Digital Certificates 101

Doing any business online – whether it’s selling merchandise through a website or simply using email for company communication – carries some level of digital risk. While we all know (some of us vaguely, perhaps) that we should make sure a shopping site is secure, or that an email was not sent or modified by someone other than its apparent sender, we don’t all necessarily know how to do that.
We asked John Adams, Chief Technology Officer of ChosenSecurity to give us the basics about digital certificates.
What is a digital certificate?
A digital certificate, sometimes called a digital ID, is an identity credential used on the Internet to identify people and machines. Not unlike a driver’s license, it is issued by a reputable third-party source, called a certificate authority. Because it contains cryptographic information, it can also be used to sign and encrypt digital content. All browsers and the vast majority of networks and applications support digital certificates today without requiring modifications.

How do I get one?
The easiest way is to access a public certificate authority using your Web browser and purchase one with a credit card. You will be asked to fax over identification documents, so your identity can be verified before a certificate is issued. Certificates come in different flavors, the most popular being client certificates and server certificates; the one you use depends on what it is you want to identify.

How do I use a certificate?

Once the certificate is loaded, which is an automated process, you use the functionality built into the application(s). For example, within Microsoft Outlook, there is a button to sign emails and another one to encrypt. Web server certificates are primarily used to secure sensitive transactions, such as credit card transactions, over the Web. A padlock icon is usually used to show the presence of a secure Web session.

Is it for every business?

Most businesses use certificates, even though their clients may not realize it. If you use the Web to transact business or communicate sensitive information with clients, then you need certificates.

How expensive is it?

Personal certificates for personal use are generally priced below $20. Personal certificates for commercial use are generally priced between $5 and $90, depending on volume; the price of certificates for Web servers ranges from under $100 to over $1,000, depending on the features supported in the certificate. In general, more expensive certificates require a more rigorous identification process.

How do I use it day to day in my organization?

Personal certificates are stored on a personal computer or on a USB token or smart card. The certificate is then used to sign and encrypt email messages, sign documents or authenticate the owner whenever he or she wishes to access sensitive information from a remote location.

Should every communication (via email) be digitally signed?

Digitally signing an email or a document accomplishes two things: integrity and authenticity. It establishes integrity, because if the document or email is altered, the signature will not verify. It establishes authenticity, because only the certificate holder could have signed the document. Not all emails require integrity and authenticity, but many do. Whenever this is a requirement, emails should be digitally signed. There have been cases where email has been rejected as evidence of a transaction, because its authenticity and integrity could not be proven.

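The two properties described above, and the role of the certificate authority from the first answer, can be seen in working code. The following Go program is an added example written for this article; it is not code from ChosenSecurity or from any product mentioned here. It constructs a hypothetical root authority ("Example Root CA"), has it issue a certificate to a hypothetical holder ("alice@example.com"), signs a constructed message with the holder's private key, and then checks the signature: the untouched message verifies, an altered copy fails (integrity), and a certificate not issued by a trusted authority is rejected before its signature is even examined (authenticity). All names, messages and validity periods are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Identity bundles a certificate with the private key only its holder possesses.
// The certificate is the public credential; the key is what makes signing possible.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// template builds a minimal X.509 template. CA templates may sign other
// certificates; end-entity templates are restricted to e-mail protection.
func template(commonName string, isCA bool) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: commonName}, // the identity being asserted
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour), // short, constructed validity
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	}
	return t, nil
}

// issue generates a key pair and has issuer sign a certificate for it.
// A nil issuer produces a self-signed certificate, which is how a root CA starts.
func issue(commonName string, isCA bool, issuer *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl, err := template(commonName, isCA)
	if err != nil {
		return nil, err
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Cert: cert, Key: key}, nil
}

// NewCA creates a self-signed certificate authority (hypothetical, for the example).
func NewCA(name string) (*Identity, error) { return issue(name, true, nil) }

// Issue is the CA vouching for a subject after whatever identity checks it performs.
func (ca *Identity) Issue(subject string) (*Identity, error) { return issue(subject, false, ca) }

// Sign produces a detached signature over msg: hash first, then sign the digest.
func (id *Identity) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, id.Key, digest[:])
}

// Verify answers the two questions a signed message raises: is the signer's
// certificate trusted (authenticity), and does the signature match the bytes
// actually received (integrity). Either failure is reported as an error.
func Verify(cert *x509.Certificate, roots *x509.CertPool, msg, sig []byte) error {
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}); err != nil {
		return fmt.Errorf("untrusted certificate: %w", err)
	}
	// CheckSignature hashes msg with SHA-256 and checks sig against the certificate's public key.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig); err != nil {
		return errors.New("signature does not verify: message or signature was altered")
	}
	return nil
}

func main() {
	ca, _ := NewCA("Example Root CA")         // constructed, hypothetical authority
	alice, _ := ca.Issue("alice@example.com") // constructed, hypothetical holder
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert) // the verifier's trust store: only this CA is trusted

	msg := []byte("Please ship 100 units to the usual address.") // constructed message
	sig, _ := alice.Sign(msg)
	fmt.Println("original:", Verify(alice.Cert, roots, msg, sig))
	fmt.Println("altered: ", Verify(alice.Cert, roots, []byte("Please ship 1000 units to the usual address."), sig))
}
```

The order of the two checks in Verify matters: a valid-looking signature from a certificate nobody trusts proves nothing about who signed, so the chain is checked before the signature. Real mail clients do the same when they show a signed message as trusted or untrusted.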
John Adams is chief technology officer for ChosenSecurity, a leading provider of on-demand digital certificates.

Laura Leites, Assistant Editor,