Digital certificates are cryptographic credentials issued to an entity (a person, organization, or device) to assert its identity in online interactions. They tie an entity's identity to a public key, enabling others to verify signatures and establish encrypted connections. Certificates are typically issued and signed by a trusted third party known as a certification authority (CA).

What a certificate contains

  • A subject identifier such as the holder's name or organization.
  • A unique serial number assigned by the issuer.
  • Validity interval (start and expiration dates).
  • The certificate subject's public key, which corresponds to a private key held only by the subject.
  • Information about the issuer (the CA) and the digital signature the issuer creates to bind the data together.

Standards and storage

Most public certificates follow the X.509 format or a profile of it (the web PKI uses the profile defined in RFC 5280); this standard defines the structure and fields commonly used. Certificates can be published in searchable directories or repositories so relying parties can retrieve another party's public key. Issuers also publish revocation information so that a certificate withdrawn before its expiry date (for example because the private key was compromised) can be detected; expiry itself needs no lookup, since a relying party checks the validity interval carried in the certificate.

How certificates are used

  • Authentication: proving the identity of a server, client, or user (for example in HTTPS/TLS).
  • Encryption: authenticating a key exchange or transporting a symmetric session key under the certified public key; the bulk data is then encrypted with that symmetric key, since public-key operations are too slow for large volumes.
  • Digital signatures: verifying that a message, document, or software package was created by the holder of the associated private key.

Issuance, validation and lifecycle

A CA issues a certificate after some form of vetting of the requester. The certificate carries the CA's digital signature over its contents, so a recipient holding a trusted copy of the CA's public key (a trust anchor, typically a root certificate pre-installed in the operating system or browser) can check both that the certificate was actually issued by that CA and that none of its fields were altered afterwards. Certificates have limited lifetimes and can be revoked before expiry if the private key is compromised or if the holder's status changes. Revocation is commonly handled with Certificate Revocation Lists (CRLs), which the CA publishes and signs, or the Online Certificate Status Protocol (OCSP), which answers a query about a single serial number; a relying party should treat a revocation source it cannot validate, or that is out of date, as a failure rather than as proof that the certificate is still good.
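The following Go program is an added example, written for this page rather than taken from it or from any project it cites. It ties together the certificate fields listed under "What a certificate contains" and the issuance, validation and revocation steps just described, using only the Go standard library: a toy CA signs a certificate for a server's public key, a relying party validates it against that CA and a CRL, the CA then revokes it, and validation is retried, including against a CA that never issued it. The names "Example Root CA", "Unrelated CA" and "www.example.test" and the serial number 1001 are made-up values for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts the demo on any setup failure (key generation, signing, parsing).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template fills the fields every certificate carries: serial, subject, validity window.
func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// newCA returns a self-signed CA certificate (the trust anchor) and its signing key.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := template(1, name)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issue is the CA's step: bind the requester's public key (its private key never
// reaches the CA) to a name, serial and validity window, then sign with the CA key.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey, serial int64, host string) *x509.Certificate {
	tmpl := template(serial, host)
	tmpl.DNSNames = []string{host}
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey))
	return must(x509.ParseCertificate(der))
}

// issueCRL signs a Certificate Revocation List carrying the given revoked entries.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []pkix.RevokedCertificate) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), RevokedCertificates: revoked,
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
}

// Validate is the relying party's check: chain the leaf to the trust anchor (CA
// signature, validity dates, host name, key usage), then consult a CA-signed, fresh CRL.
func Validate(leaf, trustAnchor *x509.Certificate, crlDER []byte, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustAnchor)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	// A CRL not signed by the issuer, or one past NextUpdate, tells us nothing reliable.
	if crl.CheckSignatureFrom(trustAnchor) != nil || time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("crl rejected: bad issuer signature or stale (next update %s)", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %s is revoked", leaf.SerialNumber)
		}
	}
	return nil
}

// RunLifecycle issues one server certificate and validates it: fresh CRL, after revocation, wrong CA.
func RunLifecycle() (leaf *x509.Certificate, fresh, revoked, wrongCA error) {
	ca, caKey := newCA("Example Root CA")
	other, otherKey := newCA("Unrelated CA")
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // generated on the server
	leaf = issue(ca, caKey, &srvKey.PublicKey, 1001, "www.example.test")
	fresh = Validate(leaf, ca, issueCRL(ca, caKey, nil), "www.example.test")
	entry := pkix.RevokedCertificate{SerialNumber: leaf.SerialNumber, RevocationTime: time.Now()}
	revoked = Validate(leaf, ca, issueCRL(ca, caKey, []pkix.RevokedCertificate{entry}), "www.example.test")
	wrongCA = Validate(leaf, other, issueCRL(other, otherKey, nil), "www.example.test")
	return leaf, fresh, revoked, wrongCA
}

func main() {
	leaf, fresh, revoked, wrongCA := RunLifecycle()
	fmt.Printf("subject=%q serial=%s issuer=%q\nfresh CRL: %v\nrevoked: %v\nwrong CA: %v\n",
		leaf.Subject.CommonName, leaf.SerialNumber, leaf.Issuer.CommonName, fresh, revoked, wrongCA)
}
```

Run it with `go run`. The first validation succeeds; the second fails because the CA's CRL now lists the leaf's serial number; the third fails in the chain-building step because the certificate's signature does not verify under the unrelated CA's public key. Everything a relying party must get right sits in Validate: chaining to a trusted anchor, honouring the validity window and host name, and treating a CRL that is unsigned by the issuer or past its NextUpdate as a failure rather than as "not revoked".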

Common certificate assurance levels

Different providers and ecosystems classify certificates by the strength of identity verification performed before issuance. These informal categories are often described as:

  • Class 1: Basic validation, typically confirming control of an email address or a domain. There is little or no independent identity proofing.
  • Class 2: Stronger checks, such as comparing the applicant's information against pre‑existing, trusted databases or records.
  • Class 3: The highest level in this tiered scheme, involving in‑person verification or equivalent high-assurance identity proofing before the certificate is issued.

These class labels are used by some CAs and relying communities to indicate expected assurance; they are not a universal technical standard and practices vary between jurisdictions and providers.

Digital certificates play a central role in modern secure communications by enabling trust in public-key operations; their effectiveness depends on robust issuance processes, careful private-key management, and timely revocation when necessary. For historical and technical background on electronic documents and credentials, see related material on electronic systems.