the original message would cause a big change in the message digest; (ii) derivation of the original message is not possible from the message digest. It acts as a "fingerprint" of the message and is used to ensure data integrity.

Just as a handwritten signature is affixed to a printed letter for verification that the letter originated from its purported sender, digital signature performs the same task for an electronic message. A digital signature is an encrypted version of a message digest, attached together with a message.

A secure digital signature system consists of two parts:
1. A method of signing a document such that forgery is detected, and
2. A method of verifying that a signature was actually generated by whomever it represents
Public key vs. secret key

A combination of both. The action of encrypting information with public-key cryptography is significantly slower than encrypting with a secret key. However the drawback of the secret-key system is that, secret keys must be transmitted either manually or through a communication channel, and there may be a chance that others can discover the secret keys during transmission. This is not a problem with public-key cryptography, as private keys never need to be transmitted or revealed to anyone. Each user has sole responsibility for protecting his or her private key.

So, in practice public-key cryptography is used with secret-key cryptography to get the best of both worlds. A system that uses public-key cryptography first generates a secret key and uses the secret key to encrypt the message. Public-key cryptography key is then used to encrypt the secret key, which then is attached to the secret key-encrypted message.