What are certificates?

Digital certificates are used to link names (and other properties) with entities (persons or computers). In this function, they are similar to identification cards and must therefore meet certain requirements with regard to 'authenticity'.

For all practical purposes, digital certificates are closely linked to private keys (also called secret keys; for the sake of simplicity, imagine the private key as a password with a length of about 500 characters). A certificate states, for example: 'Kiel University certifies on day X that Mrs. Mustermann exists, works at institute Y, has the mail address mustermann@y.uni-kiel.de, and has proven possession of a certain private key with (public) counterpart z; this certificate is valid for 3 years from day X'.

Clever mathematical methods then make two things in particular possible: You can use the 'counterpart z' (known as a public key) to encrypt a text, for example an email, or your transfer in online banking, so that the secret private key is necessary to read it; you can also use your secret private key to sign a text so that anyone who knows the public counterpart can check that the text, the signature and the key 'match'. A digital signature therefore also attests to the text itself; there are no 'blank signatures'.

You can see how central the role of the private key is in these procedures - in contrast to identification cards, where you have to look more or less like the photo, everyone who has the private key is indistinguishable from the rightful owner. Accordingly, when you receive such a certificate, you are obliged to keep the private key secret from third parties and to report any possible loss, theft or copying immediately so that the certificate is revoked and thus rendered useless.

Conversely, the certificate itself is not secret: every mail you sign contains this information, and newly issued certificates are announced in public lists. On the one hand, this serves the purpose of being able to send you encrypted mails directly, since this requires the 'counterpart z' from the certificate; on the other hand, it is of the utmost interest to Kiel University, for example, if a third party were to have someone certify that they held the web address 'www.uni-kiel.de'.

Just as with identification cards, the authenticity of certificates is only relative: You trust 'my passport' because you believe that nobody except 'the passport authority' can issue credible identity documents (identity documents are difficult to forge) and 'the passport authority' only issues truthful identity documents (the issuer is trustworthy).

On the global internet, there is no binding 'passport authority', but rather a rough consensus among browser and operating system manufacturers to trust such 'Certificate Authorities' (CAs) that submit to the rules of an umbrella organization (CA/Browser Forum). These passport authorities can in turn delegate their business to third parties; in principle, each CA can authenticate any name and web address. (Using Kiel University as an example, this means that we are basically an independent CA until mid-2019. The trustworthiness of our certificates is certified by the DFN-PKI. The trustworthiness of the confirmation by the DFN-PKI is certified by T-Systems, a subsidiary of Deutsche Telekom. Operating system and browser manufacturers trust all certificates authorized directly or indirectly by T-Systems. From mid-2019 at the latest, we will apply for certificates at Kiel University directly as customers of the DFN-PKI, i.e. we will no longer be an independent 'passport authority'. Even before that, like most German universities, we had completely outsourced our CA operations back to the DFN-PKI.)
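
The chain of trust described above, as an added example that is not part of the original page: a simplified model in which a certificate is a signed statement and validation walks from the end-entity certificate up to a built-in trust anchor. It uses textbook RSA with fixed primes purely for illustration (no padding, not real key generation); the names 'Root CA' and 'University CA', the dates and all function names are assumptions.

```python
import hashlib, json

def make_key(p, q, e=65537):
    """Textbook RSA key from two primes (toy: no padding, fixed primes)."""
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(body, n):
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(issuer, issuer_priv, subject, subject_pub, not_before, not_after):
    """The issuer signs the statement 'subject holds subject_pub, valid from/to'."""
    body = {"subject": subject, "issuer": issuer, "public_key": subject_pub,
            "not_before": not_before, "not_after": not_after}
    sig = pow(digest(body, issuer_priv["n"]), issuer_priv["d"], issuer_priv["n"])
    return {"body": body, "signature": sig}

def signed_by(cert, pub):
    return pow(cert["signature"], pub["e"], pub["n"]) == digest(cert["body"], pub["n"])

def validate_chain(chain, trust_anchors, today):
    """chain[0] is the end-entity certificate; each next entry certifies its issuer."""
    for i, cert in enumerate(chain):
        body = cert["body"]
        if not body["not_before"] <= today <= body["not_after"]:
            return False                      # expired or not yet valid
        if i + 1 < len(chain):                # issuer is vouched for by the next cert
            parent = chain[i + 1]["body"]
            if parent["subject"] != body["issuer"]:
                return False
            issuer_pub = parent["public_key"]
        else:                                 # end of chain: must be a built-in anchor
            issuer_pub = trust_anchors.get(body["issuer"])
        if issuer_pub is None or not signed_by(cert, issuer_pub):
            return False
    return True

def build_sample():
    """Constructed sample data; Mersenne primes stand in for real key generation."""
    root_pub, root_priv = make_key(2**521 - 1, 2**607 - 1)
    ca_pub, ca_priv = make_key(2**107 - 1, 2**127 - 1)
    user_pub, _ = make_key(2**61 - 1, 2**89 - 1)
    ca_cert = issue("Root CA", root_priv, "University CA", ca_pub, 20150101, 20250101)
    user_cert = issue("University CA", ca_priv, "mustermann@y.uni-kiel.de",
                      user_pub, 20180101, 20210101)
    return [user_cert, ca_cert], {"Root CA": root_pub}

if __name__ == "__main__":
    chain, anchors = build_sample()
    print(validate_chain(chain, anchors, 20190601))
```

Real certificates (X.509) carry more fields and use padded signature schemes, and real validation also checks revocation, which this model leaves out.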