Digital Certificate FAQ

In cryptography, a digital certificate is an electronic document that uses a digital signature to bind together a public key with an identity - this information can be a person's name or the name of an organization, etc. The certificate is used to confirm that a public key belongs to a specific individual.

X509 is the industry standard for digital certificate format. It defined the various mandatory and optional attributes that can be defined within the certificate.

Digital signature certificates have an explicit start date and an explicit expiration date. Most applications check the validity period of a certificate when the digital certificate is used.

The signature certificate expiration date is also used for managing the certificate revocation list (CRL - see below). A certificate is removed from the revocation list when its natural expiration date arrives. As such, generally the shorter the certificate validity period, the shorter the CRL.

Certificate Revocation List (CRL) is a method used in a public key infrastructure for maintaining access to servers in a network. A CRL is a list of digital signature users and their corresponding digital certificate status. A CRL specifies digital certificates that have been revoked in addition to the reason for the revocation.

The Online Certificate Status Protocol (OCSP) is an Internet procedure used to acquire the revocation status of an X509 digital certificate. OCSP is an alternative to Certificate Revocation Lists (CRLs).

Yes. A digital certificate only contains the public information of the user such as ID, name, and public key. The personal component of the user’s signature credentials, the private key, is not included in the certificate.

Digital certificates are issued by Certification Authorities (CAs). A CA can be a corporate CA for issuing digital certificates to the corporate employees, or it can be a commercial CA from which certificates can be purchased (e.g. Comodo, VeriSign, etc.). A CA is also incorporated within the CoSign Central box and is used for automatically issuing certificates to all corporate users.

A root certificate is one of two things: Either an unsigned public key certificate or a self-signed certificate used to identify the Root Certificate Authority (CA). The root certificate is in fact the anchor of trust in a digital certificate and is used for validating the entire certification tree.

A worldwide verifiable certificate is a digital certificate whose root certificate is installed in standard Windows operating-systems, thus not requiring the explicit download and installation of the root certificate for digital signature validation.

A CDS certificate is a digital certificate that is pre-installed in Adobe products and can be used for validating signatures in PDF documents. With CDS certificates, the user does not need to install the certificate (because it is already recognized by Adobe since it is CDS compliant), and the certificate does not require any special settings in Adobe.