Digital Certificates

Digital certificates are data structures that represent identities. EMS uses certificates to verify the identities of servers and clients. TLS can encrypt a connection without either the server or the client validating the other's certificate, but validating certificates adds authentication: each party can confirm that it is exchanging data with the intended peer rather than with an unknown one.

A digital certificate is issued either by a trusted third-party certificate authority, or by a security officer within your enterprise. Usually, each user and server on the network requires a unique digital certificate, to ensure that data is sent from and received by the correct party.

In order to support TLS, the EMS server must have a digital certificate. Optionally, EMS clients may also be issued certificates. If the server is configured to verify client certificates, a client must have a certificate and have it verified by the server. Similarly, an EMS client can be configured to verify the server’s certificate. Once the identity of the server and/or client has been verified, encrypted data can be transferred over TLS between the clients and server.

A digital certificate has two parts—a public part, which identifies its owner (a user or server); and a private key, which the owner keeps confidential.

The public part of a digital certificate includes a variety of information, such as the following:

  • The name of the owner, and other information required to confirm the unique identity of the subject. This information can include the URL of the web server using the digital certificate, or an email address.
  • The subject’s public key.
  • The name of the certificate authority (CA) that issued the digital certificate.
  • A serial number.
  • The length of time the certificate will remain valid—defined by a start date and an end date.

The most widely used standard for digital certificates is ITU-T X.509. TIBCO Enterprise Message Service supports digital certificates that comply with X.509 version 3 (X.509v3); most certificate authorities, such as Verisign and Entrust, comply with this standard.