Digital certificates
Digital certificates protect against impersonation, certifying that a public key belongs to a specified entity. They are issued by a Certificate Authority.
Digital certificates provide protection against impersonation, because a digital certificate binds a public key to its owner, whether that owner is an individual, a queue manager, or some other entity. Digital certificates are also known as public key certificates, because they give you assurances about the ownership of a public key when we use an asymmetric key scheme. A digital certificate contains the public key for an entity and is a statement that the public key belongs to that entity:
- When the certificate is for an individual entity, the certificate is called a personal certificate or user certificate.
- When the certificate is for a Certificate Authority, the certificate is called a CA certificate or signer certificate.
If public keys are sent directly by their owner to another entity, there is a risk that the message could be intercepted and the public key substituted by another. This is known as a man in the middle attack. The solution to this problem is to exchange public keys through a trusted third party, giving you a strong assurance that the public key really belongs to the entity with which we are communicating. Instead of sending your public key directly, you ask the trusted third party to incorporate it into a digital certificate. The trusted third party that issues digital certificates is called a Certificate Authority (CA), as described in Certificate Authorities.
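As an added illustration (not part of the IBM MQ documentation), the following Go program uses only the standard-library crypto/x509 package to build a self-signed CA (signer) certificate and a personal certificate for a queue manager issued by that CA, and then performs the check a relying party makes: the CA-issued certificate verifies against the trusted CA, a certificate carrying the same Distinguished Name but a substituted key that the CA never signed does not, and the CA-issued certificate stops verifying once its validity period has ended. The names "Example CA" and "QM1" and the 24-hour validity period are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue signs tmpl for pub with signer's key; parent == tmpl yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert
}

// BuildChain returns a self-signed CA (signer) certificate, a personal certificate for the queue
// manager DN CN=QM1 issued by that CA, and an impostor: same DN, a substituted key, no CA signature.
func BuildChain() (ca, leaf, impostor *x509.Certificate) {
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	caKey, leafKey, impKey := newKey(), newKey(), newKey()
	from, to := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour) // constructed validity period
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: from, NotAfter: to,
		Subject: pkix.Name{CommonName: "Example CA"}, KeyUsage: x509.KeyUsageCertSign, IsCA: true, BasicConstraintsValid: true}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: from, NotAfter: to,
		Subject: pkix.Name{CommonName: "QM1"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)             // CA certificate
	leaf = issue(leafTmpl, ca, &leafKey.PublicKey, caKey)           // personal certificate
	impostor = issue(leafTmpl, leafTmpl, &impKey.PublicKey, impKey) // key substituted, self-signed
	return
}

// Trusted reports whether cert chains to root and lies within its validity period at time t.
func Trusted(cert, root *x509.Certificate, t time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: t,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
func main() {
	ca, leaf, imp := BuildChain()
	fmt.Println(Trusted(leaf, ca, time.Now()), Trusted(imp, ca, time.Now()), Trusted(leaf, ca, time.Now().Add(48*time.Hour))) // true false false
}
```

The impostor fails not because its Distinguished Name is wrong but because no CA in the relying party's trust store vouches for its key, which is exactly the substitution the trusted third party is there to prevent.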
- What is in a digital certificate
  Digital certificates contain specific pieces of information, as determined by the X.509 standard.
- Requirements for personal certificates
  IBM MQ supports digital certificates that comply with the X.509 standard. It requires the client authentication option.
- Certificate Authorities
  A Certificate Authority (CA) is a trusted third party that issues digital certificates to provide you with an assurance that the public key of an entity truly belongs to that entity.
- Distinguished Names
  The Distinguished Name (DN) uniquely identifies an entity in an X.509 certificate.
- Obtaining personal certificates from a certificate authority
  We can obtain a certificate from a trusted external certificate authority (CA).
- How certificate chains work
  When you receive the certificate for another entity, you might need to use a certificate chain to obtain the root CA certificate.
- When certificates are no longer valid
  Digital certificates can expire or be revoked.
Parent topic: Cryptographic concepts