Sun Java System Web Server 7.0 Update 4 Administrator's Guide

Using Certificates for Authentication

Authentication is the process of confirming an identity. In the context of network interactions, authentication is the confident identification of one party by another party. Certificates are one way of supporting authentication.

Certificates or digital certificates are collections of data that uniquely identify or verify an individual, company, or other entity on the Internet. Certificates also enable secure, confidential communication between two entities. Personal certificates are used by individuals, whereas server certificates are used to establish secure sessions between the server and clients through secure sockets layer (SSL) technology.

A certificate is like a passport; it identifies the holder and provides other important information. Certificates are verified, issued and digitally signed by a trusted third party called Certification Authority (CA). Once a CA has signed a certificate, the holder can present it as proof of identity to establish encrypted, confidential communication. The CA can be a company that sells certificates over the Internet, or it can be a department responsible for issuing certificates for your company’s intranet or extranet. You decide which CAs you trust enough to serve as verifiers of other people’s identities.

Certificates are based on public key cryptography, which uses a pair of digital keys (very long numbers) to encrypt (encode) information, so that it can be read only by its intended recipient. The recipient then decrypts (decodes) the information to read it.

A key pair contains a public key and a private key. The owner distributes the public key and makes it available to anyone. But the owner never distributes the private key; it is always kept secret. Because the keys are mathematically related, data encrypted with one key can be decrypted only with the other key in the pair. Most importantly, a certificate binds the owner's public key to the owner's identity.

In addition to the public key, a certificate typically includes information such as:

Note –

A server certificate must be installed before encryption can be activated.

Server Authentication

Server authentication refers to the confident identification of a server by a client; that is, identification of the organization assumed to be responsible for the server at a particular network address. SSL enabled servers must have a certificate and clients may optionally have a certificate.

Client Authentication

Client authentication refers to the confident identification of a client by a server; that is, identification of the person assumed to be using the client software. Clients can have multiple certificates, much like a person might have several different pieces of identification.