A primary goal of a digital certificate is to confirm that the public key it contains belongs to the person or entity to whom the certificate is issued. For example, a Certificate Authority (CA) may digitally sign a special message (known as certificate information) containing the name of a user (in this case, "Alice") as well as her public key, in such a way that anyone can verify that the certificate information message was signed by no one other than the CA. This establishes trust in the public key designated for "Alice."
The typical implementation of digital certification involves a signature algorithm for signing the certificate. The process follows these steps:
As with any digital signature, anyone can verify, at any time, that the certificate was signed by the Certificate Authority (CA), without access to privileged information.
This scenario assumes that Bob knows the specific CA public key. The public key could be obtained from a copy of the CA certificate, which contains the public key.
Because certificates have a limited validity period, a certificate can expire and no longer be valid. A certificate is valid only for the period of time specified by the CA that issued it. The certificate contains the beginning and expiration dates of that period. If a user attempts to obtain access to a secured server by using an expired certificate, server authentication software will automatically reject the access request. Users can renew certificates before the expiration date to avoid this situation.
It is also possible for certificates to be revoked by the CA for other reasons. To handle this situation, the CA maintains a list of revoked certificates. This list is called a certificate revocation list (CRL), and it is available to network users to determine the validity of any given certificate.
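The three checks described above (CA signature, validity period, CRL lookup), put together as an added example that is not part of the original page. It uses Ruby's standard OpenSSL bindings; the helper names `issue`, `publish_crl` and `validate`, the name "Example CA", and the serial numbers and dates are constructed assumptions.

```ruby
require "openssl"

T0 = Time.utc(2024, 1, 1)  # constructed issue date
YEAR = 365 * 24 * 60 * 60  # every object below is valid for one year

# CA side: sign the certificate information (serial, name, public key, validity period).
# With no issuer given, the result is the CA's own self-signed certificate.
def issue(name, serial, key, issuer = nil, issuer_key = key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = T0, T0 + YEAR
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# CA side: publish a signed CRL listing the serial numbers of revoked certificates.
def publish_crl(ca, ca_key, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1 # CRL v2
  crl.issuer = ca.subject
  crl.last_update, crl.next_update = T0, T0 + YEAR
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial, entry.time = serial, T0
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new("SHA256"))
end

# Bob's side: needs only the CA certificate (public key), the CRL and the current time.
def validate(cert, ca, crl, now)
  ca_pub = ca.public_key
  return :bad_signature unless cert.verify(ca_pub) && crl.verify(ca_pub)
  return :outside_validity_period unless now.between?(cert.not_before, cert.not_after)
  return :revoked if crl.revoked.any? { |entry| entry.serial == cert.serial }
  :valid
end

if __FILE__ == $PROGRAM_NAME
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = issue("Example CA", 1, ca_key)
  alice = issue("Alice", 2, OpenSSL::PKey::RSA.new(2048), ca, ca_key)
  puts validate(alice, ca, publish_crl(ca, ca_key, []), T0 + 30 * 86_400)  # valid
  puts validate(alice, ca, publish_crl(ca, ca_key, [2]), T0 + 30 * 86_400) # revoked
end
```

The CRL's own signature is checked before its contents are trusted, since a revocation list that anyone could forge or strip would defeat the check. Production code would normally delegate these steps to the library's chain verification (`OpenSSL::X509::Store` in Ruby), which also enforces CA constraints.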