To verify a signature, you need the signer’s public key. So how are public keys distributed securely? You could simply download the key from a server somewhere, but how would you know you got the right file and not a forgery? Even if you get a valid key, how do you know that it belongs to a particular person?

Certificates answer these questions. A certificate is a statement, signed by one person, that the public key of another person has a particular value. In some ways, it’s like a driver’s license. The license is a document issued by your state government that matches your face to your name, address, and date of birth. When you buy alcohol, tobacco, or dirty magazines, you can use your license to prove your identity (and your age).

Note that the license only has value because you and your local shopkeepers trust the authority of the state government. Digital certificates have the same property: You need to trust the person who issued the certificate (who is known as a Certificate Authority, or CA).

In cryptographic terminology, a certificate associates an identity with a public key. The identity is called the subject. The identity that signs the certificate is the signer. The certificate contains information about the subject and the subject’s public key, plus information about the signer. The whole thing is cryptographically signed, and the signature becomes part of the certificate, too. Because the certificate is signed, it can be freely distributed over insecure ...
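The binding described above can be sketched with the standard `java.security` API. This is an added example, not code from the book: `ToyCertificate`, its length-prefixed encoding, the names "Alice" and "Example CA", and the freshly generated keys are all assumptions made for illustration, and the structure is a simplified stand-in for a real X.509 certificate.

```java
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.security.*;

public class ToyCertificate {
    final String subject;        // identity being vouched for
    final PublicKey subjectKey;  // public key bound to that identity
    final String signer;         // identity of the issuer (the CA)
    final byte[] signature;      // signer's signature over the three fields above

    ToyCertificate(String subject, PublicKey subjectKey, String signer,
                   PrivateKey signerKey) throws Exception {
        this.subject = subject; this.subjectKey = subjectKey; this.signer = signer;
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(signerKey);
        s.update(encode(subject, subjectKey, signer));
        this.signature = s.sign();
    }

    // Length-prefixed encoding (hypothetical format) so field boundaries are unambiguous.
    static byte[] encode(String subject, PublicKey key, String signer) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeUTF(subject);
        out.writeUTF(signer);
        out.writeInt(key.getEncoded().length);
        out.write(key.getEncoded());
        return buf.toByteArray();
    }

    // Check a claimed (subject, key) binding against a signer key the verifier already trusts.
    boolean verify(PublicKey claimedKey, PublicKey trustedSignerKey) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(trustedSignerKey);
        s.update(encode(subject, claimedKey, signer));
        return s.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair ca = gen.generateKeyPair();      // constructed sample keys
        KeyPair alice = gen.generateKeyPair();
        KeyPair other = gen.generateKeyPair();

        ToyCertificate cert =
            new ToyCertificate("Alice", alice.getPublic(), "Example CA", ca.getPrivate());
        System.out.println("genuine binding:  " + cert.verify(cert.subjectKey, ca.getPublic()));
        // A different key presented as Alice's: the signature no longer matches.
        System.out.println("substituted key:  " + cert.verify(other.getPublic(), ca.getPublic()));
        // Checked against a signer key that did not issue the certificate.
        System.out.println("wrong signer key: " + cert.verify(cert.subjectKey, other.getPublic()));
    }
}
```

Only the first check succeeds, which is why the certificate itself can travel over an untrusted channel while the signer's public key must reach the verifier by a trusted route.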
