Electronic signing in practice
Brief overview of electronic certificates

An electronic certificate is a term we encounter every day in the world of digital trust. It is one of the basic building blocks of PKI (Public Key Infrastructure), the infrastructure on which digital trust is built.

An electronic certificate reliably binds the identity of a person or organization to a specific public cryptographic key; the binding is confirmed by a certification authority (CA).

Without electronic certificates it would not be possible to create legally relevant electronic signatures, to secure communication with TLS, or to unambiguously assign a cryptographic key to a specific person or organization.

To fully understand electronic certificates, however, it is necessary to look at their content and at their technical and legal framework. Today, in addition to the basic concepts, we will also go through the individual fields of a certificate.

Certificate contents

Each certificate has a defined structure. Certificates are issued by certification authorities, whose task is to verify, before issuance, that specific conditions are met. These conditions vary with the purpose of the certificate.

For example, a certificate used to authenticate an individual requires that the person's identity be verified. A certificate intended for SSL/TLS, on the other hand, requires proof that the applicant actually controls the domain name for which the certificate is issued.

The structure, content, and requirements of certificates are specified by the technical standard RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

Basic certificate fields

  • Serial number – a positive integer that is unique among all certificates issued by the given certification authority; together with the issuer name it identifies the certificate, for example in a CRL.
  • Subject – the name of the certificate holder, recorded as a distinguished name (DN), which consists mainly of the following attributes:
    • CN (common name): e.g. John Smith,
    • O (organization): e.g. SEFIRA spol. s r.o.,
    • C (country): e.g. CZ,
    • and other attributes depending on the type of certificate.
  • Issuer – the distinguished name of the certification authority that issued the certificate.
  • Validity – the notBefore and notAfter dates, i.e. the period during which the certification authority guarantees that it will maintain information about the status of the certificate (e.g., revocation information in the form of a CRL).
  • Public key – the holder's public key together with the identifier of the algorithm it is to be used with (e.g., RSA or ECDSA) and any algorithm parameters.
  • Certification authority electronic signature – the CA's electronic signature over all the fields above, confirming that the information is correct. It is created with a private key that the CA owns and uses for the purpose of signing certificates; a verifier checks it against the public key in the CA's own certificate.

Selected extensions

  • Key usage – states the purposes for which the key may be used. It matters most when verifying electronic signatures, where one of the steps is to check that the certificate is suitable for the purpose: a signature certificate must have the contentCommitment bit (called nonRepudiation in older specifications) set in its key usage.
  • CRL distribution points – here you will most often find the URLs from which the CRL (Certificate Revocation List) can be downloaded to check whether the certificate has been revoked. Other access methods may also be listed.
  • Authority Information Access (AIA) – usually contains the address from which the issuing CA's certificate can be downloaded (caIssuers) and the address of the OCSP responder, which is an alternative way to obtain revocation information for a single certificate.
  • Certificate policies – the identifiers of the certification policies under which the certificate was issued.
  • QC Statements – in a qualified certificate, the statements that declare whether it complies with eIDAS, whether it is a certificate for electronic signatures or for electronic seals, and whether the private key is generated and stored on a qualified device for creating signatures or seals.

Qualified certificate for electronic signature

In the Czech Republic there are currently three types of electronic signature based on PKI, i.e. on certificates.

  1. A guaranteed (advanced) electronic signature is created with a private key that has a certificate, but the certificate does not have to be issued by a qualified certification authority. It can therefore be created using an internal certification authority, for example at work. In practice it is used, for example, by services such as Bank iD Sign and is suitable for everyday business or contractual matters.
  2. A recognized electronic signature is created using a qualified certificate issued by a qualified trust service provider. Compared to a guaranteed signature it offers greater legal certainty. It is sufficient for communication with public authorities within the Czech Republic, but it is not usually accepted elsewhere in the EU.
  3. A qualified electronic signature is the "highest quality" type of electronic signature that can currently be created. It must be guaranteed that the private key was generated on a qualified signature creation device (in the terminology of the eIDAS Regulation a Qualified Signature Creation Device, QSCD), which is recorded in the certificate in the QC Statements.

Qualified certificates are therefore the highest form of certificate used for electronic signing. They are issued by qualified certification authorities, which verify the applicant's identity and vouch for the accuracy and validity of the information in the certificate. The specific procedures for issuing certificates are described in detail in the certification policies published by the individual authorities.

Electronic signatures created with qualified certificates in accordance with applicable legislation must be accepted and treated as valid by Czech public authorities in the course of their work.
