1.3.3. How Certificates Are Used
Certificates have a purpose: to establish trust. Their usage varies depending on the kind of trust they
are used to ensure. Some kinds of certificates are used to verify the identity of the presenter; others
are used to verify that an object or item has not been tampered with.
1.3.3.1. Uses for Certificates
• Section 1.3.3.1.1, "SSL"
• Section 1.3.3.1.2, "Signed and Encrypted Email"
• Section 1.3.3.1.3, "Single Sign-on"
• Section 1.3.3.1.4, "Object Signing"
1.3.3.1.1. SSL
The Secure Sockets Layer (SSL) protocol governs server authentication, client authentication, and
encrypted communication between servers and clients. SSL is widely used on the Internet, especially
for interactions that involve exchanging confidential information such as credit card numbers.
SSL requires an SSL server certificate. As part of the initial SSL handshake, the server presents
its certificate to the client to authenticate the server's identity. The authentication uses public-key
encryption and digital signatures to confirm that the server is the server it claims to be. Once the
server has been authenticated, the client and server use symmetric-key encryption, which is very fast,
to encrypt all the information exchanged for the remainder of the session and to detect any tampering.
Servers may be configured to require client authentication as well as server authentication. In this
case, after server authentication is successfully completed, the client must also present its certificate
to the server to authenticate the client's identity before the encrypted SSL session can be established.
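The two-stage exchange just described (the client authenticates the server from its certificate, the server then demands and checks the client's certificate, and only then does the encrypted session proceed) can be watched end to end in code. The following Go program is an added example and is not part of this guide or of Certificate System. It builds a throw-away CA, an SSL server certificate and a client certificate in memory (the names Demo CA, server.example.test and client-1 are made up), then runs one handshake over loopback in which the client presents its certificate and one in which it does not, so that the server's acceptance of the first and refusal of the second can be seen side by side.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on error: in this demo every error means local key generation or
// loopback networking is broken, which is not something to recover from.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a P-256 key and a certificate for cn signed by parent; with a
// nil parent it creates the demo's self-signed CA. All names are made up.
func issue(cn string, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true,
	}
	switch {
	case parent == nil: // self-signed: this is the CA that anchors trust for both sides
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	case eku == x509.ExtKeyUsageServerAuth:
		tmpl.DNSNames = []string{cn} // the client matches ServerName against this SAN
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// configs builds both ends of a mutually authenticated session rooted at one
// demo CA; withClientCert=false models a client that has no certificate.
func configs(withClientCert bool) (*tls.Config, *tls.Config) {
	ca, caKey := issue("Demo CA", x509.ExtKeyUsageAny, nil, nil)
	srv, srvKey := issue("server.example.test", x509.ExtKeyUsageServerAuth, ca, caKey)
	cli, cliKey := issue("client-1", x509.ExtKeyUsageClientAuth, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	server := &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // demand a client certificate ...
		ClientCAs:    pool,                           // ... and verify that it chains to the CA
	}
	client := &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: pool, ServerName: "server.example.test"}
	if withClientCert {
		client.Certificates = []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}
	}
	return server, client
}

// handshake runs one session over loopback TCP. The client authenticates the
// server first; the server then checks the client's certificate and, only if
// that succeeds, sends a greeting naming the authenticated client.
func handshake(serverCfg, clientCfg *tls.Config) (string, error) {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	go func() {
		conn := must(ln.Accept())
		defer conn.Close()
		s := tls.Server(conn, serverCfg)
		if s.Handshake() == nil {
			fmt.Fprintf(s, "hello %s", s.ConnectionState().PeerCertificates[0].Subject.CommonName)
		}
	}()
	c := tls.Client(must(net.Dial("tcp", ln.Addr().String())), clientCfg)
	defer c.Close()
	buf := make([]byte, 64)
	n, err := c.Read(buf) // Read handshakes first; a refused client gets an error here, not a greeting
	return string(buf[:n]), err
}

func main() {
	fmt.Println(handshake(configs(true)))  // hello client-1 <nil>
	fmt.Println(handshake(configs(false))) // empty greeting plus the error the refused client sees
}
```

Run it with go run: the first line prints the greeting addressed to the authenticated client, the second prints the error the certificate-less client receives when the server refuses the session. In a deployment the CA role is played by Certificate System, and the two leaf certificates are the SSL server certificate and the client certificate the text refers to.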
For an overview of client authentication over SSL and how it differs from password-based
authentication, see Section 1.3.2, "Authentication Confirms an Identity".
1.3.3.1.2. Signed and Encrypted Email
Some email programs support digitally signed and encrypted email using a widely accepted protocol
known as Secure/Multipurpose Internet Mail Extensions (S/MIME). Using S/MIME to sign or encrypt
email messages requires the sender of the message to have an S/MIME certificate.
An email message that includes a digital signature provides some assurance that it was sent by the
person whose name appears in the message header, thus authenticating the sender. If the digital
signature cannot be validated by the email software, the user is alerted.
The digital signature is unique to the message it accompanies. If the message received differs in
any way from the message that was sent, even by adding or deleting a single character, the digital
signature cannot be validated. Therefore, signed email also provides assurance that the email has
not been tampered with. This kind of assurance is known as nonrepudiation, which makes it difficult
for the sender to deny having sent the message. This is important for business communication. For
information about the way digital signatures work, see Section 1.2, "Digital Signatures".
S/MIME also makes it possible to encrypt email messages, which is important for some business
users. However, using encryption for email requires careful planning. If the recipient of encrypted email
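The signed-email paragraphs above make two claims that are easy to check in code: a signature lets the recipient confirm that the message came from the person named in the header, and a change of even one character makes the signature fail to validate. The following Go program is an added example, not part of this guide; it stands in for the signing and checking that an S/MIME-capable mail client performs, using a hypothetical Message type, made-up addresses (alice@example.test, bob@example.test) and freshly generated ECDSA keys in place of the keys certified by real S/MIME certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Message is the part of a mail that gets signed: the header fields a recipient
// relies on plus the body. (Hypothetical type for this demo; real S/MIME signs a
// MIME entity wrapped in a CMS SignedData structure.)
type Message struct {
	From, To, Subject, Body string
}

// digest hashes the fields with length prefixes, so moving text from one field
// to another changes the digest just as editing a character does.
func digest(m Message) []byte {
	h := sha256.New()
	for _, f := range []string{m.From, m.To, m.Subject, m.Body} {
		fmt.Fprintf(h, "%d:%s", len(f), f)
	}
	return h.Sum(nil)
}

// Sign produces a detached ECDSA signature with the sender's private key, the
// key that an S/MIME certificate certifies.
func Sign(priv *ecdsa.PrivateKey, m Message) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(m))
}

// Verify checks sig against the public key the recipient holds for the claimed
// sender (in S/MIME, the key inside the sender's certificate).
func Verify(senderPub *ecdsa.PublicKey, m Message, sig []byte) bool {
	return ecdsa.VerifyASN1(senderPub, digest(m), sig)
}

// demo signs one message and reports whether the original, a copy with a
// single changed character, and the original checked against another
// correspondent's key verify. Addresses and text are made up.
func demo() (original, tampered, wrongSender bool, err error) {
	alice, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	bob, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	m := Message{From: "alice@example.test", To: "bob@example.test",
		Subject: "Invoice 42", Body: "Please pay 1000 EUR by Friday."}
	sig, err := Sign(alice, m)
	if err != nil {
		return
	}
	original = Verify(&alice.PublicKey, m, sig)
	edited := m
	edited.Body = "Please pay 9000 EUR by Friday." // one character differs from the signed text
	tampered = Verify(&alice.PublicKey, edited, sig)
	// The same signature checked against bob's key fails: the signature is tied
	// to alice's key, and therefore to alice's certificate and the name in it.
	wrongSender = Verify(&bob.PublicKey, m, sig)
	return
}

func main() {
	fmt.Println(demo()) // true false false <nil>
}
```

The mail client's real work adds a certificate lookup and chain validation in front of Verify, which is where the alert described above comes from: a signature that does not validate against the key in the sender's certificate, for whatever reason, is reported to the user rather than silently accepted.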