Difference Between Digital Certificate And Digital Signature

A digital certificate is a digital identity document for a person, much like a driver's licence. It can also be issued to a computer or a network device to identify it while communicating. A digital certificate is issued by a Certification Authority (CA) in the format defined by the X.509 standard, and it normally contains the following information:

  • Public key of the certificate owner
  • Name of the owner
  • Validity “from” and “to” dates
  • Name of the issuing authority
  • Serial number of the certificate
  • Digital signature of the issuing authority
  • Signature algorithm used by the issuing authority (e.g. RSA or ECDSA with SHA-256)
  • Custom information (X.509 extensions such as key usage or subject alternative names)

Both digital certificates and digital signatures rely on public-key cryptography, in which each party holds a mathematically related key pair: a public key that can be distributed freely and a private key that must be kept secret. A digital certificate contains information about the owner's identity, e.g. their name, email address, the date the certificate was issued and the name of the Certification Authority that issued it, together with the owner's public key. The private key corresponding to that public key is stored on the user's computer hard disk or on an external device such as a smart card. The user retains control of the private key, and it can only be used after supplying the password or PIN issued with it.

Because these processes depend on being able to trust a public key, a Public Key Infrastructure (PKI) is needed to manage the full lifecycle of digital certificates: issuance, publication, revocation, renewal and so on. Every digital certificate can usually be chained to a Root CA, which is the final trust point and issues a certificate to itself (a self-signed certificate). The Root CA issues certificates to one or more subordinate CAs, which in turn issue certificates to end-entities: human users, network devices, machines, databases or other software components. Trust therefore flows downward, and a certificate is only as trustworthy as the chain of CA signatures linking it to a Root CA the verifier already trusts. There are also different types of certificates: CA certificates (including Root CA certificates), SSL/TLS server and client certificates, object-signing certificates (for signing code, e.g. jar files), user/end-entity certificates for document or email signing, and certificates issued for encryption purposes.

Technically speaking, the difference between a digital signature and a digital certificate is this: a certificate is an electronic document that binds a public key to an individual, a computer or a network device by means of a CA's digital signature, whereas a digital signature is applied to data to guarantee its integrity and origin, so that any change to the data after it was signed, and any attempt to sign in someone's name without their private key, is detected on verification. A signature does not by itself make the data confidential; that requires encryption. Imagine the havoc that would be created if all the data travelling between governments, military installations or banks could be intercepted and altered with no one able to detect it.

For both security and performance reasons, a digital signature is created by first hashing the data to be signed with a secure hash function (SHA-2, e.g. SHA-256; SHA-1 should no longer be used for signatures because practical collisions for it have been demonstrated) and then signing this hash value with the private key that corresponds to the signing certificate. Hashing produces a small, fixed-size fingerprint of the data, such that it is computationally infeasible to find two different inputs that produce the same hash value. To verify the signature, the recipient uses the signer's public key to check the signature against the hash of the data actually received: the signature is valid only if the hash the recipient computes is the one that was signed. The following diagram illustrates this:

(Diagram: hash-then-sign on the sender's side, hash-then-verify with the sender's public key on the recipient's side.)

Digital certificates themselves are digitally signed by the issuing Certification Authority so that they cannot be modified by an attacker without detection. Verification therefore happens in two steps. First the sender's certificate is verified using the issuing CA's public key (and that CA's certificate in turn, up the chain to a trusted Root CA) to establish trust in the sender's public key. Then the sender's public key is used to verify the digital signature on the actual data message. If either step fails the message must be rejected: a signature that checks out under a certificate that cannot be chained to a trusted root, or that has been revoked, proves nothing about who signed.
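The whole flow described in this article, as an added example written for this page (it is not code from the original article): a Root CA issues a subordinate CA certificate, which issues an end-entity certificate carrying the fields listed above; the end-entity private key signs a message hash-then-sign style; and the verifier performs the two-step check, chaining the certificate to the root before trusting its public key. It also shows the two failures a practitioner wants to see: a tampered message is rejected, and the same signature is rejected when the verifier trusts a different root. The CA and subject names, the message text and the choice of ECDSA P-256 with SHA-256 are assumptions made for illustration; setup failures panic, which suits a demo but not production code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key pair and a certificate for cn signed by parent; with
// parent == nil the certificate is self-signed, i.e. a Root CA. Setup errors panic (demo only).
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{ // the fields listed in the text
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // name of the owner (assumed value)
		NotBefore:             time.Now().Add(-time.Hour),    // validity "from"
		NotAfter:              time.Now().Add(24 * time.Hour), // validity "to"
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only CAs may sign certificates
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the Root CA issues a certificate to itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der) // issuer name, CA signature and algorithm are now filled in
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Sign hashes the message with SHA-256 and signs the digest with the private key (hash-then-sign).
func Sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyMessage is the two-step check: (1) chain the signer's certificate to the trusted root
// through the intermediates, (2) verify the signature with the now-trusted public key.
func VerifyMessage(root *x509.Certificate, intermediates []*x509.Certificate, signer *x509.Certificate, msg, sig []byte) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("certificate chain: %w", err) // step 1 failed: the public key is not trusted
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected key type %T", signer.PublicKey)
	}
	digest := sha256.Sum256(msg) // recompute the fingerprint of what was actually received
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not match message") // step 2 failed: data or signer differs
	}
	return nil
}

// Demo builds Root CA -> Issuing CA -> end-entity, signs a constructed message and reports whether
// the genuine message, a tampered copy, and a check against an unrelated root verify.
func Demo() (genuineOK, tamperedOK, untrustedRootOK bool) {
	root, rootKey := issue("Example Root CA", 1, true, nil, nil)
	sub, subKey := issue("Example Issuing CA", 2, true, root, rootKey)
	leaf, leafKey := issue("alice@example.com", 3, false, sub, subKey)
	other, _ := issue("Unrelated Root CA", 99, true, nil, nil) // a root the verifier does not trust
	msg := []byte("PAY 100.00 EUR TO ACCOUNT 1234")            // constructed sample message
	sig, err := Sign(leafKey, msg)
	if err != nil {
		panic(err)
	}
	chain := []*x509.Certificate{sub}
	genuineOK = VerifyMessage(root, chain, leaf, msg, sig) == nil
	tampered := []byte("PAY 900.00 EUR TO ACCOUNT 1234") // one digit altered in transit
	tamperedOK = VerifyMessage(root, chain, leaf, tampered, sig) == nil
	untrustedRootOK = VerifyMessage(other, chain, leaf, msg, sig) == nil
	return
}

func main() {
	fmt.Println(Demo()) // genuine: true, tampered: false, untrusted root: false
}
```

Run it with `go run`; only the genuine message under the trusted root verifies. Note that Go's `Verify` checks the CA signatures, validity dates and basic constraints of the chain but performs no revocation check, so a real verifier must add a CRL or OCSP lookup for each certificate in the chain, as the PKI lifecycle described above requires.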