Describe Digital Certificate creation steps in detail.
Certificate creation steps
The creation of a digital certificate consists of several steps. These
steps are outlined in the following fig.
Step 1 Key Generation
The action begins with the subject (i.e. the organization/user) who wants
to obtain a certificate. There are two different approaches for this
purpose:
(a) The subject can create a private key and public key pair using some
software. This software is usually a part of the web browser or web
server. Alternatively, special software programs can be used for
this. The subject must keep the private key thus generated a
secret. The subject then sends the public key along with other
information and evidences about herself to the RA.
(b) Alternatively, the RA can generate a key pair on the subject’s behalf. This can happen
in cases where either the user is not aware of the technicalities involved in the
generation of a key pair or if a particular requirement that all the keys must be
centrally generated and distributed by the RA for the ease of enforcing security
policies and key management. Of course, the major disadvantages of this approach are
the possibility of the RA knowing the private key of the user, as well as the scope for
this key to be exposed to others in transit after it is generated and sent to the
appropriate user.
Step 2 Registration
Assuming that the user has generated the key pair, the user now sends the public key and
the associated registration information (e.g. subject name, as it is desired to appear in the
digital certificate) and the evidence about herself to the RA. For this, the software
provides a wizard in which the user enters data and when all data is correct, submits it. The
data then travels over a network to the RA. The format of the certificate requests has
been standardized and is called as Certificate Signing Request (CSR).
The user must not send the private key to the RA – the user must retain it securely.
Step 3 Verification
After the registration process is complete, the RA has to verify the user’s credentials. This
verification is in two respects , as follows .
(a) Firstly, the RA needs to verify the user’s credentials such as the evidences provided are
correct and that they are acceptable. If the user were actually an organization, then
the RA would perhaps like to check the business records, historical documents and
credibility proofs. If it is an individual user, then simpler checks, such as verifying the
postal address, email id, phone number, passport or driving license details can be
sufficient.
(b) The second check is to ensure that the user who is requesting for the certificate does
indeed possess the private key corresponding to the public key which is sent as a part of
the certificate request to the RA. This is very important, because, there must be a record that the user possesses the private key corresponding to the given public key.
Otherwise, this can create legal problems. This check is called as checking the Proof Of
Possession (POP) of the private key. How can the RA perform this check? There are
many approaches to this, the chief ones being as follows :
i) The RA can demand that the user must digitally sign her Certificate Signing Request
(CSR) using private key. If the RA can verify the signature correctly using the
public key of the user, the RA can believe that user indeed possesses the private
key.
ii) Alternatively, at this stage, the RA can create a random number challenge, encrypt
it with the user’s public key and send the encrypted challenge to the user. If the
user can successfully decrypt the challenge using her private key, the RA can
assume that the user possesses the right private key.
iii) Thirdly, the RA can actually generate a dummy certificate for the user, encrypt it
using the user’s public key and send it to the user. The user can decrypt it only if
she can decrypt the encrypted certificate and obtain the plain text certificate.
Step 4 Certificate Creation
Assuming that all the steps so far have been successful, the RA passes on all the details of
the user to the CA. The CA does its own verification and creates a digital certificate for
the user. There are programs for creating certificates in the X.509 standard format. The
CA sends the certificate to the user and also retains a copy of the certificate for its own
record. The CA’s copy of the certificate is maintained in a certificate directory. This is a
central storage location maintained by the CA
