What is a certificate and what is it used for?
Certificates provide a way to verify a user's identity on a computer or over a computer network before allowing the user access to a protected website, application, computer or other resources. Typical computer services that require certificate authentication include secure websites, grid services, and email signing and encryption.
Certificates rely on Public Key Infrastructure (PKI), a virtual "lockbox" technology, in which two keys are needed in order for a user to access the requested resource: a "private" key that the user holds and a "public" key that the user's certificate holds. At Fermilab, the PKI-protected services and resources currently recognize the following two types of certificate:
- OSG PKI Certificate Authority is run by the Open Science Grid (OSG). OSG PKI certificates are primarily used for authentication to grid resources. Most Fermilab staff and users don't need an OSG PKI certificate.
- CILogon is part of the InCommon federation. Fermilab users can get CILogon Basic certificates which can be used to access websites and grid resources.
How do certificates work?
A certificate is a digitally signed statement from a trusted third party, acting as a "middleman", that associates a public key with a name. When a user requests access to a PKI-protected resource, the resource invokes PKI and says "User X requested access. Please check whether User X is really User X." PKI retrieves the certificate it has for User X and asks the user to present the matching private key. It then checks whether the combination of public and private keys "opens the lockbox", and reports "yes" or "no" to the resource.
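As an added illustration of the description above (not code from Fermilab, OSG or CILogon), the following Go program, using only the standard library, plays all three roles: a CA that signs a statement binding a name to a public key, a user whose private key signs a fresh challenge without ever being sent, and a resource that checks both the CA's signature and the challenge. The CA and user names are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Enroll creates a key pair for name and a certificate binding name to the new public key, signed by parentKey; with parent == nil it is self-signed (a CA root).
func Enroll(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand, which does not fail
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil { // the trusted third party vouches for itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Signer is the user's side: the private key signs the challenge and never leaves the user.
func Signer(key ed25519.PrivateKey) func([]byte) []byte {
	return func(nonce []byte) []byte { return ed25519.Sign(key, nonce) }
}

// Authenticate is the resource's side: check that the presented certificate chains to the
// trusted CA, then that the presenter can sign a fresh nonce with the matching private key.
func Authenticate(trusted, presented *x509.Certificate, sign func([]byte) []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", err // untrusted issuer, expired, or tampered certificate
	}
	nonce := make([]byte, 32)
	rand.Read(nonce) // fresh per attempt, so a captured signature cannot be replayed
	pub, ok := presented.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, nonce, sign(nonce)) {
		return "", errors.New("presenter does not hold the private key for this certificate")
	}
	return presented.Subject.CommonName, nil // the name the CA vouched for
}
```

A certificate issued by a CA the resource does not trust is rejected even when the presenter holds its private key, and a genuine certificate is rejected when the presenter cannot sign with the matching key.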
Besides people, certificates can also identify hosts and services.