What is, and Why do I Need, a Certificate?

What is a certificate?

A certificate is a small data file that digitally binds a cryptographic key to an organization’s details. Using a certificate allows a person, computer or organization to exchange information securely over the Internet using a public key infrastructure (PKI). A certificate can also be referred to as a digital certificate or a public key certificate.

A certificate provides identification information, is forgery resistant and can be verified because it was issued by a trusted party. The certificate contains the name of the certificate holder, a serial number, expiry dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures) and the digital signature of the certificate-issuing authority (CA) so that a recipient can verify that the certificate is real. To provide evidence that a certificate is genuine and valid, it is digitally signed using a root certificate belonging to a trusted party. Operating systems and browsers maintain lists of trusted CA root certificates so they can easily verify certificates that the CAs have issued and signed. When PKI is deployed internally, certificates are signed by the department operating the internal PKI (usually the IT department).

Why do I need a certificate?

For security, modern web client applications communicate with the web server using the HTTPS protocol. HTTPS is the secure version of HTTP: the identity of the server is verifiable and all communication between client and server is encrypted. When a client requests an HTTPS connection, the server initially sends its certificate to the client. The certificate contains the public key needed to begin the secure session. Based on this initial exchange, the client and server initiate a handshake, which establishes a uniquely secure connection between client and server.

PcVue web client applications all require HTTPS and therefore the web server (IIS) requires a certificate. As each certificate is unique, it must be generated as part of the deployment of the web server.

What type of certificates are available?

  • Self-signed certificate - A self-signed certificate is one that has been signed by the same entity whose identity it certifies. As a self-signed certificate is not issued by an official Certification Authority (CA) or trusted internal party, it is not secure and must not be used on a web server deployed in production. A self-signed certificate also has the disadvantage that it will not be recognized by web browsers, and an exception will have to be created in the web browser's configuration. However, a self-signed certificate can be useful at the development and testing stages.
  • Certificate from a Certification Authority (CA) - A certificate requested from, and issued by, a Certification Authority. Anyone with system administrator rights can request a certificate using the IIS web server, and it is a process generally managed by a company's IT department. Certificate authorities can be private (internal) or commercial ventures, in which case the certificate is chargeable.
  • Certificate from Let's Encrypt - A free, automated, and open Certification Authority (CA), provided by the Internet Security Research Group (ISRG).
    • Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
    • Software running on a web server can communicate with Let’s Encrypt to obtain a certificate, configure it for use, and automatically renew it (Let’s Encrypt certificates are only valid for three months).

When the WDC detects that you have selected a certificate that cannot be validated (a self-signed certificate, for example), it automatically activates the Ignore certificate errors setting for WebVue and the WebScheduler. This is to make development and testing possible without a trusted certificate.

This setting is defined automatically by the WDC at the time of first deployment and when importing a deployment configuration.

It is important that you manually disable this setting from the Service configuration view if you replace an untrusted certificate with a trusted one on a web server.
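
To confirm that a replacement certificate really is trusted before disabling Ignore certificate errors, the following PowerShell function (an added example, not PcVue or WDC code) reports the certificate fields described above and whether Windows can build a chain to a trusted root. The function name Get-CertificateTrustReport and the subject CN=webvue-test.example are illustrative assumptions; creating the in-memory test certificate requires .NET Framework 4.7.2 or later, or PowerShell 7.

```powershell
# Added example (not PcVue/WDC code). Function name and test subject are illustrative.
function Get-CertificateTrustReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Offline check: skip CRL/OCSP lookups and test only the path to a trusted root.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted = $chain.Build($Certificate)
        $status  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '
        $chain.Reset()

        [pscustomobject]@{
            Subject      = $Certificate.Subject
            Issuer       = $Certificate.Issuer
            SerialNumber = $Certificate.SerialNumber
            NotAfter     = $Certificate.NotAfter
            DaysLeft     = [int]($Certificate.NotAfter - (Get-Date)).TotalDays
            # Subject equal to issuer is the usual marker of a self-signed certificate.
            SelfSigned   = ($Certificate.Subject -eq $Certificate.Issuer)
            ChainTrusted = $trusted
            ChainStatus  = $status
        }
    }
}

# Constructed sample: an in-memory self-signed certificate, never written to a store.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=webvue-test.example', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$now  = [DateTimeOffset]::Now
$cert = $req.CreateSelfSigned($now.AddDays(-1), $now.AddDays(30))
$cert | Get-CertificateTrustReport | Format-List

# On the web server itself, report on the certificates in the machine store:
# Get-ChildItem Cert:\LocalMachine\My | Get-CertificateTrustReport | Format-List
```

The result reflects the trust store of the machine where the function runs, so a certificate from an internal CA shows as trusted only where that CA's root certificate is installed; client machines need the same root to validate it.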