What Are Digital Certificates?

Digital certificates are electronic documents that bind public keys to verified identifiers, establishing who owns a particular key and enabling others to trust signatures made with it. They're the mechanism that allows verifiers to confirm that a public key truly belongs to a claimed issuer.

The identity-key binding problem

Public key infrastructure (PKI) relies on verifiers checking signatures using issuers' public keys. But how does a verifier know that a public key actually belongs to the California DMV rather than an imposter? If anyone could assert ownership of a key without verification, the entire system would collapse.

Digital certificates solve this problem by providing authenticated statements about key ownership. A certificate says, in effect: "This public key belongs to this entity, and I (the certificate authority) vouch for that relationship."

How certificates work

A digital certificate contains several elements: the public key being certified, the identifier it is bound to (the subject), the identity of the certificate authority that issued the certificate (the issuer), validity dates, and a digital signature from the certificate authority.

When a state DMV obtains a certificate for its signing key, a certificate authority verifies the DMV's identity through established procedures, then creates and signs a certificate binding the DMV's public key to its verified identity. Anyone who trusts that certificate authority can now trust that the public key belongs to the DMV.

Certificate authorities and chains of trust

Certificate authorities (CAs) are trusted entities that issue certificates. Their role is similar to a notary public, they verify identities and vouch for relationships. The security of the entire system depends on CAs performing this role responsibly.

Certificates often form chains. A root CA issues certificates to intermediate CAs, which in turn issue certificates to end entities, such as DMVs. When verifying a certificate, systems check the entire chain back to a trusted root. This hierarchical structure enables the root CA to remain highly protected, while intermediate CAs handle the issuance of operational certificates.

X.509: The certificate standard

Most digital certificates follow the X.509 standard, which defines their format and fields. X.509 has been used for decades in internet security, email encryption, and enterprise systems. The same standard that secures web traffic (the certificates behind HTTPS) is now being applied to digital identity.

X.509 certificates include fields for subject identity, issuer identity, validity period, public key, intended usage, and extensions for additional information. Certificate validation involves checking signatures, expiration dates, and revocation status.

Certificates in digital identity

For mobile driver's licenses and other verifiable digital credentials, certificates establish the authenticity of issuer keys. When a DMV signs a credential, verifiers can trace the signing key back through certificate chains to trusted root certificates.

In certificate-based deployments, verifiers validate that an issuer’s signing certificate chains back to a trusted root (or other trusted anchor) and that the certificate is within its validity window and not revoked. When an mDL is presented, the reader verifies that the credential's signature is validated against these trusted roots. If the chain validates, the credential is accepted. If not, it's rejected.

Certificate lifecycle

Certificates have defined validity periods and can be revoked before expiration if keys are compromised or circumstances change. Certificate revocation lists (CRLs) and the Online Certificate Status Protocol (OCSP) allow verifiers to check whether certificates remain valid.

Managing certificate lifecycles, issuance, renewal, rotation, and revocation is a significant operational responsibility. Organizations must ensure certificates are renewed before expiration, revoked promptly when needed, and replaced without service interruption.

The passport analogy

Digital certificates function like passports for the cryptographic world. Just as a passport vouches for someone's identity and citizenship, a certificate vouches for the ownership of a public key. Just as border agents verify passports by checking signatures and authenticity features, verification systems check certificates by validating digital signatures and certificate chains.

Certificates provide the trust anchors that enable PKI to work at scale, allowing millions of verification decisions to be made confidently without requiring direct communication between issuers and verifiers.