Digital Certificates - Proving Identity Online

A digital certificate is an electronic identity document in which a trusted third party, a certificate authority (CA), binds a public key to an identity (a domain name, an organization, a person) and attests to that binding with its own digital signature. It is the foundation of the mechanism by which web browsers verify a server's identity during an HTTPS connection, and it underpins the trust infrastructure of the internet: SSL/TLS communication, email signing (S/MIME), and code signing. As a core element of PKI (public key infrastructure), it is indispensable to modern security infrastructure.

The Structure of the X.509 Standard

The de facto standard for digital certificates is X.509, established by ITU-T and profiled for internet use by the IETF in RFC 5280. The version in use today is version 3, whose signed body (the TBSCertificate) consists of the following fields, followed by the CA's signature over all of them.

┌─────────────────────────────────────────────────────┐
│ X.509 v3 certificate                                │
├─────────────────────────────────────────────────────┤
│ Version: v3                                         │
│ Serial number: unique within the issuing CA         │
│ Signature algorithm: e.g. SHA-256 with RSA          │
│ Issuer: the DN of the certificate authority         │
│ Validity period: notBefore - notAfter               │
│ Subject: the DN of the holder                       │
│ Public key info: e.g. RSA 2048-bit / ECC P-256      │
│ Extensions: SAN, Key Usage, CRL distribution points │
├─────────────────────────────────────────────────────┤
│ The digital signature of the CA over all the above  │
└─────────────────────────────────────────────────────┘

Among the extensions, the SAN (Subject Alternative Name) is particularly important: it lists the DNS names and IP addresses that a single certificate covers, and modern browsers match the requested host against these entries only, ignoring the Common Name in the Subject (Chrome has done so since version 58 in 2017). Wildcard certificates (*.example.com) are also expressed as SAN entries. Note that a wildcard matches exactly one label: *.example.com covers api.example.com but neither example.com itself nor a.b.example.com.

The Difference Between DV, OV, and EV Certificates

| Type | What is verified | Issuance time | Cost | Use case |
|---|---|---|---|---|
| DV (Domain Validation) | Domain ownership only | A few minutes | Free - a few thousand yen | Personal sites, blogs |
| OV (Organization Validation) | Domain + existence of the organization | A few days | Tens of thousands of yen / year | Corporate sites, APIs |
| EV (Extended Validation) | Domain + organization + legal existence | 1 - 2 weeks | 100,000 yen or more / year | Financial institutions, e-commerce sites |

EV certificates once displayed the organization name in green in the browser's address bar, but in 2019 Chrome (version 77) and Firefox (version 70) removed that indicator. There have also been cases where lookalike or phishing sites obtained EV certificates, so the simplistic equation "EV = safe" no longer holds: EV tells the user which legal entity the CA verified, not whether that entity is honest. In current practice, DV certificates are sufficient in the vast majority of cases.

The Spread of Free SSL Through Let's Encrypt

Let's Encrypt, launched in 2015 by the ISRG (Internet Security Research Group), is a certificate authority that issues DV certificates for free and automatically. Issuance and renewal run over the ACME protocol (RFC 8555), in which the client proves control of the domain (for example by serving a challenge token over HTTP or publishing a DNS record) and then receives the certificate without human involvement. Because Let's Encrypt certificates are valid for only 90 days, automated renewal is not optional, and that automation has greatly reduced the once-common outage of a site going down on an expired certificate. As of 2024, about 30% of all HTTPS sites use Let's Encrypt certificates, making a decisive contribution to raising the encryption rate of the web as a whole.

Certificate Revocation - CRL and OCSP

When a private key leaks or an organization changes, a certificate has to be invalidated before its expiration date. A relying party has two ways to find out whether that has happened.

CRL (Certificate Revocation List)
  • The CA periodically publishes a signed list of the serial numbers it has revoked; its URL is carried in the certificate's CRL Distribution Points extension
  • The client downloads the entire list
  • Communication cost grows as the list balloons
  • A revocation becomes visible only when the next CRL is published and fetched, so a client holding an older but still unexpired CRL keeps accepting the revoked certificate for up to one publication interval
OCSP (Online Certificate Status Protocol)
  • The client queries the status of an individual certificate in real time from the CA's responder, whose URL is carried in the certificate's Authority Information Access extension
  • Efficient, with low traffic, but the query reveals to the CA which sites the user is visiting
  • Depends on the availability of the OCSP responder; most browsers soft-fail and treat a timeout as "good", so an attacker who can block the responder defeats the check
  • OCSP stapling, in which the server fetches the signed response itself and sends it in the TLS handshake, mitigates the performance, privacy and availability problems
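The following program is an added example, not code from the original page: it exercises both the X.509 structure and SAN matching described above and the CRL side of revocation, using only Go's standard library crypto/x509. A constructed in-memory root CA (a hypothetical "Example Root CA") issues a leaf whose SAN lists example.com, *.example.com and an IP address while its Common Name is a different, unrelated name; the client then builds the chain and matches hostnames the way a browser does, after which the CA publishes a CRL and the client checks it. All names, serial numbers, addresses and the 24-hour CRL interval are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

type pki struct { // constructed, in-memory root CA plus one leaf it issued; not a real CA
	ca    *x509.Certificate
	caKey *ecdsa.PrivateKey
	leaf  *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newPKI fills the v3 fields from the diagram and has the CA sign them.
func newPKI() *pki {
	caKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Root CA", Organization: []string{"Example Corp"}},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// The leaf CN is deliberately another name: clients match the requested host against the SAN extension only.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: "ignored.example.net"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"example.com", "*.example.com"}, // the wildcard is just one SAN entry
		IPAddresses:  []net.IP{net.ParseIP("203.0.113.10")},
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	return &pki{ca: ca, caKey: caKey, leaf: leaf}
}

// verifyForHost is the browser's check: chain to a trusted root, then match host against the SANs (a wildcard covers one label).
func verifyForHost(p *pki, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.ca)
	_, err := p.leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// publishCRL is the CA side: sign a CRL of revoked serials that clients may use until ThisUpdate+interval.
func publishCRL(p *pki, number int64, revoked []*big.Int, interval time.Duration) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: now, NextUpdate: now.Add(interval)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.ca, p.caKey)
}

// isRevoked is the relying-party side: accept the CRL only if the issuing CA signed it and it is not stale.
func isRevoked(p *pki, crlDER []byte, at time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	switch {
	case err != nil:
		return false, err
	case crl.CheckSignatureFrom(p.ca) != nil:
		return false, fmt.Errorf("CRL is not signed by the issuing CA")
	case at.After(crl.NextUpdate):
		return false, fmt.Errorf("CRL stale since %s, fetch a fresh one", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	p := newPKI()
	for _, h := range []string{"example.com", "api.example.com", "a.b.example.com", "ignored.example.net", "203.0.113.10"} {
		fmt.Printf("%-20s -> %v\n", h, verifyForHost(p, h))
	}
	before := must(publishCRL(p, 1, nil, 24*time.Hour)) // the CRL a client cached before the key compromise
	after := must(publishCRL(p, 2, []*big.Int{p.leaf.SerialNumber}, 24*time.Hour))
	fmt.Println(isRevoked(p, before, time.Now())) // prints "false <nil>": unexpired, so it hides the revocation
	fmt.Println(isRevoked(p, after, time.Now()))  // prints "true <nil>"
}
```

Running it shows example.com, api.example.com and 203.0.113.10 verifying while a.b.example.com and ignored.example.net fail with a hostname mismatch, even though the latter is the certificate's Common Name. The two CRLs show the window described in the bullets: the CRL fetched before the revocation is still signed and unexpired, so a client that caches it keeps answering "not revoked" until NextUpdate passes; only the reissued CRL lists serial 4242. isRevoked also refuses a CRL that is past NextUpdate or that was not signed by the issuing CA, two checks that are easy to forget when hand-rolling CRL handling.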

Certificate Transparency

Certificate Transparency (CT) is a mechanism proposed by Google in 2013 (RFC 6962) in which every issued certificate is recorded in public, append-only logs, making it possible to detect the issuance of fraudulent certificates. If a certificate authority issues a certificate by mistake (or maliciously), a domain owner monitoring the CT logs for its own names can discover it early. Since April 2018, Chrome has required that publicly trusted certificates carry signed certificate timestamps (SCTs) from qualifying CT logs, usually embedded in the certificate as an extension, and refuses those that do not, so logging is a de facto mandatory requirement for any CA whose certificates are to work in Chrome. Understanding how public-key cryptography works makes the certificate verification process much clearer.

A common misconception is the belief that "HTTPS = a safe site," but a DV certificate proves only that whoever requested it controlled the domain at the time of issuance. Phishing sites can obtain perfectly legitimate DV certificates for the domains they register, so being HTTPS and being a trustworthy site are separate matters: the padlock says the connection is encrypted and goes to the domain in the address bar, nothing more.

The basics of encryption are explained in detail in the article on encryption fundamentals, and browser security in the article on browser password safety. Please also refer to phishing countermeasures.
