Everything you need to know about public key certificates

What is a public key certificate and how do you get one? You may have already heard about it, but not completely understand how it works or how to get one.

This article is based on the observation that the digital transition of businesses leads to the increasing dematerialization of documents. Today, with the Internet, and especially online software, businesses can process and exchange information. But, is it secure? How can you ensure that a website is secure and that implementing new processes such as electronic signatures do not harm your data? 

This is where the digital certificate comes in, guaranteeing the authentication of signatories as well as data and key encryption. 

appvizer has all the information you may need to understand the concept of public key certificates better: 

A public key certificate is also referred to as a digital certificate or an electronic certificate. 

It is a digital identity card to: 

• identify and authenticate a natural or legal person, 
• encrypt exchanges,
• sign online securely. 

The most used standard for creating digital certificates is X.509.

A digital key certificate is required when signing files online, via an electronic signature. The digital key certificate is what allows the signatory to be identified and the integrity of the file to be insured.  

There are several types and classes of certificates, each with a different level of security. 

This class only guarantees the existence of an email address, but not the identity of the certificate holder. 

This class guarantees the identity of the public key certificate holder and that of his company. The supporting documents have been transmitted and verified by the certification authority that issues the digital certificate. 

Like Class II, Class III guarantees the verification of the identity of the certificate holder, but its physical presence is required. 

There are also three levels of public key signatures, each corresponding to a different level of security and authentication. The different levels are:

• Simple electronic signature: data is in electronic format and attached or combined with other electronic data. It allows to have the identity of the signatory reliably verified and to indicate the signatory’s consent to sign the document. 
• Advanced electronic signature: created from a tool that guarantees the unique use of the signatory. It is unambiguously linked to the signatory, and it allows you to identify the signatory, as well as to detect possible modifications of the document after the signature.
• Qualified electronic signature: created from a tool that guarantees the sole use of the signatory, and based on a certificate qualified as an electronic signature. 

A public key certificate can have two types of support:

• Software
• Hardware - it will then take any form of a USB key or a smart card 

SSL certificates are public key certificates that secure communications between web servers and browsers. 

The SSL (Secure Sockets Layer) / TLS (Transport Layer Security) certificate is the most well known public key certificate. It is a data file that contains: 

• A public cryptographic key, linked to the private cryptographic key of an organization or private person
• URLs of secure sites 
• The corporate name of an organization, in the case of OV (organization validation) and EV (extended validation) certificates

This SSL security is installed on a server and is used for encrypting sensitive data online to ensure a secure connection. It is most often used for banking transactions or the transfer of sensitive data, such as IDs and passwords. 

It is materialised for use by a padlock and the “https” protocol in the URL bar.

This type of certificate is used in the particular case of electronic signatures. How to define it?

It is the digital equivalent of a handwritten signature. 

Characteristics of the electronic signature certificate:

• Nominative
• Issued to a single person (not a company)
• Issued by a certification authority or a Qualified Trust Service Provider (QTSP)

A public key certificate is used to authenticate a person, secure access and, by extension, allow him/her to sign electronically. Without a digital certificate, the digital signature has no legal value.

It is a guarantee of security and proof of the identity of the signatory, the only person with the right to sign. The certificate provides the link between the electronic signature and the signatory as it contains information essential to authenticate the signatory and guarantee the inalterability of the document.

In which cases can electronic signatures be used? Exchanges are facilitated, accelerated, and secured, for example, to:

• Sign an invoice or purchase order
• Sign contracts of any kind
• Respond to calls for tenders
• Sign official documents (e.g. tax and social security declarations)
• Secure access to your mailbox or one of the websites

Would you like to know more about the legal framework of electronic signatures, and how to make a legal digital signature?

A qualified digital certificate can only be issued by a recognized organization that has been accredited by ETSI (the European Telecommunications Standards Institute) or an institution of another EU country as a qualified trust service provider. These service providers are trusted third parties who are entitled to issue such certificates in accordance with the Electronic Transactions Regulations 2016 and the eIDAS Regulation.

Among the most well known and used certificate authorities in the United Kingdom we note for example:

• Entrust Ltd
• Barclays Bank Plc
• Experian Ltd
• Morpho UK Limited

Source: European Commission

As mentioned above, a public key certificate can only be obtained from a qualified certificate provider accredited by the competent authority. The EU Commission and the eIDAS maintain a corresponding list of such providers.

In most cases, the certificate is issued to a natural person acting on behalf of the company. The key certificate shall, however, contain the corporate name of the company or public organization for which the natural person is acting.

To receive a digital certificate, certain conditions apply: 

• The certificate must comply with the GDPR 
• As a rule, it should take several weeks to receive this digital document

With the contours of the digital certificate now clear, how can you simply sign documents online, while ensuring the security of your data? How does this work in practice?

Online public key signature software facilitate the dematerialization in companies:

• Sign or get your documents signed faster
• Give legal value to your documents
• Adopt an eco-responsible approach and stop printing documents
• Avoid the risk of losing documents by not transmitting them physically
• Reduce your costs and simplify your exchanges in mobility and abroad

Some digital signature system vendors, such as Yousign or DocuSign, are also recognised as certification authorities. They are therefore able to issue public key certificates. You have the guarantee that the proposed certification and the electronic signature have the legal value required to sign with complete peace of mind.

Yousign has the dual role of a SaaS-based electronic signature software publisher and a certification authority. It is certified by eIDAS and ETSI and holds the Security Visa issued by ANSSI. The French publisher makes a point of providing the highest level of security for the client’s data.

In terms of functionalities, Yousign is:

• an electronic signature provider,

• a digital safe,

• a storage with probative value,

• a time stamp for signatures and documents