ELI5: What are Certificates?
Think of a digital certificate like a school ID card. The school (a trusted authority) creates the card with your name and photo so everyone knows you are who you say you are. On the internet, certificates work the same way — a trusted organization creates a digital ID that proves a website or person is real. Without it, you would never know if you were talking to the real website or a fake one pretending to be it.
Overview
A digital certificate is an electronic document that uses a digital signature to bind a public key with an identity (person, server, organization). Certificates are issued by a trusted Certificate Authority (CA) and follow the X.509 standard. They enable HTTPS, email encryption (S/MIME), code signing, client authentication, and VPN connections.
Key Concepts
- X.509 certificate fields: subject, issuer, serial number, validity period, public key, signature algorithm, extensions
- Certificate types by validation:
- Domain Validation (DV) — verifies domain ownership only; quickest and cheapest
- Organization Validation (OV) — verifies domain + organization identity
- Extended Validation (EV) — highest assurance; rigorous identity verification
- Certificate types by usage:
- Wildcard (*.example.com) — covers every name exactly one label below the domain (api.example.com, but not example.com itself and not a.b.example.com); convenient, but one private key then protects every subdomain, so a compromise affects all of them
- SAN (Subject Alternative Name) — a single certificate listing multiple specific names; in practice every browser-trusted certificate carries a SAN extension, and a wildcard is itself just a SAN entry
- Self-signed — signed by the entity itself, not a trusted CA; used internally for testing
- Code signing — verifies software publisher identity and code integrity
- Email / S/MIME — encrypts and signs email messages
- Client certificate — authenticates users or devices to servers
- Certificate lifecycle: request (CSR), issuance, usage, renewal, revocation
- CSR (Certificate Signing Request) — generated by the applicant from their own key pair; contains the public key and identity information and is signed with the private key as proof of possession, while the private key itself is never sent
- Revocation: the CA declares a certificate invalid before its expiry and publishes that status through a CRL (a periodically issued signed list) or OCSP (per-certificate online lookup; with OCSP stapling the server delivers a fresh response itself); reasons include key compromise, CA compromise, or affiliation change
- Certificate formats: PEM (Base64 text between BEGIN/END lines; .pem, .crt, .cer), DER (the same ASN.1 structure as raw binary; .der, .cer), PKCS#12 (.pfx, .p12; password-protected bundle of certificate, chain and private key, so handle it like a key), PKCS#7 (.p7b; one or more certificates or a chain, no private key)
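The lifecycle above (key pair, CSR, issuance, inspection, format conversion), as an added example that is not code from this page: a shell script driving the openssl CLI against a throwaway private root CA. Everything in it is constructed for the demo (the Example Corp names, the example.com hosts, the changeit password, a temporary working directory) and OpenSSL 1.1 or newer is assumed. Read the inline checks as the facts an exam question asks about: the CSR carries no private key, the leaf's issuer is the CA, the same certificate verifies or fails depending on the trust anchors, PEM and DER are two encodings of one certificate, and PKCS#12 holds the private key while PKCS#7 does not.

```shell
#!/bin/sh
# Added example (not code from the page): the certificate lifecycle with the
# openssl CLI, OpenSSL 1.1 or newer assumed. Every name, key and CA below is
# constructed for the demo and lives in a temporary directory; no real CA is
# involved, so the result is trusted only where ca.pem is installed as an anchor.
set -u

SANS="DNS:mail.example.com,DNS:portal.example.com,DNS:api.example.com"

cert_lifecycle_demo() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    # Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > demo.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example Corp
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = $SANS
EOF

    # 0. A private root CA standing in for "the CA" (self-signed: issuer == subject).
    openssl ecparam -name prime256v1 -genkey -noout -out ca.key || exit 1
    openssl req -x509 -new -key ca.key -config demo.cnf -extensions v3_ca -days 365 \
      -subj "/O=Example Corp/CN=Example Internal Root CA" -out ca.pem || exit 1

    # 1. Request. The applicant's private key never leaves this directory; the CSR
    #    carries public key + identity + requested SANs and is signed with the
    #    private key as proof of possession.
    openssl ecparam -name prime256v1 -genkey -noout -out key.pem || exit 1
    openssl req -new -key key.pem -config demo.cnf -reqexts v3_leaf \
      -subj "/C=US/O=Example Corp/CN=portal.example.com" -out request.csr || exit 1
    openssl req -in request.csr -noout -verify 2>/dev/null || exit 1       # self-signature OK
    openssl req -in request.csr -noout -pubkey | grep -q "BEGIN PUBLIC KEY" || exit 1
    if grep -q "PRIVATE KEY" request.csr; then exit 1; fi                   # never in a CSR

    # 2. Issuance. The CA signs with ITS key; the leaf's extensions come from the
    #    CA's policy section (v3_leaf), not blindly from the request.
    openssl x509 -req -in request.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 30 -extfile demo.cnf -extensions v3_leaf -out cert.pem 2>/dev/null || exit 1

    # 3. Usage. Inspect the X.509 fields from the Key Concepts list.
    openssl x509 -in cert.pem -noout -subject -issuer -serial -dates || exit 1
    openssl x509 -in cert.pem -noout -issuer | grep -q "Example Internal Root CA" || exit 1
    openssl x509 -in cert.pem -noout -text | grep -q "DNS:api.example.com" || exit 1
    #    Trust is relative to the verifier's anchors: same certificate, two outcomes.
    openssl verify -CAfile ca.pem cert.pem >/dev/null || exit 1
    if openssl verify -no-CAfile -no-CApath cert.pem >/dev/null 2>&1; then exit 1; fi

    # 4. Formats. One certificate, several encodings; equal fingerprints prove it.
    openssl x509 -in cert.pem -outform DER -out cert.der || exit 1
    pem_fp=$(openssl x509 -in cert.pem -noout -fingerprint -sha256) || exit 1
    der_fp=$(openssl x509 -in cert.der -inform DER -noout -fingerprint -sha256) || exit 1
    [ "$pem_fp" = "$der_fp" ] || exit 1
    #    PKCS#12 bundles cert + chain + PRIVATE KEY (password protected; handle like a key).
    openssl pkcs12 -export -inkey key.pem -in cert.pem -certfile ca.pem \
      -passout pass:changeit -out bundle.p12 || exit 1
    n=$(openssl pkcs12 -in bundle.p12 -passin pass:changeit -nokeys 2>/dev/null | grep -c "BEGIN CERTIFICATE")
    [ "$n" -eq 2 ] || exit 1
    #    PKCS#7 carries certificates only (a chain to distribute, no private key).
    openssl crl2pkcs7 -nocrl -certfile cert.pem -certfile ca.pem -out chain.p7b || exit 1
    n=$(openssl pkcs7 -in chain.p7b -print_certs 2>/dev/null | grep -c "BEGIN CERTIFICATE")
    [ "$n" -eq 2 ] || exit 1
    echo "lifecycle demo OK"
  )
  rc=$?
  rm -rf "$d"
  return "$rc"
}

cert_lifecycle_demo || exit 1
```

Revocation is the one lifecycle step the script does not show: with a real CA you would submit a revocation request (for example via the CA's ACME or portal interface, or `openssl ca -revoke` on a CA you operate) and the status would then appear in the CA's CRL and OCSP responses; the certificate itself is unchanged, which is why clients must check revocation rather than the certificate.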
Exam Tips
Remember
A wildcard matches exactly one label, so *.domain.com covers api.domain.com but NOT the root domain.com and NOT deeper names such as a.b.domain.com. SAN certificates list specific names. DV = domain only, EV = highest trust. Self-signed certificates are NOT trusted by browsers by default. A CSR contains the public key and is signed with the private key, but the private key itself is never in it.
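What "a wildcard covers *.domain.com but not the root" means in practice, as an added example that is not from the page: a POSIX shell implementation of the name-matching rule a TLS client applies to a certificate's SAN entries, plus a check of a host against a whole SAN list. The host names are constructed for the demo, and the function names san_matches and cert_covers are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): how a client decides whether a
# certificate's names cover the host it is connecting to, using the
# wildcard rules browsers apply (RFC 6125 / CA-Browser Forum style).
# All names below are constructed for the demo.
set -u

# san_matches PATTERN HOST -> exit 0 if the SAN entry PATTERN covers HOST.
# Rules: case-insensitive; '*' may only be the whole left-most label;
# '*' matches exactly one label, so *.example.com covers api.example.com
# but neither example.com (the root) nor a.b.example.com (two levels).
san_matches() {
  pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$pattern" in
    '*.'*)
      suffix=${pattern#"*."}
      case "$suffix" in *.*) ;; *) return 1 ;; esac      # reject *.com style wildcards
      case "$host" in *".$suffix") ;; *) return 1 ;; esac  # host must sit under the suffix
      left=${host%".$suffix"}
      [ -n "$left" ] || return 1                           # root domain: not covered
      case "$left" in *.*) return 1 ;; esac                # more than one label: not covered
      return 0 ;;
    *'*'*) return 1 ;;                                     # wildcard anywhere else is invalid
    *) [ "$pattern" = "$host" ] ;;                         # plain entry: exact match only
  esac
}

# cert_covers HOST SAN... -> exit 0 if any SAN entry covers HOST.
cert_covers() {
  target=$1; shift
  for san in "$@"; do
    if san_matches "$san" "$target"; then return 0; fi
  done
  return 1
}

# Demo: hosts from the SAN question checked against an explicit SAN list and
# against a single wildcard entry (constructed names).
for h in mail.example.com API.example.com example.com a.b.example.com; do
  if cert_covers "$h" mail.example.com portal.example.com api.example.com; then s=yes; else s=no; fi
  if cert_covers "$h" '*.example.com'; then w=yes; else w=no; fi
  echo "$h: SAN-list=$s wildcard=$w"
done
# To cover the root as well, the certificate needs example.com as its own SAN entry.
if cert_covers example.com '*.example.com' example.com; then echo "root covered via explicit SAN"; fi
```

Two practical consequences: a wildcard is just another SAN entry (DNS:*.example.com), so "wildcard vs SAN" really means "one wildcard entry vs an explicit list"; and modern browsers match only against the SAN extension and ignore the Common Name, which is why a certificate with the right CN but no SAN fails hostname validation.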
Connections
- Issued and managed by pki infrastructure including CAs and RAs
- Contains the public key used for encryption and digital signature operations
- See also key-management for how the private keys associated with certificates are protected
Practice Questions
Q-Bank: Certificates (4 Questions)
Q1. A web administrator needs a single certificate to secure mail.example.com, portal.example.com, and api.example.com. Which certificate type is BEST suited for this requirement?
A. Wildcard certificate B. Extended Validation (EV) certificate C. Subject Alternative Name (SAN) certificate D. Self-signed certificate
Show Answer C. Subject Alternative Name (SAN) certificate
A SAN certificate lists the exact names it covers on one certificate, which is precisely this requirement. A wildcard certificate (A) for *.example.com would technically match these three hosts as well, but it also covers every other subdomain, so one key protects far more than intended; when the exact list of names is known, a SAN certificate is the more precise choice and the expected answer. An EV certificate (B) describes how thoroughly the organization was vetted, not how many names the certificate covers (an EV certificate can itself carry a SAN list). A self-signed certificate (D) would not be trusted by browsers and is only appropriate for internal testing.
Q2. A security analyst discovers that a web server’s private key has been compromised. What should the administrator do FIRST?
A. Reissue the certificate with a longer key length B. Revoke the certificate and request a new one C. Switch from DV to EV validation D. Convert the certificate from PEM to PKCS#12 format
Show Answer B. Revoke the certificate and request a new one
When a private key is compromised, the FIRST step is to have the CA revoke the certificate (the revocation is then published through the CA’s CRL and OCSP responder), generate a new key pair, and request a replacement from a fresh CSR. Reissuing with a longer key (A) does nothing about the copy the attacker already holds, and the old certificate stays valid until it is revoked. Switching validation levels (C) is unrelated to key compromise. Changing the certificate format (D) has no security impact on a compromised key.
Q3. A junior administrator generates a Certificate Signing Request (CSR) and sends it to a Certificate Authority. Which of the following is included in the CSR?
A. The CA’s private key B. The applicant’s private key C. The applicant’s public key D. The root certificate chain
Show Answer C. The applicant's public key
A CSR contains the applicant’s public key and identity information. The CA signs this to create the certificate. The CA’s private key (A) is used by the CA to sign, not included in the CSR. The applicant’s private key (B) must never leave the applicant’s control. The root certificate chain (D) is established by the CA infrastructure, not part of the CSR.
Q4. A company wants to use HTTPS for its public website and needs the browser address bar to display the organization’s verified legal name. Which certificate validation type provides this level of assurance?
A. Domain Validation (DV) B. Organization Validation (OV) C. Extended Validation (EV) D. Wildcard Validation
Show Answer C. Extended Validation (EV)
Extended Validation (EV) certificates require the most rigorous identity verification and historically displayed the organization’s legal name in the browser address bar. DV certificates (A) only verify domain ownership with no organization identity. OV certificates (B) verify organization identity but never received the same browser-level visual treatment. Wildcard Validation (D) is not a validation level; wildcard refers to a certificate type covering subdomains, not a trust level. Note for practice: the major browsers removed the prominent legal-name display from the address bar around 2019, so today the EV organization name is visible only in the certificate details; the exam answer is still EV, because it is the only validation level that vets and encodes the legal entity to that standard.
Scenario
See case-certificates for a practical DevOps scenario applying these concepts.