x509, keys, certs, authorities, what’s the difference?

Your point and click PKI

Everything starts off with some information and a key or keys. A key is merely a long unique string of numbers.
Keys often, but not always, come in pairs. A private key and a public key.
The private is one you keep and share with NO ONE! The public is the one you can give to ANYONE.
You can read more on this in our “What is a PKI?”

All public keys have private keys, but not all private keys have public keys.
A certificate, a.k.a. a digital certificate is a combination of some identifying information and a key.
For example, this may be a name; George Washington, or an email address; happycomputeruser@gmail.com, or the collection of 1 or more computers representing a website(server/computer); Wikipedia.org. Certificates can be used solely for identification. However, most of the certificates people encounter are being used for identification AND secure private communication.

The combination of the identification data and the key into a digital certificate that meets the x.509 standard allows you to create a secure, encrypted communications line between yourself and the person/machine/thing you are trying to communicate. The identity data contained in the certificate helps you confirm the person/machine/thing you are communicating with is who it/they say they are.

In other words, if you had a very private message you wanted to have delivered to your bank. You would want to make sure that anyone could not read the message while it travels from you to the bank, and you probably want to make sure that it gets to your bank and not some other bank, or worse some criminal pretending to be your bank. For more starter information see our post “what is SSL” for advanced information see our post “What is a PKI?”.

Now that we have a rough idea about what certificates are and how you use them we’ll look at how the brilliant people at NIST define a digital certificate.

The below is from NIST the National Institute of Standards and Technology.

Digital Certificate:

A digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its subscriber, (3) contains the subscriber’s public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it.


Let’s add some notes to clarify those defining terms.

  • A digital representation of information(mostly identity information)
  • which at least: (can do more)
  • (1) identifies the certification authority issuing it(who made it or signed it),
  • (2) names or identifies its subscriber,(user or computer)
  • (3) contains the subscriber’s public key(long unique string of numbers),
  • (4) identifies its operational period(expiration date),
  • and
  • (5) is digitally signed by the certification authority issuing it.(signed)

In conclusion, a digital certificate is like a digital ID card for a person or computer that allows them to have a secure encrypted communication with another person or computer. To learn more about the Certificate Authority portion of this process click here.