European Union regulations

Directive 93/1999[3]​ has established a common framework applicable to all countries of the European Union whereby the level of demand posed by the regulations on electronic signature implies that Certification Service Providers that issue qualified certificates are worthy of trust by any trusting third party and their certificates give the advanced electronic signature they accompany the same value as the "handwritten signature" or "holographic signature".

Spanish regulations

The 'Law 59/2003 on Electronic Signature'[4]​ has repealed Royal Decree Law 14/1999, of September 17, on electronic signature, making the certification activity in Spain more effective.

Finally, CAs are also responsible for managing signed certificates. This includes certificate revocation tasks that can be initiated by the certificate holder or any third party with a legitimate interest before the CA by email, telephone or in-person intervention. The list, called the Certificate Revocation List (CRL), contains the certificates that fall into this category, so it is the responsibility of the CA to publish and update it appropriately. On the other hand, another task that a CA must perform is the management associated with the renewal of certificates due to expiration or revocation.

If the CA issues many certificates, you run the risk of having large CRLs, making them impractical for trusting third parties to download. For this reason, they develop alternative mechanisms to check the validity of certificates, such as servers based on the OCSP and SCVP protocols.

Due to the large number of existing certification entities, and despite the security measures they use for the correct verification of natural and legal persons, there is a risk that a CA issues a certificate to a fraudster with a false identity. As there is no record of which certificates have been issued by each CA, it is not easy to detect which cases have been fraudulently filtered or which certificates refer to a name that is the same or very similar to that of another entity. To avoid these types of problems, Google has launched the Certificate Transparency initiative, which records all certificates issued by CAs through cryptographically unforgeable audit files, which can help combat phishing (in Spanish: identity theft).[5]​.

"End entity" certificates sometimes designate people (and are then called "qualified certificates") and sometimes identify web servers (and then the certificates are used within the TLS protocol so that communications with the server are protected with strong 128-bit encryption).

Contenido

Una CA puede ser o bien pública o bien privada. Los certificados de CA (certificados raíz) de las CAs públicas pueden o no estar instalados en los navegadores pero son reconocidos como entidades confiables, frecuentemente en función de la normativa del país en el que operan. Las CAs públicas emiten los certificados para la población en general (aunque a veces están focalizadas hacia algún colectivo en concreto) y además firman CAs de otras organizaciones.

CAs in the European Union

Article 11 of the Electronic Signature Directive 1999/93EC establishes that member countries shall notify the Commission and the other Member States of the following:

There is already a web page with the information on article 11 of Directive 1999/93.[6]​.

Modern web browsers natively integrate (in standard form) a list of certificates from different certification authorities that, depending on the case, are automatically chosen according to the internal criteria defined by the browser developers.

So, when a natural or legal person wants to configure a web server using secure HTTPS communication secured by TLS, a public key and a private key are generated, and then they send to one of these certification authorities a certificate signing request (CSR) that contains their public key as well as data about their identity (postal, telephone, email address, etc.).

After verification of the identity of the certificate applicant by a registration authority (RA), the certification authority signs the CSR thanks to its own private key (and therefore not the private key of the applicant), which is then converted into a certificate, which it then sends back to the applicant.

The certificate thus returned in the form of a computer file is integrated into the applicant's web server. When a user connects to this web server, it in turn transmits the certificate previously provided by the certification authority.

The client's web browser authenticates the server's certificate thanks to the certificate (natively integrated into the browser) previously signed by the certification authority. The identity of the server is thus confirmed to the user by the certification authority.

The browser then contacts the corresponding certification authority to confirm, through an OCSP request, that the server's certificate has not been revoked since it was issued by the certification authority.

Previously, certain browsers regularly downloaded Certificate Revocation Lists (CRLs) from certification authorities instead of contacting them directly using OCSP requests. This practice has been abandoned due to the excessive and useless use of bandwidth.

At a technical level, this key management infrastructure ensures that:

Request for a certificate

The typical mechanism for requesting a web server certificate from a CA is that the requesting entity, using certain functions of the web server software, fills in certain identifying data (including the server's URL locator) and generates a public/private key pair. With this information, the server software creates a file "File (computing)") that contains a CSR (Certificate Signing Request) request in PKCS#10 format that contains the public key and is sent to the chosen CA. This, after verifying by itself or through the services of a Registration Authority (Registration Authority, RA) the identification information provided and making the payment, sends the signed certificate to the requester, who installs it on the web server with the same tool with which it generated the CSR request.

In this context, PKCS corresponds to a set of specifications that are de facto standards called Public-Key Cryptography Standards.

The Certification Hierarchy

CAs have their own public certificates"), whose associated private keys are used by CAs to sign the certificates they issue. A CA certificate can be self-signed when there is no higher-ranking CA that signs it. This is the case of root CA certificates, the initial element of any certification hierarchy. A certification hierarchy consists of a hierarchical structure of CAs in which it starts from a self-signed CA, and at each level, there is one or more CAs that can sign certificates of 'end entity' (certificate holder: web server, person, software application) or certificates from other subordinate CAs that are fully identified and whose Certification Policy") is compatible with higher-ranking CAs.

Trust in the CA

One of the ways to establish trust in a CA for a user is to "install" on the user's (trusting third party) computer the self-signed certificate of the root CA of the hierarchy that you want to trust. The installation process can be done, in Windows-type operating systems, by double-clicking on the file that contains the certificate (with the crt extension) and thus starting the "certificate import wizard". As a general rule, the process must be repeated for each of the browsers that exist in the system, such as Opera "Opera (browser)"), Firefox or Internet Explorer, and in each case with its specific certificate import functions.

If a CA is installed in the repository of trusted CAs of each browser, any certificate signed by said CA can be validated, since the public key is available with which to verify the signature carried by the certificate. When the CA model includes a hierarchy, trust must be explicitly established in the certificates of all trusted certification chains. To do this, your certificates can be located through different means of publication on the Internet, but it is also possible that a certificate contains the entire certification chain necessary to be installed with confidence.

European Union regulations

Directive 93/1999[3]​ has established a common framework applicable to all countries of the European Union whereby the level of demand posed by the regulations on electronic signature implies that Certification Service Providers that issue qualified certificates are worthy of trust by any trusting third party and their certificates give the advanced electronic signature they accompany the same value as the "handwritten signature" or "holographic signature".

Spanish regulations

The 'Law 59/2003 on Electronic Signature'[4]​ has repealed Royal Decree Law 14/1999, of September 17, on electronic signature, making the certification activity in Spain more effective.

Finally, CAs are also responsible for managing signed certificates. This includes certificate revocation tasks that can be initiated by the certificate holder or any third party with a legitimate interest before the CA by email, telephone or in-person intervention. The list, called the Certificate Revocation List (CRL), contains the certificates that fall into this category, so it is the responsibility of the CA to publish and update it appropriately. On the other hand, another task that a CA must perform is the management associated with the renewal of certificates due to expiration or revocation.

If the CA issues many certificates, you run the risk of having large CRLs, making them impractical for trusting third parties to download. For this reason, they develop alternative mechanisms to check the validity of certificates, such as servers based on the OCSP and SCVP protocols.

Due to the large number of existing certification entities, and despite the security measures they use for the correct verification of natural and legal persons, there is a risk that a CA issues a certificate to a fraudster with a false identity. As there is no record of which certificates have been issued by each CA, it is not easy to detect which cases have been fraudulently filtered or which certificates refer to a name that is the same or very similar to that of another entity. To avoid these types of problems, Google has launched the Certificate Transparency initiative, which records all certificates issued by CAs through cryptographically unforgeable audit files, which can help combat phishing (in Spanish: identity theft).[5]​.

"End entity" certificates sometimes designate people (and are then called "qualified certificates") and sometimes identify web servers (and then the certificates are used within the TLS protocol so that communications with the server are protected with strong 128-bit encryption).

Contenido

Una CA puede ser o bien pública o bien privada. Los certificados de CA (certificados raíz) de las CAs públicas pueden o no estar instalados en los navegadores pero son reconocidos como entidades confiables, frecuentemente en función de la normativa del país en el que operan. Las CAs públicas emiten los certificados para la población en general (aunque a veces están focalizadas hacia algún colectivo en concreto) y además firman CAs de otras organizaciones.

CAs in the European Union

Article 11 of the Electronic Signature Directive 1999/93EC establishes that member countries shall notify the Commission and the other Member States of the following:

There is already a web page with the information on article 11 of Directive 1999/93.[6]​.

Modern web browsers natively integrate (in standard form) a list of certificates from different certification authorities that, depending on the case, are automatically chosen according to the internal criteria defined by the browser developers.

So, when a natural or legal person wants to configure a web server using secure HTTPS communication secured by TLS, a public key and a private key are generated, and then they send to one of these certification authorities a certificate signing request (CSR) that contains their public key as well as data about their identity (postal, telephone, email address, etc.).

After verification of the identity of the certificate applicant by a registration authority (RA), the certification authority signs the CSR thanks to its own private key (and therefore not the private key of the applicant), which is then converted into a certificate, which it then sends back to the applicant.

The certificate thus returned in the form of a computer file is integrated into the applicant's web server. When a user connects to this web server, it in turn transmits the certificate previously provided by the certification authority.

The client's web browser authenticates the server's certificate thanks to the certificate (natively integrated into the browser) previously signed by the certification authority. The identity of the server is thus confirmed to the user by the certification authority.

The browser then contacts the corresponding certification authority to confirm, through an OCSP request, that the server's certificate has not been revoked since it was issued by the certification authority.

Previously, certain browsers regularly downloaded Certificate Revocation Lists (CRLs) from certification authorities instead of contacting them directly using OCSP requests. This practice has been abandoned due to the excessive and useless use of bandwidth.

At a technical level, this key management infrastructure ensures that: