What are Website Certificates? Why do they expire?

Ever seen a certificate error, an "unsecured connection" warning with 'Proceed anyway' and 'Back to safety' buttons? You may be about to visit a website you trusted as 100% safe and had used without trouble for ages. But not now: the certificate it was issued expired, a while or long ago, and that is why the browser shows a security warning. Confused, right? So was I when I first saw one. Read on to learn about certificates and their types; at the end we'll discuss why they expire.

What is a Certificate?

A public key certificate, usually just called a certificate, is a digitally-signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key. One of the main benefits of certificates is that hosts no longer have to maintain a set of passwords for individual subjects who need to be authenticated as a prerequisite to access. Instead, the host merely establishes trust in a certificate issuer. Most certificates in common use are based on the X.509v3 certificate standard.

Typically, certificates contain the following information:

  • The subject's public key value.
  • The subject's identifier information, such as the name and email address.
  • The validity period (the length of time that the certificate is considered valid).
  • Identifier information about the issuer.
  • The digital signature of the issuer, which attests to the validity of the binding between the subject's public key and the subject's identifier information.

A certificate is valid only for the period of time that is specified in it; every certificate contains Valid From and Valid To dates, which set the boundaries of the validity period. If a certificate's validity period has passed, a new certificate must be requested by the subject of the expired certificate. Certificates can be used for:

  • Authentication: Use authentication so that users can prove their identity to those with whom they communicate and can verify the identity of others. Authentication of identity on a network is complex because the communicating parties do not physically meet as they communicate. This can allow an unethical person to intercept messages or to impersonate another person or entity. Authentication is crucial to make communication more secure.
  • Privacy: Use encryption to keep data private whenever sensitive information is transmitted between computing devices on any network.
  • Encryption: Think of encryption as locking something valuable into a strong box with a key. Conversely, decryption can be compared to opening the box and retrieving the valuable item. On computers, sensitive data in the form of email messages, files on a disk, and files being transmitted across the network can be encrypted by using a key. Encrypted data and the key used to encrypt data are both unintelligible.
  • Digital signatures: Use as a way to ensure the integrity and origin of data. A digital signature provides strong evidence that the data has not been altered since it was signed, and it confirms the identity of the person or entity who signed the data. This enables the security features of integrity and nonrepudiation, which are essential for secure electronic commerce transactions.

Many Windows applications use certificates, including Microsoft Internet Information Services (IIS), Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer. The following sections explain the keys and file formats that can be used to compose certificates.

Certificate keys

In public key encryption, different keys are used to encrypt and decrypt information. The first key is a private key, which is a key that is known only to its owner. The second key is the public key, which can be known and available to other entities on the network.

The two keys are complementary in function. For example, a user’s public key can be published in a certificate in a directory so that it is accessible to other people in the organization. The sender of a message can retrieve the user’s certificate from Active Directory, obtain the public key from the certificate, and then encrypt the message by using the recipient's public key. Information that is encrypted with the public key can be decrypted only by using the corresponding private key of the set, which remains with its owner, who is the recipient of the message.
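The exchange just described, as an added example that is not part of the original post: the sender pulls the public key out of the recipient's certificate and encrypts to it, and only the recipient's private key can decrypt. It assumes the openssl CLI is on PATH; the certificate and keys are throwaway ones generated here (no directory lookup is involved), and the message is a constructed sample.

```shell
#!/bin/sh
# Added example (not part of the original post): encrypt with the public key
# taken from a certificate, decrypt with the matching private key. Assumes
# openssl is on PATH; all keys and the certificate are throwaway, generated here.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Recipient's certificate (carries the public key) and private key (stays with them).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=recipient.test" \
    -keyout "$WORK/recipient-key.pem" -out "$WORK/recipient-cert.pem" 2>/dev/null
# An unrelated key pair, standing in for anyone who is not the recipient.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other-key.pem" 2>/dev/null

# Sender's side: extract the public key from the certificate and encrypt to it.
# OAEP padding is used so that a wrong-key decryption fails instead of
# returning garbage.
encrypt_to_cert() {  # $1 = certificate, $2 = plaintext file, $3 = ciphertext out
    openssl x509 -in "$1" -pubkey -noout > "$WORK/pub.pem"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" \
        -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$3"
}

# Recipient's side: prints the plaintext; fails if the key does not match.
decrypt_with_key() {  # $1 = private key, $2 = ciphertext
    openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep -in "$2" 2>/dev/null
}

printf 'meeting moved to 3pm' > "$WORK/msg.txt"   # constructed sample message
encrypt_to_cert "$WORK/recipient-cert.pem" "$WORK/msg.txt" "$WORK/msg.enc"
echo "recipient reads: $(decrypt_with_key "$WORK/recipient-key.pem" "$WORK/msg.enc")"
if decrypt_with_key "$WORK/other-key.pem" "$WORK/msg.enc" >/dev/null; then
    echo "other key decrypted the message (unexpected)"
else
    echo "other key cannot decrypt the message"
fi
```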

Certificate file formats

Which certificate file format you use depends on a combination of security and compatibility concerns. In Windows 8 and Windows RT, you can import and export certificates in the following formats:

Personal Information Exchange (PKCS #12)

The Personal Information Exchange format (PFX, also called PKCS #12) enables the transfer of certificates and their corresponding private keys from one computer to another or from a computer to removable media.

Because exporting a private key might expose it to unintended parties, the PKCS #12 format is the only format that is supported in Windows 8 for exporting a certificate and its associated private key.

Cryptographic Message Syntax Standard (PKCS #7)

The PKCS #7 format enables the transfer of a certificate and all the certificates in its certification path from one computer to another, or from a computer to removable media.

DER Encoded Binary X.509

Distinguished Encoding Rules (DER) for ASN.1, as defined in ITU-T Recommendation X.509, might be used by certification authorities that are not installed on computers running Windows Server 2003, so it is supported for interoperability. DER certificate files use the .cer extension.

Base64 Encoded X.509

This is an encoding method that was developed for use with Secure/Multipurpose Internet Mail Extensions (S/MIME), which is a popular, standard method for transferring binary attachments over the Internet.

Because all S/MIME-compliant client computers can decode Base64 files, this format might be used by certification authorities that are on computers that are not running a Windows operating system, so it is supported for interoperability. Base64 certificate files use the .cer extension.
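The four export formats above, produced from one certificate with the openssl CLI, as an added example that is not part of the original post. It assumes openssl is on PATH; the certificate is a throwaway self-signed one generated here, and the file names and the PFX password are constructed.

```shell
#!/bin/sh
# Added example (not part of the original post): the four Windows export formats
# produced with openssl from one self-signed certificate. Assumes openssl is on
# PATH; file names and the PFX password are arbitrary, constructed values.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed certificate plus private key to convert from.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=example.test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null

# DER Encoded Binary X.509 (.cer): raw ASN.1 bytes, certificate only.
to_der() { openssl x509 -in "$1" -outform DER -out "$2"; }                # $1 PEM in
# Base64 Encoded X.509 (.cer): the same bytes between BEGIN/END CERTIFICATE lines.
to_base64() { openssl x509 -inform DER -in "$1" -outform PEM -out "$2"; } # $1 DER in
# PKCS #7 (.p7b): the certificate and its chain, never a private key.
to_pkcs7() { openssl crl2pkcs7 -nocrl -certfile "$1" -out "$2"; }
# PKCS #12 (.pfx): certificate AND private key, so it is password protected.
to_pkcs12() {  # $1 cert, $2 key, $3 out, $4 password
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# Identify the container from its content; the .cer extension alone says nothing.
# DER X.509 and PKCS #12 both start with the ASN.1 SEQUENCE tag 0x30.
detect_format() {  # $1 file
    if grep -q 'BEGIN CERTIFICATE' "$1"; then echo "Base64 X.509"
    elif grep -q 'BEGIN PKCS7' "$1"; then echo "PKCS #7"
    elif [ "$(od -A n -t x1 -N 1 "$1" | tr -d ' ')" = "30" ]; then echo "DER"
    else echo "unknown"; fi
}
# Number of certificates bundled in a PKCS #7 file.
pkcs7_cert_count() { openssl pkcs7 -in "$1" -print_certs -noout | grep -c '^subject='; }
# Succeeds only if the PFX opens with the password and carries a private key.
pkcs12_has_key() {  # $1 pfx, $2 password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}
# SHA-256 fingerprint: identical whatever encoding the certificate is stored in.
fingerprint() { openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256; }

to_der "$WORK/cert.pem" "$WORK/cert.der.cer"
to_base64 "$WORK/cert.der.cer" "$WORK/cert.b64.cer"
to_pkcs7 "$WORK/cert.pem" "$WORK/cert.p7b"
to_pkcs12 "$WORK/cert.pem" "$WORK/key.pem" "$WORK/cert.pfx" "export-password"
for f in cert.der.cer cert.b64.cer cert.p7b cert.pfx; do
    printf '%-12s %s\n' "$f" "$(detect_format "$WORK/$f")"
done
```

Note that `detect_format` reports the PFX as DER too: the PKCS #12 container is itself ASN.1, so telling a bare certificate from a key-bearing PFX requires opening the file, which `pkcs12_has_key` does.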

So why do they expire?

Most certificates are issued for one or two years. One exception is the certificate for the certificate authority itself, which, because of the amount of involvement necessary to distribute the information to all of the organizations who hold its certificates, may be ten years. Beware of organizations with certificates that are valid for longer than two years or with certificates that have expired.
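Reading the Valid From / Valid To dates and turning them into the checks a defender actually runs (expired, expiring soon, and the "valid for longer than two years" case above), as an added example that is not part of the original post. It assumes openssl is on PATH; the certificates are throwaway self-signed ones generated here with different lifetimes.

```shell
#!/bin/sh
# Added example (not part of the original post): reading a certificate's
# validity period and checking it for expiry with the openssl CLI. Assumes
# openssl is on PATH; the certificates are throwaway self-signed ones made here.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed certificate with the requested lifetime ($1 = output file, $2 = days).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.test" \
        -keyout "$WORK/key.pem" -out "$1" 2>/dev/null
}

# The Valid From / Valid To boundaries (the X.509 notBefore / notAfter fields).
validity_dates() { openssl x509 -in "$1" -noout -startdate -enddate; }

# 0 if the certificate is still valid $2 seconds from now; 1 if it has already
# expired or expires inside that window (openssl prints "Certificate will expire").
valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

# 0 if the certificate is still valid $2 whole days from now.
valid_beyond_days() { valid_for "$1" $(( $2 * 86400 )); }

# Monitoring verdict: EXPIRED, EXPIRING (within 30 days) or OK.
expiry_status() {
    if ! valid_for "$1" 0; then echo EXPIRED
    elif ! valid_beyond_days "$1" 30; then echo EXPIRING
    else echo OK; fi
}

# The "beware" case from the post: a certificate still valid more than two years out.
lifetime_warning() {
    if valid_beyond_days "$1" 730; then echo "valid for more than two years"
    else echo "lifetime within two years"; fi
}

make_cert "$WORK/short.pem" 1      # expires tomorrow: a monitor should flag it
make_cert "$WORK/normal.pem" 365   # a typical one-year certificate
make_cert "$WORK/long.pem" 1095    # three years: longer than the post recommends
for c in short normal long; do
    echo "== $c"; validity_dates "$WORK/$c.pem"
    echo "status: $(expiry_status "$WORK/$c.pem"); $(lifetime_warning "$WORK/$c.pem")"
done
```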
