Public-key certificates provide a method to identify and authenticate clients and servers on the Internet. Public-key certificates are administered and issued by a third party known as a certification authority (CA). A subject (individual, system, or other entity on the network) uses a program to generate a key pair and submits the public key to the CA along with identifying information (such as name, organization, e-mail address, and so on). This is known as a certificate request. The CA issues a digitally signed certificate. A digital signature is a block of data that is created using a private key.
The CA ties the certificate owner to the public key within the certificate. The subject then uses the certificate, along with his private key to establish his identity. Once this is done, whomever the subject is communicating with knows that a third party has vouched for his identity.
The process requires these steps:
A client submits a request for, and receives, a certificate from the CA.
An administrator installs the CA’s certificate on the server and marks it trusted. Any client certificate signed by the same CA will now be trusted and accepted by the server.
The client supplies its certificate and negotiates a secure connection with the server.
