Ecommerce Implementation
Lesson 7: Types of certificates
Objective: Describe the types of certificates required.

Types of Certificates

Four types of certificates are currently in use:
  1. Certificate authority certificate
  2. Server certificate
  3. Personal certificate
  4. Software publisher certificate
Your organization can use any or all of these certificates, depending on the nature of its business.

Certificate authority certificate

The certificate authority certificate is used by organizations such as VeriSign to sign other certificates.

Server Certificate

The server certificate is used on Web servers to identify the Web server and the company running it, and to allow for encrypted SSL sessions between the server and browsers. Server certificates are also necessary for a server to participate in SETs. You will create, install, and test server certificates in the upcoming exercises.

Personal certificate

The personal certificate is issued to individuals to allow them to be authenticated and to engage in S/MIME, SSL, and SET:
  1. Secure MIME (S/MIME): A specification for secure electronic mail. S/MIME was designed to add security to email messages in MIME format. The security services offered are authentication (using digital signatures) and privacy (using encryption). S/MIME assumes that both the sender and receiver of secure email messages have public/private key pairs and uses the concept of a digital envelope.
  2. Secure Sockets Layer (SSL): An encryption method enabled by digital certificates.
  3. Secure Electronic Transaction (SET): A method of information exchange that allows businesses and clients an extra level of protection while conducting business.

Software publisher certificate

Application developers use these certificates to sign their released code so that customers can identify its author.

Software Publisher Certificates and code safety

Just because a software developer has signed a program does not necessarily mean that the code is safe. For applications, a valid signature establishes who is responsible for the code, not whether the code is safe. Several years ago, a private software developer created an ActiveX control called Internet Exploder, then got it signed by VeriSign. This control was malicious and erased hard drives. This incident did not violate VeriSign's claim for authentication, however, because the control did in fact belong to its creator: the certificate was completely accurate. Remember, authenticating identity is not the same thing as verifying whether code is malicious or not.
The certificate may also indicate the applications that it supports. A certificate issuer, called a certification authority (CA), can specify the supported applications or the expected cryptographic operations. For example, the certificate could specify virtual private network (VPN) key management. Alternatively, the certificate issuer might specify that the public key should be used only for validating digital signatures.
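The restrictions just described are carried in X.509 v3 extensions: Key Usage, Extended Key Usage and Basic Constraints. The following Python program is an added example, not part of this lesson; it uses only the standard library and a small hand-written DER reader to decode constructed encodings of those three extension values, then maps the result onto the four certificate types listed at the top of the lesson. The byte strings are constructed for the example, and the role mapping (for instance, a server certificate is one whose Extended Key Usage lists serverAuth) and all function names are this example's own assumptions rather than definitions from the lesson.

```python
"""Decode the X.509 v3 extensions that say what a certificate may be used for.

Constructed example: the SAMPLES below are the DER-encoded *values* of the
Key Usage, Extended Key Usage and Basic Constraints extensions, not whole
certificates. The mapping of usages onto the lesson's four certificate types is
this example's own reading of RFC 5280, not a rule stated in the lesson.
"""

OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
OID_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"

# KeyUsage bit positions as named in RFC 5280 (bit 0 is the first bit).
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]


def read_tlv(data, pos=0):
    """Read one DER tag-length-value triple; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]   # first byte packs the first two arcs
    acc = 0
    for b in value[1:]:                      # remaining arcs are base-128, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_key_usage(der):
    """KeyUsage is a BIT STRING; bit 0 is the most significant bit of the first byte."""
    tag, value, _ = read_tlv(der)
    assert tag == 0x03, "KeyUsage must be a BIT STRING"
    unused, payload = value[0], value[1:]
    bits, nbits = int.from_bytes(payload, "big"), 8 * len(payload) - unused
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i < nbits and (bits >> (8 * len(payload) - 1 - i)) & 1}


def decode_ext_key_usage(der):
    """ExtendedKeyUsage is a SEQUENCE OF OBJECT IDENTIFIER (the KeyPurposeIds)."""
    tag, seq, _ = read_tlv(der)
    assert tag == 0x30, "ExtendedKeyUsage must be a SEQUENCE"
    oids, pos = set(), 0
    while pos < len(seq):
        tag, value, pos = read_tlv(seq, pos)
        assert tag == 0x06, "KeyPurposeId must be an OBJECT IDENTIFIER"
        oids.add(decode_oid(value))
    return oids


def decode_basic_constraints(der):
    """BasicConstraints is SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }; return the cA flag."""
    tag, seq, _ = read_tlv(der)
    assert tag == 0x30, "BasicConstraints must be a SEQUENCE"
    if not seq:
        return False                         # empty SEQUENCE: cA takes its DEFAULT of FALSE
    tag, value, _ = read_tlv(seq)
    return tag == 0x01 and value == b"\xff"


def permitted_roles(ku=None, eku=None, bc=None):
    """Return which of the lesson's four certificate types these extensions permit."""
    usages = decode_key_usage(ku) if ku else set()
    purposes = decode_ext_key_usage(eku) if eku else set()
    is_ca = decode_basic_constraints(bc) if bc else False
    roles = set()
    if is_ca and "keyCertSign" in usages:
        roles.add("certificate authority")   # may sign other certificates
    if OID_SERVER_AUTH in purposes:
        roles.add("server")                  # identifies a web server to browsers
    if purposes & {OID_EMAIL_PROTECTION, OID_CLIENT_AUTH}:
        roles.add("personal")                # S/MIME mail, client authentication
    if OID_CODE_SIGNING in purposes:
        roles.add("software publisher")      # signs released code
    return roles


# Constructed DER extension values for one certificate of each type in the lesson.
SAMPLES = {
    "ca": dict(ku=bytes.fromhex("03020106"),               # keyCertSign, cRLSign
               bc=bytes.fromhex("30030101ff")),            # cA = TRUE
    "server": dict(ku=bytes.fromhex("030205a0"),           # digitalSignature, keyEncipherment
                   eku=bytes.fromhex("3014 0608 2b06010505070301 0608 2b06010505070302")),
    "personal": dict(ku=bytes.fromhex("030205e0"),         # digitalSignature, nonRepudiation, keyEncipherment
                     eku=bytes.fromhex("3014 0608 2b06010505070304 0608 2b06010505070302")),
    "publisher": dict(ku=bytes.fromhex("03020780"),        # digitalSignature only
                      eku=bytes.fromhex("300a 0608 2b06010505070303")),
}


def roles_for(sample_name):
    """Decode one constructed sample and return the roles its extensions permit."""
    return permitted_roles(**SAMPLES[sample_name])


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:10s} -> {sorted(roles_for(name))}")
```

Run as a script it prints one line per sample. The point a relying party should take from it is the negative case: the server sample decodes to `{"server"}` only, so a browser or a code-signing verifier that honours these extensions would refuse to accept that certificate as a CA or as a software publisher certificate even though its signature chain is perfectly valid.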

X.509v3 standard

In the next lesson, you will learn about public and private CAs.